SOC 1, SOC 2, and SOC 3 Reports: Type 1, Type 2 or Readiness Assessment?

SOC reports are gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC compliance, and independent cybersecurity control validation and attestation are becoming necessary to compete for high-priority contracts. Beyond customer demand, SOC reports ensure that controls are properly implemented and used within your organization, greatly reducing potential security threats.
For organizations seeking a SOC 1, SOC 2, or SOC 3 report, there are two attestation options available: Type 1 and Type 2. Additionally, a readiness assessment can be performed to prepare your organization for the attestation.
With so many options, what type is best for your organization to prove compliance? Our experienced assessors break down the differences between SOC 1, SOC 2 and SOC 3 so the path to compliance is clear. We then dive into the various types of SOC reports: Type 1, Type 2 and a readiness assessment.
SOC 1 Report
A SOC 1 report follows the guidance outlined in the Statement on Standards for Attestation Agreements, which focuses on the internal controls that have an impact on the financially relevant systems and reporting. The main goal of a SOC 1 report is to ensure the controls identified by the organization are in place and/or operating effectively to appropriately address the risk of inaccurately reporting financials.
SOC 2 Report
A SOC 2 report highlights the controls in place that protect and secure an organization’s system or services used by its customers. Unlike a SOC 1, the scope of a SOC 2 examination extends beyond the systems that have a financial impact, reaching all systems and tools used in support of the organization’s system or services. The security of your environment is evaluated against the requirements of a SOC 2 examination, known as the Trust Services Criteria (TSC). The TSC are published by the American Institute of Certified Public Accountants (AICPA) and consist of five categories:
- Common Criteria/Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
SOC 3 Report
A SOC 3 report is coupled with a SOC 2 report and is a scaled-down version of the SOC 2 report. The report is intended for a broader public audience including prospective customers and stakeholders. The SOC 2 report provides greater detail regarding the organization’s controls and operations. A SOC 3 report is effectively a summary of the SOC 2 report that provides less technical information, making it suitable for an organization to share publicly on its website or to hand out to prospective customers.
Readiness Assessment
A readiness assessment measures your organization’s level of preparedness for a Type 1 or Type 2 assessment. Used for internal purposes, this assessment provides your organization with a greater understanding of the demands of a SOC audit. The deliverables include a listing of your current controls, as well as identification of recommendations that should be implemented to enhance your environment prior to the full assessment.
We recommend completing our SOC Readiness Checklist before undergoing a readiness assessment to see how close your organization is to meeting the requirements for a SOC audit. Regardless of your results, you will have a clear understanding of whether you are ready to move forward with a SOC examination or should continue to prepare.
A readiness assessment allows you to save time and resources by truly being prepared for your SOC examination. While you cannot technically “fail” a SOC examination, your report opinion can be noted as “modified” or “qualified”, which may result in a negative perception by your executive team and stakeholders.
SOC Type 1 Report
With a SOC Type 1 report, your organization’s controls are assessed at a specific point in time. This report acts as a snapshot of your environment to determine and demonstrate if the controls are suitably designed and in place. For example, we will take a sample terminated employee and confirm that their access was properly revoked and documented via a ticketing system.
A Type 1 report has the following characteristics:
- Description of your organization’s system as a whole
- Assesses the design of your organization’s internal controls
- Tests a specific point in time
A Type 1 report does not evaluate how effective your controls are over an extended period of time, because it only looks at the controls as they exist on that given date.
SOC Type 2 Report
For a SOC Type 2 report, your organization’s controls are assessed over a period of time, typically a twelve-month review period. Unlike Type 1, a Type 2 report acts as a historical review of your environment to determine and demonstrate if the controls are suitably designed and in place, as well as operating effectively over time. The audit process will include sample testing within the review period to determine if your organization’s controls are operating effectively. For instance, we will take a sample of employees from the population of terminated personnel and confirm that their access was properly revoked and documented via the ticketing system during the agreed-upon review period.
