According to a recent ENISA report, strong internal security is no longer enough for organisations, as attackers have already shifted their attention to suppliers.

With many recent cyberattacks on supply chains across Europe, organisations have begun to consider alternative enhancements to their existing security measures. One of these solutions is blockchain-based cybersecurity technology.

IBM defines blockchain cybersecurity as a “comprehensive risk management system for a blockchain network, using cybersecurity frameworks, assurance services and best practices to reduce risks against attacks and fraud.”

Although many solutions using blockchain have been announced, organisations have not rushed to adopt blockchain technology. I believe blockchain can complement efforts to provide an additional layer of security, but it’s important to be wary of the risks associated with cyber cyber supply chain blockchain technology.

Areas of highest risk for supply chains

Supply chains face a number of vulnerabilities — including economic instability, extreme weather events, supplier inconsistency and more. One of the top risks to supply chains are cyberattacks. The NotPetya attack in 2016 paralysed European and American supply chains and cost them nearly $10 billion worth of damage.

There is a reason why supply chains are especially vulnerable to attacks. The organisations making up supply chains aren’t technology companies. In fact, many supply chains still use aging and legacy infrastructure and rely on insufficient third-party software, which opens the door to risk.

Blockchain as a solution

The data structures of blockchain technology are based on consensus, cryptography, and decentralisation principles, which can enhance security.

But despite blockchain technology strongly improving since its inception, it still has several weaknesses in both security and structure that have prevented widespread adoption from organisations across the globe.

Risks associated with blockchain

Some of these shortcomings can make organizations more susceptible to attack. Security risks include:

  • Privacy: All network nodes have access to data on a public blockchain, despite blockchain databases being anonymous and encrypted. This makes it harder to control who has access to specific information.
  • Vulnerable to cyberattacks: Even though blockchain offers greater security than other platforms, it is not entirely safe. Cyberattacks and blockchain’s ​​cryptographic algorithm make it possible to compromise the blockchain network.
  • Private keys: Blockchain requires users to have private keys to access resources or data stored in the blockchain. If a user loses their private key, they can no longer access the wallet — but if a bad actor has taken the key, they potentially can.
  • Data immutability: Once data is written, it cannot be erased. If someone uses a blockchain-based digital platform, they can’t erase its record. Those who have access to the platform can see the data history.

Structural issues associated with blockchain

Along with the security risks facing blockchain, several structural issues exist as well. Some of the structural issues preventing widespread blockchain adoption include:

  • Scalability: Unlike their centralised counterparts, blockchains have limitations in how they can grow alongside a business.
  • Storage: Blockchain databases are stored permanently on all network nodes. Computers can only store a limited amount of data, and blockchain ledgers can outgrow their storage space.
  • Power use: Whenever a new node is created, it connects to all other existing nodes and builds a distributed, continuously updated ledger. This process can require an extraordinary amount of power.
  • ​​Cost and implementation: Even though most blockchain solutions are open source, implementing a blockchain solution can be a costly process. Enterprise blockchain projects can cost well over a million dollars to implement — and that figure does not include expected maintenance costs. 

This is not to say blockchain cannot be used as a valid solution. However, organisations should not rely solely on blockchain technology to keep their supply chains safe.

How to keep supply chains safe

On 15 September 2022, the European Union announced it would be advancing legislation to strengthen security requirements for all digital hardware and software products.

Even with this new framework, ENISA continues to highlight its recommendations for customers and suppliers to minimise the risk of a supply chain attack, whether they use blockchain solutions or not.

Recommendations for customers include:

  • Identifying and documenting service providers and suppliers.
  • Defining risk criteria for different types of suppliers and services (for example, supplier and customer dependencies, critical software dependencies, and single points of failure).
  • Continuous monitoring of supply chain risks and threats, this includes architecture and supported systems.
  • Managing suppliers throughout the complete lifecycle of a product or service, including end-of-life products or components.
  • Classifying assets and information that are shared with (or accessible) to suppliers, defining relevant procedures for accessing and handling them.

As for suppliers, ENISA recommends:

  • Confirming that the infrastructure used to design, develop, manufacture, and deliver products, components and services follow proper cybersecurity practices.
  • Implementing consistent product development, maintenance and support processes.
  • Continuous monitoring of security vulnerabilities reported by internal and external sources, including used third-party components.
  • Maintaining an inventory of assets that include patch-relevant information.

A-LIGN can help mitigate risk

No one security posture can keep you safe. Organisations should not rely on security processes or frameworks alone. For maximum protection, you must put your security controls to the test.

Penetration testing is designed to assess the cybersecurity of your organisational technologies and systems. A-LIGN’s OSEE, OSCE, and OSCP Certified Penetration Testers employ automated and manual techniques to find weaknesses in servers, end-user workstations, wireless networks and web-based applications. They also assess security awareness, and the human-layer and physical facility controls to provide a complete picture of an organisation’s level of protection.

If you would like to test your organisation’s systems, contact A-LIGN today.

Today’s hackers are setting their sights on cloud resources. Just recently hacker group Cloaked Ursa – also known as APT29, Nobelium, and Cozy Bear — executed a massive effort targeting Google Drive and Dropbox.  

Cloud breaches are leaving companies across industries vulnerable to hacks. In the last few months of 2022, password manager LastPass suffered a data breach when hackers gained access to a third-party cloud storage service and HR software maker Sequoia reported a breach of its cloud storage repositories, which put customers’ sensitive personal data at risk.  

How can you prevent something similar from happening within your organisation? The most important thing to do is to identify vulnerabilities exist. For most organisations, that includes: 

  1. The Human Element (People)  
  1. Logging and Monitoring procedures 
  1. App integrations and 3rd party components or libraries 

In this blog, we’ll provide cloud security tips to help your organisation strengthen these vulnerable areas to decrease the likelihood of an attack.  

Cloud Security Tip #1: Educate Employees to Prevent Social Engineering Attacks 

Many breaches involve a form of social engineering, where hackers exploit the human element to trick people within an organization into providing some sort of access to sensitive data. In fact, in a recent survey, 75 percent of respondents cited social engineering/phishing attacks as the top threat to cybersecurity at their organization.  

Phishing is a very common strategy and most often takes the form of emails, website forms, or phone calls that encourage readers to click a link that is used to install malware or reveal personal information like credit card numbers, social security numbers, or account login credentials. Hackers have become quite sophisticated in their efforts, impersonating colleagues or other reputable sources to deceive employees.   

Organization’s must prioritize educating their employees about these attacks, so breach attempts can be more easily identified and thwarted. It’s helpful to share examples of phishing attempts throughout your company so employees can better identify authentic communications.  

It’s also important to educate employees on an ongoing basis. Hackers are constantly updating/changing their methods — they switch methods once a new one is proven to be effective. With that in mind, your education efforts for employees (also known as security awareness training) should focus on relevant current attacks/threat vectors being used by bad actors.  

