Frequently asked questions about Cyber Security certification, ISO27001 and SOC2


We regularly receive questions about Cyber Security certification, ISO27001 and SOC2. With this article we try to answer common questions. For more information, feel free to contact us. Happy reading!

Why cyber security certification?

More and more organizations process data and need to show that their cyber security / information security is demonstrably “in control”. One way to do this is by providing relevant certificates and audit reports. The idea is that an independent third party (the auditor) has established that the requirements are met, so that users of the certificate or report can derive assurance from it.


Which cyber security certification is the best fit for us?

Our advice is to start from the needs of your customers. In practice, we mainly encounter the ISO27001 certificate and the SOC2 report. We see a trend in which more and more organizations consider an ISO27001 certificate to be no longer sufficient and ask for more assurance, for example via a SOC2 report.


Does certification also mean that data is sufficiently protected against hackers?

Certificates and audit reports help to obtain certainty about cyber security and information security. Each organization will have to judge for itself whether this is sufficient. As described above, we see a trend that ISO27001 certification is no longer sufficient and that SOC2 reporting is being requested more often.

We believe that organizations that hold relevant cyber security certifications and/or SOC2 reports at least demonstrably pay attention to cyber security. For a SOC2 report in particular, a large number of important control measures must be demonstrably implemented. In practice, organizations that hold cyber security certifications and audit reports are still hacked from time to time. The reasons for this have to be assessed case by case. Certification provides assurance, but not absolute assurance.

New certification schemes are also being developed at European level: “As set out in Regulation (EU) 2019/881, the EU cybersecurity certification framework lays down the procedure for the creation of EU cybersecurity certification schemes, covering ICT products, services and processes. Each scheme will specify one or more level(s) of assurance (basic, substantial or high), based on the level of risk associated with the envisioned use of the product, service or process.” For more information, see the ENISA website: https://www.enisa.europa.eu/topics/standards/certification


What is the difference between ISO27001 and SOC2?

ISO27001

The management cycle (plan-do-check-act) is central to ISO27001 certification. This means that an organization must demonstrably identify risks, take control measures to mitigate those risks, check whether these control measures work (internal audits) and make adjustments. In practice, certain security measures may not yet be in order, but as long as there is an improvement plan for them, this does not necessarily lead to a finding or a problem with the certification.

Annex A of the ISO27001 standard lists 123 control measures that organizations can consider to mitigate risks. In practice, many customers take these control measures as the starting point for their design. The control measures an organization has selected are recorded in a so-called “Statement of Applicability”.

Organizations often provide the ISO27001 certificate and the Statement of Applicability to their customers. In some cases, customers also request the audit reports in which deviations from the standard are described.

SOC2

A SOC2 report is based on the AICPA Trust Services Criteria (TSC). For a SOC2 report, an organization must also set up a management cycle (plan-do-check-act). This means that an organization must demonstrably identify risks, take control measures to mitigate those risks, and check whether these control measures work (monitoring).

In addition, the AICPA TSC standard contains substantive control objectives, for which control measures must be taken around the criteria of Security, Availability, Confidentiality, Processing Integrity and Privacy. The organization itself determines which criteria are in scope. It is possible to include only the Security criteria and leave the other criteria out of scope.

In preparation for a SOC2 audit, all defined control measures must be implemented. If a measure has not been set up effectively, this leads to a deviation (and a comment) in the SOC2 audit report. In that respect, an ISO27001 certificate differs from a SOC2 report: the SOC2 report provides concrete insight into the effectiveness of the individual control measures. For this reason it is often said that the bar is higher in a SOC2 audit than in an ISO27001 audit. It is, however, possible to propose and include compensating control measures if certain measures prove to be ineffective.

A SOC2 report has two variants:

  • Type I – provides assurance about the design and existence of the control measures.
  • Type II – provides assurance about the design, existence and operating effectiveness of the control measures (over a period of at least six months).

Organizations often work towards a Type I report first, after which a Type II report is produced at a later stage.

The end product is a SOC2 report containing the following components:

  • Management Statement – statement by the organization’s management
  • Auditor Statement – the auditor’s statement (explanation of the work performed and the conclusion)
  • System description – in which the organization explains its internal control system (including the organizational structure, the processes and an explanation of the control measures)
  • Overview of control measures – overview of the control measures, including a description of the auditor’s work and the auditor’s conclusion for each control measure.

Who can issue an ISO27001 certificate or SOC2 report in the Netherlands?

An ISO27001 certificate can be issued by a Certification Body accredited for this purpose by the Dutch Accreditation Council (RvA). The audit statement accompanying a SOC2 report can be issued by a Register Accountant (RA) or a Register IT Auditor (RE), usually employed by an accountancy firm.


What are the differences in effort and cost when comparing ISO27001 and SOC2?

The operational effort required from the organization to obtain an ISO27001 certificate or a SOC2 report is roughly the same and depends strongly on the organization in question.

The costs of an ISO27001 audit are often somewhat lower than the costs of a SOC2 audit (a SOC2 report often gives customers more assurance than an ISO27001 certificate). For both SOC2 and ISO27001, audits are usually carried out annually. In the ISO27001 audits, the topics examined rotate annually within a three-year cycle.


What does an ISO27001 or SOC2 project mean for my organization?

Cyber security and information security are not just a matter for the IT department; they cover the entire organization, its processes and its ways of working. Depending on the cyber maturity of the organization, a limited or a significant effort is required.


What is the difference between SOC2 and SOC1/SOC3?

A SOC1 report deals with the control measures related to the reliability of financial reporting (the annual accounts). In the Netherlands, the term SOC1 is used less often, but it is comparable to an ISAE3402 report. There are quite a few misunderstandings surrounding ISAE3402, which we will discuss in another article. Because the AICPA Trust Services Criteria are not mandatory for a SOC1 statement, such a statement is generally somewhat easier to obtain than a SOC2 report.

A SOC3 report is a summary of a SOC2 report. A SOC3 report can be published (e.g. on the organization’s website) and contains less (company-sensitive) information.


Do I have to appoint a Security Officer for ISO27001/SOC2?

Neither ISO27001 nor SOC2 requires an organization to appoint a Security Officer. What matters is that responsibilities for information security are clearly assigned and that internal checks/audits are carried out independently of the people who implement the measures. Smaller organizations often assign the role of Security Officer to an existing employee or manager. Medium-sized to large organizations usually have a dedicated Security Officer / Chief Information Security Officer (CISO).


Closing remarks

We hope this has answered some of your questions. RiskNow supports organizations in setting up cyber security, obtaining certifications and with Security-Officer-as-a-Service. For answers to further questions or for support, feel free to contact us; we are happy to help.