A Type 2 report has the following characteristics:
- Description of your organization’s system as a whole
- Assesses the design of your organization’s controls, as well as their operating effectiveness
- Focuses on a period of time in which the controls are operating
- Features detailed descriptions of the auditor’s tests and test results of the controls
Since a Type 2 report is more granular and comprehensive than a Type 1 report, it often provides your clients with a higher level of assurance. In today’s cybersecurity landscape, it’s commonplace for vendors, partners or customers to request that your organization earn a SOC 2 report as the cost of doing business.
Evaluate Your Compliance
As a licensed SOC 1 and SOC 2 auditing firm with more than 20 years of experience, and as one of the top SOC 2 report issuers in the world, A-LIGN has the people, process, and platform you need to help your organization reach any of your compliance needs.
ISO 27001 for Remote Work: Changes and Updates for Certification
In the past few years, many businesses have shifted to a hybrid or fully remote environment. While this has become a necessity for many, there are security risks to consider when taking a business remote. Organizations may lack visibility into the security of home networks and must be extra cautious with Bring-Your-Own-Device (BYOD) practices; these are just two examples of areas that require increased security attention.
It’s no wonder that information security is top of mind for many leaders at organizations that have shifted to remote work. As such, it’s more important than ever to ensure you have an ISO 27001 certification that confirms your information security management practices are up to snuff and your company is able to protect important information and data.
If you already received an ISO/IEC 27001 certification, but recently made changes to the physical environment in which employees work, you may be wondering if you need to update that certification. The short answer? Yes.
Below, we’re answering some commonly asked questions about this process.
If my organization is now remote, do we need a new ISO 27001 certificate?
Yes. Organizations that switched to a remote work environment need to update ISO 27001 certificates to reflect any locations or operations that are new or no longer relevant to their business.
How do I get an updated certification?
At A-LIGN (an accredited ISO 27001 certification body), we’ve made this process as simple as possible. If your organization has recently gone remote, you’ll need to submit an updated application letter to our team. This letter should outline the scope and all locations relevant to your business and the relevant activities performed at each of those locations.
We will then review the updated application letter and confirm that all activities listed are still within the scope of your certification. The experts at A-LIGN will look for any relevant changes to your business and confirm if any of your operations — for example, products or software developed — have shifted. We’ll review and confirm any physical environment changes as well.
Pro tip: Even if you are classified as a fully remote company you will still need an address on file to identify your company moving forward. A P.O. Box is fine for this identifier.
What about hybrid workplaces?
Although we’re specifically talking about companies that are fully remote, this process also applies to businesses that have undergone headcount changes, switched to a hybrid environment, or added or removed certain office locations. This is also relevant for companies that have updated the location of their headquarters — something we’ve seen many organizations do during the COVID-19 pandemic as leases have expired and less expensive cities beckon.
Will the audit process change for remote companies?
The ISO 27001 certification process itself will look a bit different for remote companies. Typically, audits include a physical walkthrough of relevant locations, where auditors can assess the operations in-person. This obviously hasn’t been easy to achieve throughout the pandemic; in fact, our experts conducted audits remotely to protect the safety and well-being of our employees and yours.
Regardless of how the audit takes place, remote businesses are still beholden to all of the control domains within the ISO 27001 standard. Many remote customers have asked us about Annex A.11, specifically. Some of the controls within this section reference the physical and environmental security of a business, with a goal to prevent unauthorized access or damage to information processing facilities (think: physical security perimeters around buildings and data centers, entry controls, access credentials, etc.). While those specific controls won’t be relevant for a fully remote business, Annex A.11 at large will still be part of the audit process. Remote businesses are still beholden to all other controls listed within this Annex, such as equipment maintenance and protection.
Receive an ISO 27001 Certification
A-LIGN is an experienced certification body that has helped many organizations update their ISO 27001 certificate to reflect remote and hybrid work environments during this ongoing global pandemic. Our goal is to help you ensure that the integrity of your Information Security Management System remains intact, regardless of where your employees choose to work.
Get started by downloading our ISO 27001 checklist.
In the world of cybersecurity, there are two widely popular cybersecurity assessments that verify an organization’s ability to protect information and mitigate risk: SOC 2 (System and Organization Controls) and ISO/IEC 27001:2013 (International Organization for Standardization/International Electrotechnical Commission).
