Headed to RSA in San Francisco? May 6-9 | Join us!

Which Security Compliance Assessment is Right for Your Organization – Part 1

The world of compliance is one of numerous assessments and certifications, each varying in scope and effort depending on the industry they serve and the level of security. Figuring out which one is right for your organization can effectively and efficiently bolster your security posture and improve your competitive edge.  

On the flip side, spending time and effort on the wrong assessment can unnecessarily exhaust your organization’s resources.  

Between SOC 2, ISO 27001, PCI DSS, Federal compliance, HIPAA, and HITRUST, there are numerous factors to consider, such as timelines and organizational benefits. To help you make the right decision when choosing your next compliance initiative, our compliance experts put together a quick guide of the most common assessments, including their scope, timeline, and potential prerequisites.  

This article draws from the compliance Crosswalk Podcast, where A-LIGN’s practice leads for multiple compliance service lines shared their thoughts on which compliance assessments might be right for organizations of various types. They discuss the specifics in each of their areas including timelines, prerequisites, and common misconceptions, as well as how to identify which compliance assessments will best suit your organization’s needs. Listen here


What is ISO 27001/27701? 

ISO is an international standard that helps organizations manage the security of information assets. It provides a management framework for implementing an Information Security Management System (ISMS). ISO is meant to ensure the confidentiality, integrity, and availability of all data that passes through the company. ISO 27701 is an additional assessment that can be added to ISO 27001 focusing on Privacy.  

Who is ISO 27001 for? 

ISO certification is excellent for any organization that is interested in doing business internationally. In addition, as a risk-driven standard, ISO 27001 is an excellent assessment for any organization focused on the confidentiality, integrity and availability of the data in your environment.  

What prerequisites are there to complete an ISO 27001/27701? 

Both ISO 27001 and 27701 have little-to-no barriers to entry. The standard itself is very similar whether you’re a small business or a large company. Aside from initial project scoping, there are no prerequisites. 

How long does it take to complete an ISO 27001/27701? 

ISO 27001 can take three to four months from start to finish and varies by organization since it isn’t’ a checkbox audit, but rather a discussion-based audit. The process is broken up into two stages.  

The first stage on average takes around six weeks and includes a review of your company’s documentation to confirm it follows the ISO 27001 standard.  

Stage two can take four to eight months depending on the size of your organization and consists of interviews, an inspection of documented evidence, and process observation aimed at testing these controls and confirming your organization’s compliance. Following stage two is a round of remediations, which may vary in time depending on your specific audit.  

Why ISO 27001/27701 valuable to your organization? 

Being an international standard means your ISO Certification will be recognized by organizations throughout multiple markets outside around the world. You don’t need to have international operations to obtain this certification, making obtaining an ISO certification a great way to enter new markets.  


What is PCI DSS? 

PCI DSS (Payment Card Industry Data Security Standard) is a widely accepted Industry enforced and run standard consisting of a set of policies and procedures intended for organizations that handle credit, debit, and cash card transactions to ensure the protection of cardholders’ personal information. 

Who is PCI DSS for? 

PCI DSS is for companies that handle sensitive credit card data. PCI DSS can also apply to companies that provide services within Card Data Environments (CDE). If you affect the security of a CDE or a client CDE, then you can be brought into scope for a PCI DSS assessment.  

How long does it take to complete a PCI DSS assessment?  

The preparation phase can take about six to eight months for those undergoing the assessment for the first time, and around three to four months on average for a renewal assessment. The amount of time it takes to complete the assessment ultimately varies depending on the organization’s environment, what its processes are, and what its infrastructure looks like.  

Entities that are very large are continuously prepping. As soon as one audit ends, they’re prepping for the next year, making PCI DSS a continual process for them. Whereas smaller entities may have less of a lift to continually maintain those processes. 

Why is PCI DSS valuable to your organization?  

Obtaining a PCI DSS Report on Compliance (ROC) and Attestation of Compliance (AOC) demonstrates your organization’s commitment to payment card data security and identifies the level of validation you have achieved. Failing to maintain PCI DSS compliance can range in fines from $5,000 to $100,000 per month depending on the size of the company and the scope of noncompliance. 

Penetration Testing & Vulnerability Scans 

What is Penetration Testing & Vulnerability Scans? 

Vulnerability Scans are automated exercises that identify known vulnerabilities in your network devices, hosts, and systems. These scans offer a quick snapshot of potential weak points in an organization that an attacker could potentially leverage in an attack. There are multiple types of Vulnerability Scans including Quick, Full, and Compliance scans. These scans can also be performed at a point in time or single, monthly or quarterly. 

Penetration Tests are manual exercises that evaluate the effectiveness of your organization’s cyber defenses by attempting to exploit discoverable vulnerabilities utilizing the same tools and techniques hackers use. Pen Tests can include mobile and web apps, networks, wireless, and social engineering (phishing email, vishing phone, physical entry). These assessments are often used as part of SOC 2, PCI DSS, FedRAMP, and more.  

Why is a Penetration Test valuable to your organization?  

Both a penetration test and a vulnerability scans are with compliance frameworks such as SOC 2 or PCI DSS in mind. If you’re undergoing a compliance audit, there’s a high chance that you need a pen test. Even if you’re not completing an audit, a pen test is a very important exercise to perform as it allows you to better understand what your potential threat surface may be. A penetration test will also help identify frameworks and components in use across the organization that may be outdated, such as third-party libraries in mobile and web applications. This can help organizations stay up to date and shift to new frameworks and libraries with long-term support. Results from a penetration test can be used to understand if an organization has effective detection capabilities across systems and hosts, and where gaps may exist. 