Cloud Security Tip #2: Use Automation to Mitigate Logging and Monitoring Vulnerabilities 

Hackers often take advantage of insufficient logging and monitoring procedures, which give them more time to penetrate systems unnoticed. This is a huge advantage for them. With more time to discover exploitable vulnerabilities, hackers can increase the likelihood of maximum damage.  

While hackers poke around your systems, your organisation may not even notice a system anomaly that needs to be investigated.  

The most common insufficiencies we see across organisations include: 

  1. Logging level configuration issues. When logging levels aren’t set correctly or are set too low, you can miss alerts about unexpected activity that require investigation. 
  1. A lack of log sources configured or onboarded. Without log sources, your organisation has no visibility into critical areas of your infrastructure — and therefore can’t detect suspicious activity.  
  1. Insufficient error messages. When error messages lack key details, it’s impossible to contextualize anomalies and decide if they need to be investigated. 

Consider using automated solutions to improve your logging and monitoring processes. This will allow you to notice and respond to anomalies at scale. 

Cloud Security Tip #3: Conduct Penetration Tests to Secure App Integrations 

Web applications are particularly vulnerable to attacks. Nowadays there are so many integrations that threat actors can take advantage of. Particularly, threat actors have been able to move laterally across the cloud with applications that were either not developed securely or have vulnerabilities within the integrations themselves. 

To monitor your app integrations, it’s essential to conduct regular penetration tests. Your organization should regularly test to identify weaknesses in web applications before an attacker identifies them. This includes testing to ensure integrations are supported and updated.  

A penetration test will show if there are unintended vulnerabilities that can be used to move laterally across different parts of your organisation’s cloud, so you can perform the necessary remediations immediately. 

Secure Your Cloud Resources Today 

Don’t wait to secure your cloud resources. Hackers continue to become more sophisticated with new strategies to discover vulnerabilities within any environment and target sensitive information. A breach can cause financial losses, reputational damage, and result in expensive GDPR fines and penalties for your organization.  

Start the process to protect your resources today by conducting a penetration test to identify your biggest areas of concern.  

Watch this video so you know what to expect during the process then contact the experts at A-LIGN to set up your first test. 

Over the last couple years, more and more organisations conducting business throughout the European markets have been seeking a SOC 2 assessment in addition to the ISO 27001 certification. So much so, many have begun to speculate whether the US originated SOC 2 audits will replace the need for the international ISO 27001 certification in these EMEA markets.   

The short answer: Not quite. 

While both provide some level of assurance to clients and regulating bodies, a SOC 2 assessment and an ISO 27001 certification by definition are two different processes.  

ISO 27001 is an internationally recognised standard with a framework of controls that can be applied to any organisation, regardless of the size or sector, with a pass/fail certification decision.   

A SOC 2 assessment is an audit standard created by the American Institute of Certified Public Accountants (AICPA) in which a CPA (Certified Public Accountant) will review your policies, procedures, and systems against five categories called Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). The independent assessor’s detailed SOC 2 report contains their expert opinion of how well the organization meets the selected criteria in regard to protecting all aspects of its systems.

Why the speculation?  

The rising use of SOC 2 in the US over the past decade is due to many large companies becoming more proactive about their cybersecurity risk management. These organizations began setting forth requirements stipulating that their vendors must have a SOC 2 report ready as part of the due diligence process. 

Over the past two years, a similar chain of events has started to play out in Europe. Increasingly, companies in certain key industry sectors require SOC 2 reports so they can determine whether organisations along the supply chain have the necessary controls in place to protect the data of all parties involved.  

The SOC 2 report is more in-depth than an ISO 27001 certificate. With the result of a SOC 2 assessment being an extensive attestation report up to 150+ pages in length, it tends to give a company’s partners and clients a higher level of detail about their security posture compared to the result of an ISO 27001 audit which is simply a one-page certification letter. This is one of the leading reasons why the cybersecurity compliance norm in Europe is beginning to welcome SOC 2 as an excellent supplemental security framework.    

Which is better: SOC 2 or ISO 27001?  

Because the two differ in scope and function, identifying one as superior over the other isn’t the correct way to think about it. Depending on the organization’s goals and capabilities, one may be better to prioritize as the first approach to security. Identifying which one is right for your organization can be done by consulting with an information security governance, risk and compliance management consultancy firm.  

You may find that leveraging both a SOC 2 assessment and an ISO 27001 certification only increases the efficacy and durability of your cybersecurity posture, enabling you to tap into the US and EMEA markets with a greater competitive edge. Utilising audit consolidation tools such as A-SCEND allows organizations to easily satisfy multiple audit requirements by deduplicating evidence collection, saving time and resources during the completion of both audits.  

Different Markets Require Different Compliance Needs 

In addition to SOC 2 and ISO 27001, there are several different certifications and standards that organizations can leverage to remain compliant in their region of operation and improve their security posture. For organizations who wish to do business in the UK, attaining a Cyber Essentials (CE) Certification (a certification developed by the UK Government and industry to help protect organizations against common online attacks) is a must. Additionally, compliance with the Data Protection Act 2018 is another compliance requirement unique to the UK. 

Equally, operators of essential services (OES) and related digital service providers (RDSPs) in the EU must adhere to the NIS Directive (Directive on security of network and information systems). Any company conducting business and/or processing EU residents’ personal information must comply with the GDPR (General Data Protection Regulation). 

Strengthening Your Business’s Compliance Programme    

Ensuring the privacy of consumer data and the protection of information will continue to be of utmost importance for your organisation in the coming years. If you’re looking to fine-tune your business’s compliance programme in order to abide by the latest regulations, while also winning new business, A-LIGN can help. Our expertise spans privacy impact assessments, GDPR-related services, ISO 27001 Certification and SOC 2 examinations. We have everything needed to take your compliance program to new heights in 2023. 

Are you confident in your organisation’s personal data because of the security measures, policies and procedures you have in place? For many organisations, this is a false sense of security. Establishing policies and procedures is not a one and done task. Cybersecurity efforts should involve your entire organisation from the top down and be treated as an ongoing effort.

With the shift to remote work came a drastic increase in data breaches, making cybersecurity more important than ever before. In this article, we will review the importance of data protection and establish how zero-trust architecture will help to better secure your European organisation’s personal information.

Data Protection- The Baseline to Cybersecurity

Data protection concentrates on the data itself, closely tracking who is using it and where it’s being sent, and blocks access based on certain conditions previously set. Establishing these conditions are the baseline steps to help to protect your organization against cybercrime. 

Since hackers can only steal information that is accessible to them once they gain access, one of the most effective ways to mitigate risk is to limit the data collected. For example, you shouldn’t collect any information that is not directly relevant to your business. If you must collect the data, be sure to set a retention time holding policy to direct staff on when to purge the data. This organisational practice applies not only to data stored on premise, but also in the cloud.