For many organizations, it can be difficult to separate the nuanced differences between the two and decide which is the most beneficial to pursue. While both have their distinct differences, it’s important to note first and foremost that both of these are hugely beneficial to any business.
Watch on-demand webinar: Elevate Your Security Posture with SOC 2 & ISO 27001.
ISO 27001 and SOC 2 both demonstrate a level of commitment to cybersecurity practices that is essential to monitor and prevent risk (and the detrimental impacts of security breaches) within any organization. Both a SOC 2 report and ISO 27001 certification are extremely attractive to prospective customers. In fact, more and more customers are requiring that vendors become ISO 27001 certified or obtain a SOC 2 report as part of the due diligence process.
While both of these assessments provide a similar end result, there are a few differences in the assessments themselves. Check out the four main differences below to evaluate which assessment is right for your business.
1. Certification vs. attestation
A certification is what many people picture when they think about the end result of a compliance audit. Since certifications are issued by a third-party entity, they enhance trust in an organization’s compliance with certain rules or standards. ISO 27001 certifications are issued by certification bodies and bear the accreditation body’s mark and the IAF seal. ISO 27001 certifications can easily be verified in the vendor management process through the issuing certification body.
Though you will often see the term “SOC 2 certification,” that statement isn’t really accurate. A SOC 2 is an audit resulting in an attestation report which proves compliance. In an attestation report, the third-party assessor documents a conclusion about the reliability of a written statement for which the organization being assessed is held responsible.
2. ISMS vs. Trust Services Criteria
Certification vs attestation is not the only difference between the two assessments. The structure of each is also different at its core, though there is a lot of overlap in the security controls themselves.
ISO 27001 focuses on the development and maintenance of an Information Security Management System (ISMS). This is an overarching method of managing data protection practices. In order to achieve an ISO 27001 certification, organizations are required to implement all of clauses 4-10 and the 114 controls within the framework (those that are relevant to the particular organization) across the scope of their ISMS. The end result is a pass or fail of the audit. You would need to successfully implement, maintain and continually improve the management system in order to achieve an ISO 27001 certification.
SOC 2 is structured around five Trust Services Criteria (TSC): Security, Availability, Confidentiality, Processing Integrity, and Privacy. For a SOC 2 audit, organizations can pick and choose which criteria they’d like to have evaluated (though the Security criteria are mandatory for all organizations). Instead of a pass/fail audit like ISO 27001, the organization’s auditors issue an opinion based on the design and operating effectiveness of the controls in place for each chosen Trust Services Criteria.
Companies are provided with a comprehensive SOC 2 report, which can be more than 100 pages in length. The report details how well an organization meets the control requirements within the evaluated criteria groups, based on the opinion of the expert who conducts the audit. It’s significantly more detailed than the one-page letter that proves an ISO 27001 certification, which can be very attractive to customers who want a higher level of detail and assurance about their partner’s cybersecurity posture.
One other key difference between ISO 27001 and SOC 2 is that SOC 2 offers two different levels of attestation reports. A SOC 2 Type 1 report attests to an organization’s security posture at a single point in time, whereas a Type 2 report attests to the design and effectiveness of controls over a defined period of time (usually between 3 and 12 months). Organizations can choose to pursue one or both of these reports.
3. Global reach
ISO 27001 is an international standard that is used as the principal cybersecurity standard throughout the world. SOC 2, on the other hand, was designed by the American Institute of Certified Public Accountants (AICPA). As such, it’s particularly favored in the U.S. and most large or well-known U.S.-based customers will require their vendors to supply a completed SOC 2 audit. Although SOC 2 is an American-born standard, it’s gaining traction in places like Europe — especially as more European companies look to do business with U.S.-based companies.
When evaluating which assessment is right for your business, consider your current customer base and your plans to expand globally in the future. And keep in mind that it’s not a matter of one or the other. Many organizations pursue both paths, as compliance with one standard positions your company well to successfully comply with or complete the other.