What is HITRUST? 

HITRUST Alliance is a private company founded in 2007 that offers the HITRUST Common Security Framework (HITRUST CSF). By pulling from major pre-existing frameworks, and working with organizations to better understand their needs, HITRUST provides a complete, certifiable security and privacy standard. This standard gives customers confidence that their data and confidential information is secure. 

Who is HITRUST for? 

HITRUST CSF is a security framework that provides a comprehensive approach to HIPAA compliance and enables organizations to cover both security and compliance components of HIPAA and is tailored to the requirements of their specific industry.  For these reasons, many healthcare organizations and those working with healthcare companies undergo a HITRUST certification. Since HITRUST is based on many pre-existing frameworks, some organizations outside of the healthcare industry also find HITRUST as a helpful assessment to ensure they are meeting security and privacy standards. 

How long does a HITRUST Assessment take? 

HITRUST typically takes six to eighteen months, depending on the scope of the project and the preparation required. 

Why is HITRUST valuable for your organization? 

Achieving HITRUST Certification satisfies regulatory requirements mandated by third-party organizations and laws, in addition to helping your organization differentiate from the competition, resulting in increased revenue and market growth. In addition to the added revenue, HITRUST Certification saves time and money by leveraging a solid and scalable framework that includes multiple regulatory standards. 


What’s the Difference Between SOC 1, SOC2, & SOC 3? 

SOC stands for System and Organization Controls and is one of the most sought-after security assessments in the US market. The American Institute of Certified Public Accountants (AICPA) organization is the governing body of the SOC framework. There are three kinds of SOC assessments: SOC 1, SOC 2, and SOC 3. 

SOC 1 assesses your organization’s controls that have the ability to impact the financial statements of your end users. This includes business process controls based on the organization’s services, as well as information technology general controls that support the overall security of the system. 

 A SOC 2 audit examines your organization’s controls that are in place to protect and secure it’s the system and services used by customers or partners. The security posture of your organization is assessed based on the requirements within a SOC 2 examination, known as the Trust Services Criteria (TSC).   

A SOC 3 is a general-use version of a SOC 2. A SOC 2 may contain sensitive details about an organization’s system, including details about your people, processes, and technology that should not be shared with the general public. Obtaining a SOC 3 allows you to share your report without any sensitive information included. 

Who is SOC for? 

SOC 1: Because a SOC 1 deals with organizations that provide services that can impact the financial statements of their user entities or their clients, not all organizations need a SOC 1 but anyone who wants one can typically get one. 

SOC 2: Any organization that can affect another company’s information security can and is encouraged to obtain a SOC 2 report. This makes it the most common compliance assessment in the United States and is gaining traction in other markets around the world. 

Why SOC 2 is valuable to your organization? 

SOC 2 has become the unofficial baseline for security compliance in the United States. Having a SOC 2 report enables your organization to demonstrate its dedication to security, builds trust with current and future customers, and opens up an array of business opportunities.   


What is Federal Compliance?  

The Federal Information Security Modernization Act (FISMA) of 2014 says every federal agency must have a formal cyber security program that includes a risk management review of a system before it’s used for the government, whether the government owns it or they’re contracting that service from someone else. From this, all federal assessment and authorization frameworks are created by the National Institute Standard of Technology (NIST), the federal agency was tasked with providing general guidance on federal cybersecurity. From NIST, we get a series of different assessment and authorization frameworks for different government agencies and covering various services including NIST 800-171, FedRAMP, CMMC and more. These frameworks are also adopted and modified for State and Local government agencies, for example, StateRAMP. 

Are there any prerequisites for Federal Compliance?  

Federal compliance authorization assessments typically require a federal or other government agency to sponsor your organization’s system offering. If you don’t have an agency that’s sponsoring you through a federal assessment and authorization program, you will most likely not be able to start the assessment. 

What is Risk Management Framework?  

The Risk Management Framework (RMF) is the basis for all federal compliance assessment and authorization programs. RMF is tailorable and specific to each federal agency based on their implementation requirements to meet FISMA. 

What is FedRAMP? 

With the introduction of cloud technology, organizations working with one agency can now have a wide impact across more than any single agency, which led to the creation of the FedRAMP program. FedRAMP is required by any cloud service provider seeking to do business with the Federal Government. Unlike other federal compliance assessments, FedRAMP is a framework that is the same for all agencies within the federal government. A single FedRAMP assessment can be leveraged or reviewed by any Federal agency for them to authorize the use of, or procurement, of that service or product. 

How Long Does FedRAMP Take?  

FedRAMP is very granular, it’s very prescriptive, and it’s very rigorous, making it one of the longest assessment processes. The prep for beginning a FedRAMP assessment can typically take anywhere from six months up to eighteen months. The actual assessment may take anywhere from four to six months. Because of the granularity of the FedRAMP process it’s important to use an experienced assessor who has experience doing many assessments and has the ability to conduct the assessment in the most efficient and effective manner. 

What is StateRAMP 

StateRAMP is the state and local government equivalent of FedRAMP and allows a company offering services to state and local governments to achieve authorization to do business with them. The advantages of going through a StateRAMP assessment are that they allow an organization to conduct business with multiple different state governments using one assessment.  

What is CMMC?  

The Cybersecurity Maturity Model Certificate (CMMC) is a new compliance developed by the Department of Defense (DoD) to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks. It will be required for any organizations that work with CUI and are interested in conducting business with the DoD.  

Interested in learning more about which compliance assessment is right for you? Get in touch today with one of our compliance experts at [email protected].