Employee education also directly ties into data protection. The majority of employees will trust they are purging data when they simply remove the documents from their desktop, not realising duplicate files are also located within their computer. Learning how to properly dispose of data will drastically minimise the amount of data that can be compromised if hit by malicious threat actors.

Data protection is a common practice for European organizations. We are now seeing the U.S.-driven approach of zero trust gaining traction in the E.U. as an additional layer of cybersecurity. In response to the SolarWinds attack in 2020, the National Cyber Security Centre (NCSC) encouraged the widespread adoption of zero-trust security frameworks.

What is zero trust?

Establishing a zero-trust architecture means that your organization will restrict access to resources to only employees who need them. Every time an employee wants to access data or a resource, they must reauthenticate and prove who they are and that it’s necessary to their job function. Zero trust uses the methodology of least privilege, never trust, always verify.

Adding a zero-trust architecture to your data protection protocols will help to strengthen the security of your European organisation. The zero-trust principles assume that an internal network is already infected with many threats and creates an additional wall of protection to stop the spread and avoid becoming a cybersecurity event.

Driven by the SolarWinds attack, the General Data Privacy Regulations (GDPR) and the recent COVID-19 pandemic, European organisations need extra layers of security to best mitigate the threat environment.

Harden Your Organization’s Cybersecurity

Assuming a European organization has already established data protection standards and a zero-trust architecture, they should identify and highlight threat and risks with penetration testing and vulnerability scans to minimize the attack surface.  

Penetration tests (pen tests) are simulated cyberattacks performed by ethical hackers to assess the cybersecurity posture of your technology and systems. The process is carried out on real systems and data using the same approach a malicious hacker would use. It’s important to note that the data or personal information collected is not sold or distributed in any way.

To add an additional layer of security, consider undergoing a vulnerability scan. This exercise checks an organization’s network and systems against a database of known vulnerabilities. If your organization pairs a vulnerability scan with a pen test, you’ll have a more holistic view of your security posture to remediate any known vulnerabilities.

Prepare for a Cyberattack

It will be no surprise that human error is cited as the number one cause of data breaches and cybersecurity events. Examples of human error include default password usage, lost devices, unlocked devices, incorrect disclosure procedures, failure to manage system patches etc. As you can tell from this list, cybersecurity education for all employees is necessary and can help to prevent data breaches caused by human error.

When it comes to keeping your organization secure, it’s not a matter of if but when a cyberattack will occur. It’s important to take a proactive approach to cybersecurity by establishing your data protection plan and zero-trust architecture, then hardening your security posture with penetration testing and vulnerability scans. Putting all these tools in place now will help your organization avoid a costly cybersecurity attack in the future.

Is your European organization ready to implement zero trust? Our certified experts can help you today.

January 2023, HITRUST releases the HITRUST CSF v11. This latest upgrade comes with a series of changes that are said to both increase effectiveness while reducing certification efforts by 45% from its predecessor CSF v9.6. The reduction in efforts toward HITRUST Certification through greater efficiency is because of improved control mappings and precision of specifications afforded through CSF v11.  

To achieve these added efficiencies, CSF v11 introduces a threat-adaptive portfolio of assessments which moves the r2 baseline to the i1 requirements and includes i1 requirements as ‘Core’ on an r2 assessment. These overlaps in requirements enable organizations to use work completed on lower assessments towards more robust ones in the future.  

CSFv11 also welcomes the addition of a cybersecurity essentials assessment and the i1 Rapid Assessment to the list of HITRUST services. Here is everything you need to know about the new CSF v11, along with its new assessments and guidelines for Third Party Risk Management (TPRM).  

The new essentials, 1-year (e1) assessment  

This new assessment is designed to enable low risk organizations of any size to assess the general cyber hygiene of their operations against new and emerging threats and demonstrate the implementation of any necessary controls. The e1 assessment certification carries 44 Curated Requirements from the HITRUST CSF and is good for one year and annual renewal. Organizations may obtain certification after completing the e1 assessment and necessary conditions are met.  

This new assessment includes:  

  • A readiness self-assessment   
  • Controls and mitigations designed to defend against new and emerging threats  
  • Notifications for assessed entities of relevant changes in control guidance and mitigations to evaluate the current effectiveness of specific control implementations  
  • A streamlined assurance program that minimizes the burden on assessed organizations   
  • The ability to electronically distribute results as opposed to requiring a PDF report   

To maintain an adaptive set of controls for this framework, HITRUST will leverage its Cyber Threat-Adaptive Approach that frequently evaluates current Indicators of Attack (IoA) and Indicators of Compromise (IoC) against the controls currently in place.  

Updates to the i1 assessment CSF v11  

In addition to the new e1 Assessment, HITRUST announced a new version of the i1 Assessment, which includes a new i1 Rapid Assessment.  

The updated i1 Assessment under v11 will replace the existing i1 Assessment under v9.6 and will now include around 170 to 190 required control statements. This comes as a reduction in requirement statements from the existing i1 Assessment, which had 219 requirement statements.   

HITRUST explains the reasoning for this reduction comes from a refreshing of source mappings and from a better understanding of the current threat climate, allowing a more streamlined set of requirements that maintain a high level of security.  

The new i1 Assessment under v11 will have a Rapid Assessment option which provides an accelerated means for recertification by demonstrating your control environment has not materially degraded. Control degradation is defined by HITRUST as issues in the performance of a controlled operation of a control that exists when performing a rapid certification that was not present during the initial i1 assessment a year ago. Should any controls come back as degraded, you have options:  

  • For two or fewer below passing scores, you are allowed to renew and not deemed degraded  
  • For three or four below passing scores, you may expand your sample of requirement statements to try again or convert your rapid to a full i1 assessment   
  • For five or more below passing scores, you will need to convert your rapid assessment into a full i1 assessment.  

This new i1 rapid assessment option can only be used every other year. After being used for one year, the organization will need to complete a full i1 assessment.   

To be eligible for an i1 Rapid Assessment, organizations:  

  • Must hold an i1 certification using CSF v11 or later the previous year  
  • Must assess the same scope as their last assessment  
  • Must have no critical change in any security infrastructure from their last assessment  

New third-party risk management quick-start guidelines in CSF v11  

The latest changes to the HITRUST Third-Party Risk Management guidelines are meant to simplify the assurance process for third parties and those who rely on them. The Quick-Start Guide helps organizations implement the information security-related components of a comprehensive third-party risk management program. It is designed to:  

  • Streamline usage of the HITRUST TPRM Methodology  
  • Distill the broader methodology into clear actionable steps  
  • Provide clear guidance on computing inherent risk, classifying vendors, and selecting the appropriate level of third-party assurance  
  • Summarize alternative approaches to satisfy requirements and associated risks   
  • Provide links to reference material for continuous education  

You can learn more about the HITRUST TPRM here.  

HITRUST legacy CSF version sunsetting timeline  

HITRUST also plans to sunset older versions of CSF Assessments in the coming years. Here is what to expect.  

