Because the impact of a cyberattack or data breach can be massive, most organizations require contractors or suppliers that may handle their sensitive information, including providers of Software-as-a-Service (SaaS) like Cysiv, to hold ISO 27001 and SOC 2 certification.
Certification by an accredited body demonstrates to customers that the company treats all aspects of security with the utmost care. It gives clients peace of mind that security risks are being treated effectively and that the organization is following information security best practices. Ongoing compliance with SOC 2 Type II and SaaS ISO 27001 standards is a demanding process, but one we believe is essential.
What Is SOC 2?
SOC, in this instance, stands for "system and organization controls" and was developed by the American Institute of Certified Public Accountants (AICPA) to provide a way to address growing concerns around data privacy and security. This “SOC” is not to be confused with “SOC-as-a-Service” in which the “SOC” stands for “security operations center.” While related, “security operations center” (SOC) refers to the service being offered by a cybersecurity vendor, and “system and organization controls” (SOC) refers to the certification standards that security organizations can meet. A SOC 2 report is designed to audit the processes and controls of service providers that store customer data in the cloud.
A SOC 2 audit is required to be completed by an independent third-party, which reviews and tests an organization's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system.
What Does SOC 2 Certification Require?
A SOC 2 audit has two levels. SOC 2 Type I requires organizations to establish controls that align with five "Trust Factors" provided by the AICPA. These are:
- Security: The protection of information during its collection or creation, use, processing, transmission, and storage and the protection of systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives.
- Availability: Information and systems must be available for operation, monitoring, and maintenance by the organization.
- Processing Integrity: This refers to the completeness, validity, accuracy, timeliness, and authorization of system processing.
- Confidentiality: Confidentiality addresses an organization's ability to protect information designated as confidential from its collection or creation through to final disposition and removal.
A SOC 2 Type II audit then goes a step further than SOC 2 Type I, during which a third party monitors and tests how well an organization's controls work over a period of several months. The entire certification process typically takes between six months and a year to complete.
As many enterprises make the shift from on-premises data management to the cloud, gaining storage flexibility but losing hands-on control over security, SOC 2 Type II certification is more important than ever. SOC 2 Type II compliance can be an incredibly lengthy, time-consuming, and costly process. Depending on the size of the organization and level of support needed, it can run from $10,000 - $50,000 and is only valid for up to a year. By working with a vendor who thoroughly maintains a high level of SOC 2 Certification, such as Cysiv’s SOC-as-a-Service platform, you don’t need to undergo the extensive requirements, time, and costs associated with earning the certification yourself.
What Is ISO 27001?
ISO 27001 is the internationally recognized standard that stipulates the requirements for an ISMS (information security management system). Effective information security risk management is a cornerstone of an ISO 27001-conformant ISMS. ISO 27001 requires that management:
- Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
The Benefits of Vendors with ISO 27001 & SOC 2 Certification
With information security top of mind, especially in light of data privacy regulations, it's important to ensure third-party suppliers of SOC-as-a-Service or other related security services have completed ISO 27001 and SOC 2 certification. With it, you and your customers can be confident the vendor has processes and procedures in place to protect your data and that they are in active use.
SOC 2 Type II attestation and ISO 27001 audit reports enable customers to proceed through their legal and procurement processes without the expense and delays associated with conducting their own detailed security audits, which can often exceed 300 controls.
Together, these certifications create a solid foundation to support other regulatory requirements, including Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) Security Council Standards, California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), and Federal Risk and Authorization Management Program (FedRAMP).
The Importance of Certification to Cysiv
As a trusted security partner of organizations across a wide range of industries, Cysiv has long understood that privacy and security need to be part of our core DNA, and that the best way to publicly demonstrate our commitment to protecting customer data is through SOC 2 Type II and ISO 27001 certification.
Certification reaffirms our commitment to providing customers with the highest levels of safeguards. Cysiv will continue to complete examinations annually as part of our continued commitment to adhering to strict information security policies and procedures.
Learn more about Cysiv's cloud-native platform, which provides the foundation for our cutting-edge SOC-as-a-Service solution. Our experts at Cysiv are always ready to improve and streamline your security operations, so please contact us with any questions you may have.