4. Certifying bodies and renewal timelines
SOC 2 and ISO 27001 both require an independent third party to attest to an organization’s ability to meet the requirements within the guidelines. For SOC 2, this attestation is carried out by a licensed CPA firm. Both a Type 1 and a Type 2 SOC 2 report are considered valid within the industry for 12 months from the report date. ISO 27001 certifications must be carried out by an accredited ISO 27001 certification body. ISO 27001 certificates are valid for a three-year period with annual surveillance audits.
Benefits of pursuing both SOC 2 and ISO 27001
While both assessments have their own unique set of benefits, conducting both SOC 2 and ISO 27001 assessments can help organizations demonstrate a commitment to cybersecurity risk management and provide assurance to their customers and stakeholders that they have implemented effective controls to protect their data.
SOC 2 audits ensure secure data management and privacy protection, while ISO 27001 certification showcases a commitment to data protection.
Combining the two frameworks also helps organizations identify gaps in their cybersecurity management and develop a comprehensive approach to managing risks. Ultimately, conducting both SOC 2 and ISO 27001 assessments has great value and can help organizations build trust, differentiate themselves from the competition, and win new business.
ISO 27001 or SOC 2 with A‑LIGN
Some companies — like A-LIGN — hold the ability to carry out both audits. A-LIGN is an accredited ISO 27001 certification body, a licensed CPA firm and the top issuer of SOC 2 reports in the world. In addition to providing the final certificate or attestation for ISO 27001 and SOC 2, A-LIGN also provides readiness assessments and pre-assessments to ensure your organization is ready to pursue either audit. These assessments simulate the assessment process to determine whether your organization has any gaps that may need remediation, or opportunities to improve processes, before a final audit takes place.
HITRUST CSF v9.6 Enhances the Controls and Streamlines Audit Process
Learn how HITRUST v9.6 enhances the controls, such as NIST 800-53 and CMMC, while helping assessors more easily identify the controls that need to be tested. A-LIGN’s Healthcare and Financial Services Knowledge Leader, Blaise Wabo, explains why you should select v9.6 when pursuing a HITRUST certification.
Since 2007, the HITRUST CSF has been recognized as a well-rounded and certifiable security framework for organizations of all sizes and industries. With the new CSF v9.6 update, HITRUST continues to demonstrate its value for any organization by enhancing several areas of the controls and MyCSF portal so assessors can more easily identify what controls need to be tested and can locate the most updated frameworks.
Let’s look closer at what HITRUST v9.6 includes and what enhancements were made to the CSF and MyCSF portal.
Going Back to the Beginning
The HIPAA Safe Harbor Bill, signed into law on January 5, 2021, by former President Trump, changed the cybersecurity industry in a big way. If your organization processes Electronic Protected Health Information (ePHI) or Personally Identifiable Information (PII), you could be the target of a cybersecurity breach and therefore an OCR audit. If this situation occurs, the HIPAA Safe Harbor Bill covers you and acts as a layer of protection for your organization if you have a cybersecurity program in place.
HITRUST CSF is one of the most reliable ways to demonstrate HIPAA compliance. For this reason, the HITRUST CSF is often utilized, and sometimes required, by organizations in the healthcare industry.
What is the HITRUST CSF?
The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA, PCI DSS, GDPR, and more into one comprehensive system, the HITRUST CSF streamlines the audit process by assessing once and reporting against many framework requirements. Because of this benefit, and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.
What enhancements were made to HITRUST CSF v9.6?
According to the HITRUST advisory, three enhancements were made in v9.6 to the CSF controls, all of which help to update the framework with the newest compliance standards.
1. Even though HITRUST is based on the NIST 800-53 framework, it has never been an assessment option to select as a regulatory factor. By adding NIST 800-53 revision 4 as a selectable compliance factor, HITRUST is updating the mapping. HITRUST is also changing language and further defining the illustrative procedures to provide guidance to the assessment firm on how to test against the updated requirement statements. Note that if an organization selects the i1 assessment, it would have to use the latest version of the CSF, i.e., v9.6.
2. With the release of HITRUST i1, a scoping exercise to determine controls is no longer needed. All organizations evaluated against the i1 standards will be measured on the same static control list.