For older r2 Assessments:  

  • September 30th, 2023: The ability to create a new v9.1 – v9.4 r2 Assessment will be disabled.   
  • December 31st, 2024: The ability to submit v9.1 – v9.4 Assessment objects will be disabled.  
  • March 31st, 2026: CSF v9.1 – v9.4 libraries will be removed from MyCSF. Note that CSF versions 9.5 and 9.6 will remain available in the CSF libraries.  

i1 Assessments will transition to v11 :

  • March 31, 2023: The ability to create a new v9.6.2 i1 Assessment objects will be disabled  
  • June 30th, 2023: The ability to submit v9.6.2 and earlier i1 Assessment objects will be disabled.   

Proper planning = HITRUST success  

With the constant changes to the digital threat landscape and the evolving HITRUST CSF updates, A-LIGN knows HITRUST certification better than anyone. As one of the top HITRUST assessors in the world, we’ve helped more than three hundred clients successfully achieve HITRUST certification.  From readiness to certification, A-LIGN can ensure your organization achieves HITRUST success. Get in touch today.   

Download our HITRUST checklist now!

HITRUST is a standards organization focused on security, privacy and risk management. The organization developed the HITRUST Common Security Framework (CSF) to provide healthcare organizations with a comprehensive security and privacy program. This program was specifically designed to help organizations manage compliance and reduce risk.  

Although the HITRUST CSF has been around for more than a decade, many organizations still struggle with knowing if it’s the right certification for them.  

Here’s what you need to know before your organization decides to complete a HITRUST assessment.   

What is the HITRUST CSF?  

The HITRUST CSF is a comprehensive, flexible, and certifiable security and privacy framework used by organizations across multiple industries to efficiently approach regulatory compliance and risk management.  

This standard provides customers with confidence in knowing their data and confidential information are secure.  

HITRUST vs. HIPAA: What’s the difference?   

While HITRUST and HIPAA may seem similar on the surface, it would be inaccurate to truly pit the two of them against each other.   

HITRUST CSF is acertifiable security and privacy framework with a list of prescriptive controls/requirements that can be used to demonstrate HIPAA compliance. 

HIPAA, or the Healthcare Insurance Portability and Accountability Act, is a U.S. law that details a set of safeguards that covered entities and business associates must follow to protect health information.   

However, a more productive question to ask is “What is the best method for demonstrating HIPAA compliance within my organization?”    

If you’d like to learn more about why you might choose the HITRUST CSF as a means to achieve HIPAA compliance, check out our blog post explaining the benefits of this approach.   

Who must comply with HITRUST CSF? 

The HITRUST CSF was originally designed specifically for the healthcare industry. However, in 2019, HITRUST made the CSF industry agnostic, enabling organizations in any industry to pursue the certification.     

HITRUST Certification is not mandated by the Federal government but is considered to be the most comprehensive framework because of its mapping to many other standards, including HIPAA, SOC 2, NIST, ISO 27001 and  more. 

What are the benefits of HITRUST?   

Many organizations choose to undergo a HITRUST assessment because of how the CSF:  

  • Satisfies regulatory requirements mandated by third-party organizations and laws   
  • Accelerates revenue and market growth by differentiating your business from the competition  
  • Saves your organization time and money by leveraging a solid and scalable framework that includes multiple regulatory standards   
  • Unifies over 40 different regulatory requirements and recognized frameworks (such as ISO 27001, NIST SP 800-53, HIPAA, PCI DSS, etc.)  

What are the types of assessments?  

There are three types of HITRUST CSF Validated Assessments, each with its benefits. They are as follows:  

HITRUST CSF e1 Assessment, HITRUST CSF i1 Assessment and HITRUST CSF r2 Assessment. The e1 Assessment is a new Assessment type that HITRUST released January 2023.  

HITRUST CSF e1 Assessment 

The e1 is the cybersecurity essentials assessment with 44 control requirements and is meant for low-risk organizations that want to ensure they are maintaining good cybersecurity hygiene. It will provide a low level of assurance but can serve as a stepping stone for more robust HITRUST certifications like the i1 and the r2.  

More details on this new product can be found in our recent blog post.   

HITRUST CSF Implemented, 1-year (i1) Assessment   

The i1 Assessment  focuses on leading security practices with a more rigorous approach to evaluation than other existing assessments in the marketplace.   

The i1 Assessment provides moderate assurance. Although meeting all requirements of an i1 Assessment will lead to a 1-year certification, it does not have coverage for the 40+ regulatory factors in the HITRUST CSF.  

HITRUST made changes to the i1 Assessment as of January 2023. The new i1 Assessment is based on the new CSF v11 (also released January 2023) and has fewer controls than the current i1 Assessment. There are 182 control requirements in the new i1 Assessment vs. 219 in the previous version. Also, once the HITRUST i1 certification is obtained, the organization would have the option of doing an i1 rapid recertification in year 2 instead of an i1 full certification, if requirements are met.  More details on the new i1 Assessment and the rapid recertification option can be found in our recent blog post

HITRUST CSF Risk-based, 2-year (r2) Assessment  

Formerly known just as the CSF Validated Assessment, the r2 Assessment focuses on a comprehensive risk-based specification of controls. It also takes a very rigorous approach to evaluation, which is suitable for the high assurance requirement. This certification is issued for two years, and  an Interim Assessment must be completed at the one-year mark.   

Although this assessment provides the highest assurance level certified by HITRUST, the completion process is costly and requires a high level of effort and resources.  

If you’d like to learn more about the key differences between HITRUST i1 and HITRUST r2, read our blog post to learn about which assessment is best for your organization.  

What is the HITRUST assessment process?   

The HITRUST Assessment process is composed of five steps:  

  • Step 1: Define Scope. During this stage, an organization either works with a third-party assessor or an internal subject matter expert to define scope and determine what type of HITRUST assessment to undergo.  
  • Step 2: Obtain Access to MyCSF portal. The organization (the entity being assessed) contacts HITRUST to get access to the MyCSF portal. After receiving access, the organization should create its assessment object and engage an approved third-party assessor firm.   
  • Step 3: Complete a Readiness Assessment/Gap-Assessment. The assessor performs appropriate tests to understand the organization’s environment and flow of data between systems, and then documents any possible gaps. The gap assessment also ranks gaps in your organization by risk level, allowing you to remediate any gaps before the validated assessment.  
  • Step 4: Validated Assessment Testing. During the validated assessment (either the e1, i1 or r2 Assessment) testing phase, assessors review and validate the client scores, then submit the final assessment to HITRUST for approval. HITRUST will then decide whether to approve or deny your organization certification. The HITRUST QA stage in the process (before issuing the certification) can take anywhere from four to ten weeks, depending on the assessment and the assessors’ level of responsiveness.  
  • Step 5: Interim Assessment Testing. If certification is obtained as part of the r2 Assessment, an interim assessment is required to be conducted at the one-year mark  to maintain certification. It is important to note that an interim assessment is not required if certification was obtained via the e1 or i1 Assessment.  

