Because the impact of a cyberattack or data breach can be massive, many organizations require contractors and suppliers that handle their sensitive information, including providers of software-as-a-service (SaaS) like Cysiv, to hold a current SOC 2 Type II report and ISO 27001 certification.
Independent assessment demonstrates to customers that the company's security controls have been examined by a qualified third party: ISO 27001 certification is issued by an accredited certification body, and a SOC 2 Type II report is issued by a licensed CPA firm. It gives clients evidence that security risks are being identified and treated and that the organization follows recognized information security practices. Maintaining ongoing conformance with SOC 2 Type II and ISO 27001 is a demanding process, but one we believe is essential.
What Is SOC 2?
SOC, in this instance, stands for “system and organization controls”. The SOC 2 framework was developed by the American Institute of Certified Public Accountants (AICPA) to address growing concerns around data privacy and security. A SOC 2 report describes and evaluates the controls of a service organization that stores or processes customer data, such as a cloud or SaaS provider.
A SOC 2 examination is performed by an independent third-party auditor, which reviews and tests an organization’s controls against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Unlike a SOC 1 report, which covers controls relevant to a customer's financial reporting, a SOC 2 report covers the controls relevant to these five criteria.
What Does SOC 2 Require?
A SOC 2 report comes in two types. A SOC 2 Type I report evaluates whether an organization’s controls are suitably designed, as of a single point in time, against the five Trust Services Criteria (formerly Trust Services Principles) defined by the AICPA. Security is the only criterion every SOC 2 report must include; the other four are brought into scope according to the services the organization provides and the commitments it makes to customers. The five criteria are:
- Security: Information is protected during its collection or creation, use, processing, transmission, and storage, and the systems that process, transmit, and store that information are protected, so that the entity can meet its objectives.
- Availability: Information and systems are available for operation and use to meet the organization’s objectives, which includes the monitoring and maintenance needed to keep them that way.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected from its collection or creation through to its final disposition and removal.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in line with the organization’s privacy commitments and objectives.
A SOC 2 Type II report goes a step further: the auditor tests whether those controls operated effectively throughout a defined review period, commonly between three and twelve months, rather than only whether they were designed properly on a given date. Counting readiness work, remediation, and the review period itself, obtaining a first Type II report typically takes from six months to a year.
What Is ISO 27001?
ISO/IEC 27001 is the internationally recognized standard that specifies the requirements for an ISMS (information security management system). Effective information security risk management is the cornerstone of an ISO 27001-conformant ISMS. The standard requires that management:
- Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
Why You Should Look for SOC 2 Type II & ISO 27001 Certified Vendors
With information security top of mind, especially in light of data privacy regulations, it’s important to confirm that third-party suppliers of SOC-as-a-Service or other security services hold a current SOC 2 Type II report and ISO 27001 certificate. Ask for the report and the certificate rather than taking a claim on a website at face value: the SOC 2 report states which Trust Services Criteria were in scope and the review period it covers, and the ISO 27001 certificate names the accredited certification body and the scope of the certified ISMS. With these in hand, you and your customers can be confident the vendor has processes and procedures in place to protect your data and that they are in active use.
A SOC 2 Type II report and an ISO 27001 certificate let customers proceed through their legal and procurement processes without the expense and delays of conducting their own detailed security assessments, whose questionnaires can often exceed 300 controls.
Together, these assessments provide a foundation of documented, tested controls that can be mapped to other regulatory and industry requirements, including the Health Insurance Portability and Accountability Act (HIPAA), the PCI Security Standards Council’s standards (PCI DSS), the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the Federal Risk and Authorization Management Program (FedRAMP). They do not by themselves establish compliance with any of these; each has its own requirements and, where applicable, its own assessment process.
The Importance of Certification to Cysiv
As a trusted security partner of organizations across a wide range of industries, Cysiv has long understood that privacy and security need to be part of our core DNA, and that the best way to publicly demonstrate our commitment to protecting customer data is through SOC 2 Type II attestation and ISO 27001 certification.
These assessments reaffirm our commitment to providing customers with strong safeguards. Cysiv will continue to complete SOC 2 Type II examinations and ISO 27001 audits annually as part of our continued commitment to adhering to strict information security policies and procedures.