3. HITRUST also made minor updates throughout the controls and standards to correct grammar, modify wording and correct mapping issues.
What enhancements were made to the MyCSF portal?
An additional three enhancements were made in v9.6 to the MyCSF portal, all of which aim to further streamline the assessment process for auditors.
1. CMMC Compliance Factor
With the CMMC certification still coming to fruition, the standard path and control verbiage will be evolving. Every time CMMC makes an update to the standard, HITRUST will highlight the outdated versions with an orange flag to show the line item is no longer valid. Only the most recent version of CMMC will not have the flag.
2. Illustrative Procedure Enhancements
In the past, the ‘Illustrative Procedure for Policy’ description has been in a long paragraph format. HITRUST has shortened the format to a more concise numbered list, making the information easier for assessors to understand. HITRUST has also broken ‘Illustrative Procedure for Implemented’ into a numbered list and added guidance to the assessor firm on how to score the control. For example, if three items fall under a section, each would be assigned a weighted value of 33.33% for coverage. If all items were met, the assessor would score the client 100% in this control.
3. Sampling Badge
The requirement view within MyCSF now contains a badge for items that require the assessor to select a sample of items to test. The assessor will no longer need to read a long paragraph to learn if the sample testing is required, but rather have a visual indicator to quickly understand what testing is needed.
The A-LIGN Difference
We encourage all covered entities and business associates pursuing a HITRUST CSF assessment to select HITRUST v9.6 if they would like to add NIST 800-53 as a regulatory factor, or if they would like to perform a HITRUST i1 Assessment vs. an r2 Assessment. A-LIGN’s experience and commitment to quality have helped more than 300 clients successfully achieve HITRUST certification. Our diligent audit process helps you prepare for the HITRUST assessment, and our team of HITRUST experts is here to answer any questions you might have through every step of the assessment.
Download our HITRUST checklist now!
Why Transparency is the Future of the Payment Industry
The payments industry is going through a significant evolution, one that started to gain momentum over the past few decades. Preferred payment methodologies changed drastically from check to credit card to digital payment, which ultimately raised the importance of payment security. Needless to say, achieving compliance with PCI DSS industry requirements is critical to the success of an organization and critical in helping that organization maintain trust with their partners and customers.
When gaps are discovered in a PCI DSS assessment, what does an organization do? What steps does it need to follow to achieve compliance? And how are organizations monitored to ensure the gaps are effectively addressed?
The short answer: compensating controls. Compensating controls are what we see most organizations leverage to address control gaps during an assessment. Compensating controls, however, lack transparency. After all, there are no guidelines or requirements for an organization to disclose specifics around any gaps within the attestation, or anything that would clearly indicate an organization leveraged compensating controls as a corrective measure.
This is one of the primary reasons we believe a shift is coming to the payments industry, and the future of the industry is one that will be rooted in transparency and accountability.
To understand the impact this potential change will have, let’s explore how organizations have historically leveraged compensating controls and how increasing transparency has the potential to change the industry for the better.
What Are Compensating Controls?
The PCI Council explains compensating controls “may be considered when an entity cannot meet a requirement explicitly as stated due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.”
Basically, compensating controls currently provide organizations with an alternate way to achieve industry requirements when they are otherwise unable to do so. Compensating controls are great, in theory, given they allow organizations some flexibility to address legitimate constraints that prevent them from meeting a control as stated, while also ensuring there are adequate controls in place to mitigate the risk of not having the original control in place as it was stated in the standards. In addition, they have allowed organizations to put a corrective action into place to address issues and prevent a “non-compliant” report. This has helped merchants avoid non-compliance fees and has helped service providers avoid damaging a customer’s trust, which could result in customer churn.
However, compensating controls have been overutilized, and primarily used in a way they weren’t technically designed for. It’s why we at A-LIGN believe that the industry relying on compensating controls to address gaps in an organization’s (particularly a service provider’s) PCI compliance efforts is a bad practice for two primary reasons: they cover up underlying issues that may need to be addressed, and the service provider’s clients are kept in the dark that there were control gaps.