To view a comprehensive, step-by-step guide to the HITRUST CSF Assessment process, download our HITRUST CSF Companion Guide.    

What are the HITRUST policies and procedures?   

The biggest challenge many organizations face in obtaining a HITRUST CSF Certification is establishing policies and procedures that satisfy the HITRUST requirements. This is more  challenging for r2 Assessments. It is important to note that some policies and procedures are still required to be tested in an e1 and i1 Assessment, even though the tests performed will be less rigorous than for the r2 Assessment.  

HITRUST policies and procedures must be created, documented, and in place for at least 60 days prior to the validated assessment to achieve full compliance. Policies are established guidelines and rules an organization and its employees must follow to achieve a specific goal, whereas procedures are the documented steps for the organization to meet the defined policies.  

For a full description of the specific policies and procedures  to obtain HITRUST CSF certification, read our blog post on the subject.  

Which policies and procedures does my organization need to document? 

The HITRUST CSF is a flexible and scalable security framework that is adapted to each organization’s compliance needs so the policies and procedures required will depend on your scope. 

You must have policies and procedures in place that address at least 19 HITRUST control domains. Your organization must receive a maturity score of at least “3” (on a scale from 1-5) for each control domain to earn HITRUST r2 certification. The HITRUST CSF control domains are: 

  1. Information Protection Program 
  2. Endpoint Protection 
  3. Portable Media Security 
  4. Mobile Device Security 
  5. Wireless Security 
  6. Configuration Management 
  7. Vulnerability Management 
  8. Network Protection 
  9. Transmission Protection 
  10. Password Management 
  1. Access Control 
  2. Audit Logging and Monitoring 
  3. Education, Training, and Awareness 
  4. Third-Party Assurance 
  5. Incident Management 
  6. Business Continuity and Disaster Recovery 
  7. Risk Management 
  8. Physical and Environmental Security 
  9. Data Protection and Privacy 

Why is it important to choose HITRUST-compliant vendors and partners?  

After receiving a HITRUST CSF Certification, continue managing risk by assessing exposure from third-party business partners.    

With cybersecurity compliance constantly evolving as new threats emerge, it doesn’t matter how great the security is if third-party vendors do not also have great security creating a risk exposure vector to your organization.   

In fact, many large healthcare corporations, including Anthem, Health Care Services Corporation (HCSC), Highmark, Humana, and UnitedHealth Group sent a memo to most of their downstream vendors to achieve HITRUST Certification. This was enacted to ensure the safe handling of all sensitive information.      

When selecting vendors, be sure to perform a risk assessment to confirm they have a risk mitigation strategy in place. This is the first step to ensure that they can protect the data that might be shared with them. Requesting a security compliance report, like a HITRUST Validated Assessment, SOC 2, PCI DSS, or NIST 800-53, among others, is a good approach to meet this objective.       

For more on how to properly vet HITRUST-compliant vendors, read our blog on the topic.  

Can HITRUST certification satisfy other requirements?  

In short, yes. HITRUST CSF Certification draws from several major pre-existing frameworks to provide a complete, certifiable security standard. The nature of this foundation may simplify the steps an organization needs to take to satisfy other requirements.  

Three major requirements HITRUST CSF Certification can help satisfy include SOC 2, ISO 27001/NIST 800-53 and FedRAMP.  

HITRUST and SOC 2 

A SOC 2 report describes the internal controls at a service organization, providing users withmanagement assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. Service organizations that provide services to other business entities commonly use SOC 2 reports.    

HITRUST and the AICPA have developed a collaborative approach that aligns the AICPA’s Trust Services Criteria with the HITRUST CSF criteria. This converged reporting model makes HITRUST and SOC 2 complimentary services.     

HITRUST and ISO 27001/NIST 800-53   

The foundations of HITRUST CSF were actually built upon ISO 27001 and NIST SP 800-53. However, ISO 27001 is not control-compliance based, and is instead a management/process model for the Information Management System that is assessed.   

Unlike HITRUST CSF, NIST 800-53 does not address the specific needs within the healthcare industry. This means that while ISO 27001 and NIST 800-53 are both beneficial frameworks to demonstrate cybersecurity standards, they are not as comprehensive as HITRUST CSF.    

Fortunately, HITRUST Certification covers many more factors than ISO 27001 and NIST 800-53, making both assessments easier to attain after being HITRUST CSF Certified.   

HITRUST and FedRAMP   

The Federal Risk and Authorization Management Program (FedRAMP) is a certification that serves to raise confidence in the security of cloud service providers (CSPs) utilized by the Federal government.     

 FedRAMP requirements can be easily mapped to the HITRUST CSF framework. Organizations interested in pursuing FedRAMP certification should consider adding it to their HITRUST assessment. This provides a FedRAMP benchmark and reveals areas to mature, but  is not the equivalent of achieving FedRAMP Certification.    

For a complete list of requirements that HITRUST CSF Certification can assist with, read more here.   

Get started with HITRUST Certification 

HITRUST Certification may seem daunting, but it doesn’t have to be. There are many steps organizations can take ahead of time to streamline the process.   

The best way to set yourself up for a successful HITRUST Assessment is to make the time and resource investment upfront. This means hiring an external assessor firm that understands your business and industry, and has proven HITRUST Certification success. Thoroughly scope the project with your assessor to understand everything needed for the project.   

For more on the do’s and don’ts of beginning your HITRUST journey, check out this blog post.    

How long is HITRUST Certification valid? 

The HITRUST e1 and i1 certifications are valid for one year while the r2 certification is valid for two years if the Interim Assessment is completed successfully and timely.  

Note that the HITRUST certifications should be treated as a continuous improvement and monitoring assessment and not a static once and done type of assessment. And this is because the threat landscape is always evolving and so the HITRUST CSF. 

How much does HITRUST cost? 

HITRUST Certification greatly varies in price from approximately $40,000-$200,000, depending on the size, risk profile and scope of the assessment. 

The cost will be determined by the number of controls tested and the scope of the environment.  

Note that self-assessments are much less expensive but do not carry the same level of assurance because the process does not involve a third-party assessor. 

What’s an example of HITRUST Certification in the real world?  

Below are customer case studies in which the organization earned HITRUST Compliance to drive revenue, build customer trust and better their security posture.  

What’s the history of HITRUST CSF? 

HITRUST was founded in 2007 to make information security a focus of the healthcare industry. HITRUST has now moved beyond healthcare and is a widely adopted, industry-agnostic framework. 

Start your HITRUST journey  

With more than 400 successful HITRUST Assessments completed, A-LIGN’s team of HITRUST experts is here to answer any question you might have through every step of the process by responding to all inquiries within 24 hours. With A-LIGN, you’re on the right path to HITRUST Certification success.   

Speak with an expert at A-LIGN today! 

The world of compliance is one of numerous assessments and certifications, each varying in scope and effort depending on the industry they serve and the level of security. Figuring out which one is right for your organization can effectively and efficiently bolster your security posture and improve your competitive edge.  

On the flip side, spending time and effort on the wrong assessment can unnecessarily exhaust your organization’s resources.  

Between SOC 2, ISO 27001, PCI DSS, Federal compliance, HIPAA, and HITRUST, there are numerous factors to consider, such as timelines and organizational benefits. To help you make the right decision when choosing your next compliance initiative, our compliance experts put together a quick guide of the most common assessments, including their scope, timeline, and potential prerequisites.  

This article draws from the compliance Crosswalk Podcast, where A-LIGN’s practice leads for multiple compliance service lines shared their thoughts on which compliance assessments might be right for organizations of various types. They discuss the specifics in each of their areas including timelines, prerequisites, and common misconceptions, as well as how to identify which compliance assessments will best suit your organization’s needs. Listen here

ISO 

What is ISO 27001/27701? 

ISO is an international standard that helps organizations manage the security of information assets. It provides a management framework for implementing an Information Security Management System (ISMS). ISO is meant to ensure the confidentiality, integrity, and availability of all data that passes through the company. ISO 27701 is an additional assessment that can be added to ISO 27001 focusing on Privacy.  

Who is ISO 27001 for? 

ISO certification is excellent for any organization that is interested in doing business internationally. In addition, as a risk-driven standard, ISO 27001 is an excellent assessment for any organization focused on the confidentiality, integrity and availability of the data in your environment.  

What prerequisites are there to complete an ISO 27001/27701? 

Both ISO 27001 and 27701 have little-to-no barriers to entry. The standard itself is very similar whether you’re a small business or a large company. Aside from initial project scoping, there are no prerequisites. 

How long does it take to complete an ISO 27001/27701? 

ISO 27001 can take three to four months from start to finish and varies by organization since it isn’t’ a checkbox audit, but rather a discussion-based audit. The process is broken up into two stages.  

The first stage on average takes around six weeks and includes a review of your company’s documentation to confirm it follows the ISO 27001 standard.  

Stage two can take four to eight months depending on the size of your organization and consists of interviews, an inspection of documented evidence, and process observation aimed at testing these controls and confirming your organization’s compliance. Following stage two is a round of remediations, which may vary in time depending on your specific audit.  

Why ISO 27001/27701 valuable to your organization? 

Being an international standard means your ISO Certification will be recognized by organizations throughout multiple markets outside around the world. You don’t need to have international operations to obtain this certification, making obtaining an ISO certification a great way to enter new markets.  

PCI DSS 

What is PCI DSS? 

PCI DSS (Payment Card Industry Data Security Standard) is a widely accepted Industry enforced and run standard consisting of a set of policies and procedures intended for organizations that handle credit, debit, and cash card transactions to ensure the protection of cardholders’ personal information. 

Who is PCI DSS for? 

PCI DSS is for companies that handle sensitive credit card data. PCI DSS can also apply to companies that provide services within Card Data Environments (CDE). If you affect the security of a CDE or a client CDE, then you can be brought into scope for a PCI DSS assessment.  

How long does it take to complete a PCI DSS assessment?  

The preparation phase can take about six to eight months for those undergoing the assessment for the first time, and around three to four months on average for a renewal assessment. The amount of time it takes to complete the assessment ultimately varies depending on the organization’s environment, what its processes are, and what its infrastructure looks like.  

Entities that are very large are continuously prepping. As soon as one audit ends, they’re prepping for the next year, making PCI DSS a continual process for them. Whereas smaller entities may have less of a lift to continually maintain those processes. 

Why is PCI DSS valuable to your organization?  

Obtaining a PCI DSS Report on Compliance (ROC) and Attestation of Compliance (AOC) demonstrates your organization’s commitment to payment card data security and identifies the level of validation you have achieved. Failing to maintain PCI DSS compliance can range in fines from $5,000 to $100,000 per month depending on the size of the company and the scope of noncompliance. 

Penetration Testing & Vulnerability Scans 

What is Penetration Testing & Vulnerability Scans? 

Vulnerability Scans are automated exercises that identify known vulnerabilities in your network devices, hosts, and systems. These scans offer a quick snapshot of potential weak points in an organization that an attacker could potentially leverage in an attack. There are multiple types of Vulnerability Scans including Quick, Full, and Compliance scans. These scans can also be performed at a point in time or single, monthly or quarterly. 

Penetration Tests are manual exercises that evaluate the effectiveness of your organization’s cyber defenses by attempting to exploit discoverable vulnerabilities utilizing the same tools and techniques hackers use. Pen Tests can include mobile and web apps, networks, wireless, and social engineering (phishing email, vishing phone, physical entry). These assessments are often used as part of SOC 2, PCI DSS, FedRAMP, and more.  

Why is a Penetration Test valuable to your organization?  

Both a penetration test and a vulnerability scans are with compliance frameworks such as SOC 2 or PCI DSS in mind. If you’re undergoing a compliance audit, there’s a high chance that you need a pen test. Even if you’re not completing an audit, a pen test is a very important exercise to perform as it allows you to better understand what your potential threat surface may be. A penetration test will also help identify frameworks and components in use across the organization that may be outdated, such as third-party libraries in mobile and web applications. This can help organizations stay up to date and shift to new frameworks and libraries with long-term support. Results from a penetration test can be used to understand if an organization has effective detection capabilities across systems and hosts, and where gaps may exist. 

HITRUST 

What is HITRUST? 

HITRUST Alliance is a private company founded in 2007 that offers the HITRUST Common Security Framework (HITRUST CSF). By pulling from major pre-existing frameworks, and working with organizations to better understand their needs, HITRUST provides a complete, certifiable security and privacy standard. This standard gives customers confidence that their data and confidential information is secure. 

Who is HITRUST for? 

HITRUST CSF is a security framework that provides a comprehensive approach to HIPAA compliance and enables organizations to cover both security and compliance components of HIPAA and is tailored to the requirements of their specific industry.  For these reasons, many healthcare organizations and those working with healthcare companies undergo a HITRUST certification. Since HITRUST is based on many pre-existing frameworks, some organizations outside of the healthcare industry also find HITRUST as a helpful assessment to ensure they are meeting security and privacy standards. 

How long does a HITRUST Assessment take? 

HITRUST typically takes six to eighteen months, depending on the scope of the project and the preparation required. 

Why is HITRUST valuable for your organization? 

Achieving HITRUST Certification satisfies regulatory requirements mandated by third-party organizations and laws, in addition to helping your organization differentiate from the competition, resulting in increased revenue and market growth. In addition to the added revenue, HITRUST Certification saves time and money by leveraging a solid and scalable framework that includes multiple regulatory standards. 

SOC 

What’s the Difference Between SOC 1, SOC2, & SOC 3? 

SOC stands for System and Organization Controls and is one of the most sought-after security assessments in the US market. The American Institute of Certified Public Accountants (AICPA) organization is the governing body of the SOC framework. There are three kinds of SOC assessments: SOC 1, SOC 2, and SOC 3. 

SOC 1 assesses your organization’s controls that have the ability to impact the financial statements of your end users. This includes business process controls based on the organization’s services, as well as information technology general controls that support the overall security of the system. 

 A SOC 2 audit examines your organization’s controls that are in place to protect and secure it’s the system and services used by customers or partners. The security posture of your organization is assessed based on the requirements within a SOC 2 examination, known as the Trust Services Criteria (TSC).   

A SOC 3 is a general-use version of a SOC 2. A SOC 2 may contain sensitive details about an organization’s system, including details about your people, processes, and technology that should not be shared with the general public. Obtaining a SOC 3 allows you to share your report without any sensitive information included. 

Who is SOC for? 

SOC 1: Because a SOC 1 deals with organizations that provide services that can impact the financial statements of their user entities or their clients, not all organizations need a SOC 1 but anyone who wants one can typically get one. 

SOC 2: Any organization that can affect another company’s information security can and is encouraged to obtain a SOC 2 report. This makes it the most common compliance assessment in the United States and is gaining traction in other markets around the world. 

Why SOC 2 is valuable to your organization? 

SOC 2 has become the unofficial baseline for security compliance in the United States. Having a SOC 2 report enables your organization to demonstrate its dedication to security, builds trust with current and future customers, and opens up an array of business opportunities.   

Federal  

What is Federal Compliance?  

The Federal Information Security Modernization Act (FISMA) of 2014 says every federal agency must have a formal cyber security program that includes a risk management review of a system before it’s used for the government, whether the government owns it or they’re contracting that service from someone else. From this, all federal assessment and authorization frameworks are created by the National Institute Standard of Technology (NIST), the federal agency was tasked with providing general guidance on federal cybersecurity. From NIST, we get a series of different assessment and authorization frameworks for different government agencies and covering various services including NIST 800-171, FedRAMP, CMMC and more. These frameworks are also adopted and modified for State and Local government agencies, for example, StateRAMP. 

Are there any prerequisites for Federal Compliance?  

Federal compliance authorization assessments typically require a federal or other government agency to sponsor your organization’s system offering. If you don’t have an agency that’s sponsoring you through a federal assessment and authorization program, you will most likely not be able to start the assessment. 

What is Risk Management Framework?  

The Risk Management Framework (RMF) is the basis for all federal compliance assessment and authorization programs. RMF is tailorable and specific to each federal agency based on their implementation requirements to meet FISMA. 

What is FedRAMP? 

With the introduction of cloud technology, organizations working with one agency can now have a wide impact across more than any single agency, which led to the creation of the FedRAMP program. FedRAMP is required by any cloud service provider seeking to do business with the Federal Government. Unlike other federal compliance assessments, FedRAMP is a framework that is the same for all agencies within the federal government. A single FedRAMP assessment can be leveraged or reviewed by any Federal agency for them to authorize the use of, or procurement, of that service or product. 

How Long Does FedRAMP Take?  

FedRAMP is very granular, it’s very prescriptive, and it’s very rigorous, making it one of the longest assessment processes. The prep for beginning a FedRAMP assessment can typically take anywhere from six months up to eighteen months. The actual assessment may take anywhere from four to six months. Because of the granularity of the FedRAMP process it’s important to use an experienced assessor who has experience doing many assessments and has the ability to conduct the assessment in the most efficient and effective manner. 

What is StateRAMP 

StateRAMP is the state and local government equivalent of FedRAMP and allows a company offering services to state and local governments to achieve authorization to do business with them. The advantages of going through a StateRAMP assessment are that they allow an organization to conduct business with multiple different state governments using one assessment.  

What is CMMC?  

The Cybersecurity Maturity Model Certificate (CMMC) is a new compliance developed by the Department of Defense (DoD) to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks. It will be required for any organizations that work with CUI and are interested in conducting business with the DoD.  

Interested in learning more about which compliance assessment is right for you? Get in touch today with one of our compliance experts at [email protected].

Myth Busting: Can Your Auditor Assist with the Readiness Portion of an Audit?

by: A-LIGN 09 Dec,2022 5 mins

There’s a myth in the marketplace that CPA firms cannot provide readiness assessments that has left many questioning what type of organizations are ethically able to provide these services, the value of SOC 2 readiness, and the role CPA firms play in the auditing process.

So, what’s the truth? While the guidelines outlined by the American Institute of Certified Public Accountants (AICPA) are intended to maintain an independent point of view by the auditor, they do not limit CPA firms from helping organizations identify gaps and best practices as they are working towards their SOC 2 audit. In the below article, our auditing experts bust three common myths to set the record straight.

MYTH #1
CPA Firms Can’t Provide Readiness Services

Fact: CPA firms absolutely can provide readiness assessment services and are uniquely qualified to identify gaps that may exist.

For organizations preparing their first SOC 2 audit, it is common for the CPA firm to recommend a readiness assessment as a first step. Readiness assessments include identifying gaps within the system and providing industry best practices to remediate those gaps. As a licensed CPA firm, we are uniquely qualified to perform readiness services. We undergo regular peer reviews and independent evaluations to ensure that the strict AICPA guidelines are upheld in all services we provide.

As the #1 issuer of SOC 2 reports in the world, our firm is built on the trust of our clients and we go to great lengths to remain impartial while always having a mind toward the customer.

For the past 13+ years, we have helped thousands of organizations throughout the ENTIRE SOC 2 journey including readiness, audit fieldwork, evidence review, and final report delivery without requiring involvement of third-party vendors. Our experienced team of auditors guide organizations on industry best practices throughout the audit, while upholding A-LIGN’s professional and ethical values.

It’s important to note that software vendors are not peer reviewed, held to any industry standards, or audited by governing bodies.

How A-LIGN Delivers Trust

Our auditors are experts on the standards and ensure we can deliver what is most important to our customers — TRUST. Our firm has undergone four peer reviews mandated by the AICPA and annual audits for The ANSI National Accreditation Board (ANAB) and American Association for Laboratory Accreditation (A2LA). We also submit annual questionnaires for PCI and went through our first CMMC audit. A-LIGN holds several designations, including:

  • Licensed CPA firm
  • Accredited ISO/IEC 27001:2013, ISO/IEC 27701:2019, and ISO 22301:2019 Certification Body
  • HITRUST CSF Assessor Firm
  • Accredited FedRAMP 3PAO
  • Candidate CMMC C3PAO
  • PCI Qualified Security Assessor Company

A-LIGN has delivered more than 5,000 SOC 2 reports for more than 2,500 clients. Our final reports are widely trusted in the marketplace and have a reputation for quality.

MYTH #2
It’s Easier to Use a Software Provider AND an Auditor

Fact: Using a software provider for your SOC 2 Readiness Assessment AND an auditor for your final report creates a disjointed audit process, and in turn, more work for your team.

All SOC 2 audits must be completed by an external auditor from a licensed CPA firm. If you plan to use a software solution to prepare for an audit, it’s helpful to work with a firm who can provide both the readiness software, perform the audit, and produce a reputable SOC 2 report. 

By working with A-LIGN and utilizing A-SCEND throughout your SOC 2 audit process, you’ll have access to your project dashboard to understand your audit in real time. This dashboard allows you to see all of your calls to action, overall progress, items that may be past due, and much more.

To expediate your audit, A-LIGN clients can use the automated evidence collection features of the A-SCEND platform to gather any remaining evidence. As this is a time intensive process, auditing experts highly recommend using a compliance automation software tool to save effort, time and resources.

After your report has been issued, we recommend reviewing A-SCEND’s Crosswalk feature to view how close you are to completing additional compliance assessments. For example, if you have completed a full-scope SOC 2 report with A-SCEND, you’ve also met 90% of HIPAA compliance and 100% of SOC 1 evidence requirements. The Crosswalk feature allows you to benchmark your organization’s compliance against other standard requirements to streamline and consolidate your compliance needs.

MYTH #3
SOC 2 Readiness Assessments Aren’t Necessary in the Audit Process

Fact: SOC 2 readiness assessments can expediate the audit process, saving you time, budget and resources.

Going into your first SOC 2 examination unprepared can be costly to your organization. Identification and remediation of gaps is a critical step in preparing for your audit. Often preparedness activities performed by a non-CPA can provide organizations with a false sense of security with common issues that include incorrect scoping, misleading timelines and failure to understand the intent of the comprehensive requirements.

How can A-LIGN assist? Our automated SOC 2 Readiness Assessment includes a list of questions to answer about your organization’s security posture through our compliance automation software, A-SCEND. Based on your responses, A-SCEND will generate a comprehensive report to gauge your level of readiness. A-LIGN professionals are available to aid in review of the gaps and best practices so that customers can begin remediation.

As a CPA firm, how does A-LIGN maintain independence during the review process? We provide you with best-in-class templates that your organization can use to create any missing policies through our Policy Center in A-SCEND. A-LIGN refrains from making any managerial decisions or actions on behalf of your company, and will not:

  • Implement controls on your behalf
  • Provide step-by-step direction on how to remediate a control gap
  • Write your policies and procedures
  • Configure your systems, tools, or applications

Our experts can help you navigate the common issues experienced for organizations that are new to the SOC 2 journey. Our professionals are available to answer your questions that may come up during the readiness assessment.

The Benefits of SOC 2 Readiness Assessments

A-SCEND’s SOC 2 Readiness Assessment minimizes cost and increases productivity, helping your organization become SOC 2 compliant.  Overall, a SOC 2 Readiness Assessment can:

  • Make SOC 2 Compliance Easy: With everything you need to prepare for your SOC 2 exam, our readiness assessment lays out the questions in a language you’ll understand with multiple-choice Q&As. 
  • Remediate Issues Before Your Exam: Discover any issues or gaps prior to your audit via an easy-to-read readiness assessment report available for download.
  • On-Demand, Expert Advice: Our expert auditors answer your questions through the comments function or live auditor assistance.
  • Learn from the #1 SOC 2 Report Issuer: Our expert auditors have completed thousands of audits and will provide tips and recommendations to assist throughout the SOC 2 exam.
  • Complete SOC 2 Without Switching Auditors: The information from your readiness assessment will directly relate to your Information Request List (IRL) during the audit process. Any evidence you already uploaded will automatically transfer over to your SOC 2 examination.

Better Prepare for Your SOC 2 Examination

A-SCEND’s SOC 2 Readiness Assessment is the only compliance management solution that includes live auditor assistance from a CPA firm. Once you’ve prepared for your SOC 2 examination, there’s no need to find another auditing firm- our professionals can take you from readiness to final report. To learn more about our SOC 2 Readiness Assessment, please complete the form below.

Pursuing a SOC 2 audit brings value to your organization in a number of ways. The in-depth audit provides you with increased insight into your security posture and gives you a better understanding of your opportunities to improve controls and processes. A SOC 2 audit also provides a competitive advantage and boost to your organization’s reputation — customers and prospects can rest assured knowing your organization takes security seriously. 

A SOC 2 audit isn’t just a one-time exercise. The audit must be renewed yearly. Consistently renewing your SOC 2 audit builds continuity with your controls and processes and helps to ensure that everything you put in place continues to function as needed.  

The renewal process may sound time consuming at first, given how in-depth the initial SOC 2 audit process can be for an organization. But renewals don’t have to be a burden.   

Here are some tips and tricks to help navigate the renewal process so you can save time and money, and use internal resources strategically.  

1. Work with the Same Auditor 

If you were happy with your service during the initial SOC 2 audit, work with the same vendor for the renewal process. Working with the same auditor year after year will create efficiencies in the audit process. The vendor will become familiar with your environment and internal processes, and you’ll avoid the time-consuming task of onboarding a new audit firm each year — which can take weeks.  

If the vendor uses compliance automation software to streamline the evidence collection or audit process (like A-SCEND), you may also benefit from rollover features within that technology. Rollover features automatically collect and update information based on what was collected into the system in past efforts. This speeds up the evidence collection process and can condense your renewal timeline greatly.  

2. Consider a Multi-Year Bundle 

Oftentimes auditors will offer a multi-year bundle package, allowing you to pay upfront for a certain number of SOC 2 renewals. It’s a great way to save money in the long run — and plan your budget ahead of time. With a multi-year bundle, you lock into a certain price per renewal. Otherwise, renewal prices may increase year over year as your business scales and the economy changes. 

At A-LIGN, we offer a three-year bundle package for customers. The bundle includes access to our SOC 2 certified experts, as well as use of our compliance automation software, A-SCEND, which streamlines the audit process for your team. With A-SCEND, you’ll have access to automated readiness assessments, automated evidence collection, continuous monitoring, policy center, and more, making your audit process more efficient.  

3. Allocate Internal Resources 

Continuity on the auditor side is great — as is continuity within your organization. It’s helpful to utilize the same internal resources each year (when possible) to manage the SOC 2 audit and renewal process.  

The initial SOC 2 review process requires a lot of heavy lifting. But subsequent years tend to be more efficient because your team has a better understanding of what is required based on the prior year. Each year gets easier and the more consistency you can create within your internal SOC 2 leads, the better.  

Renew Your SOC 2 with A-LIGN 

A-LIGN is the top issuer of SOC 2 reports in the world. We combine industry expertise and a leading compliance automation software platform to make the SOC 2 audit and renewal process seamless for your team.  

Contact us today to speak to a SOC 2 expert about the SOC 2 renewal process and our multi-year bundle options.