The Weakest Link: People Processes
One way in which compensating controls are misused is their broad application to cover flawed processes within an organization. We see compensating controls come into play often with things like vulnerability scanning and semi-annual firewall reviews. These are relatively simple and straightforward processes. Often, it’s not the scanning or technology reviewed that is missing the mark — it’s a problem with the related people processes and specifically a lack of both oversight and accountability. The people who are supposed to manage these processes and ensure they get done are not properly trained or monitored.
The people processes that lie behind the steps to maintain PCI compliance throughout the year can easily be overlooked. Organizations don’t take the time to ensure these people processes are properly in place. Instead, they rush to implement a compensating control to cover the issue. But this only remedies a symptom, it doesn’t cure the illness.
Customer Confusion
Compensating controls are also not properly reported to customers. Many times, customers are left unaware that control gaps exist, or they only know that an organization utilized a compensating control but don’t have the details of the “why” behind its use. This is because PCI DSS standards, as they currently exist, do not require any specifics around compensating controls or corrective actions to be disclosed to a partner or customer. There is no process that requires an organization to be transparent about compliance issues or gaps they need to correct.
As a result, a customer of a service provider is unaware they could be working with an organization that lacks a necessary security requirement or the proper people processes to maintain a given requirement, opening them up to increased risk. And there’s little urgency in many situations for the organization to address those issues.
Transparency is the Way
We believe more transparency in reporting will raise the caliber of organizations within the industry. Organizations will feel a greater sense of urgency and commitment to fix underlying issues and mature their compliance programs if issues are promptly documented and reported via an attestation report.
After all, transparency often comes with a healthy side of accountability. Organizations are more likely to address various issues when their customers are made aware of the compliance gaps they’ve uncovered and corrected. This signals the potential for a significant shift of power, where customers have the ability to hold organizations accountable for their actions. Ultimately, that’s the fastest way to drive change and ensure organizations prioritize bettering their compliance programs.
How A-LIGN Can Help
Partnering with a trusted PCI DSS Qualified Security Assessor Company (QSAC), like A-LIGN, gives organizations peace-of-mind knowing they’re working with an audit partner that is focused on helping them meet their organization’s compliance needs. From helping set reminders to stay on track with PCI DSS timelines to conducting regular segmentation testing and vulnerability scans, A-LIGN can help your organization recognize ways to enhance the maturity of your processes to achieve and maintain PCI DSS compliance, so you can be confidently transparent.
With the recent unveiling of CMMC 2.0, the expanded presence of StateRAMP, and new FedRAMP advisory guidelines for external servers, it’s safe to say that 2022 has a lot in store for Federal compliance changes. Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, had a chance to sit down and discuss the latest news in federal compliance and what it could mean for your organization. Let’s dive in and get their thoughts on the latest CMMC 2.0 introduction, the new FedRAMP authorization boundary guidance, StateRAMP and more!
CMMC 2.0
Like everyone else in the world of federal compliance, A-LIGN and Anitian have been closely tracking the Cybersecurity Maturity Model Certification (CMMC) since the U.S. Department of Defense (DoD) shared its initial draft of the model in early 2020. With the release of CMMC 2.0, three major changes were recently announced: fewer security tiers, removing some third-party assessment requirements, and allowance for “Plan of Action & Milestone” reports.
Fewer Security Tiers
The initial CMMC draft established five tiers of cybersecurity requirements for contractors. The tier with which a contractor needs to comply is based on the types of data they work with to execute federal contracts. With CMMC 2.0 there are now only three security tiers:
- CMMC Levels 2 and 4 from the original framework are eliminated along with all maturity level processes.
- Level 1 Foundational: Includes the same 17 controls outlined in the original CMMC framework, but now only requires an annual self-assessment and affirmation by company leadership.
- Level 2 Advanced: Pares down the 130 controls in the original CMMC Level 3 baseline to the 110 controls outlined in NIST 800-171. The DoD is working on a process that will identify “prioritized acquisitions” that must undergo an independent assessment against the new Level 2 Advanced requirements on a triannual basis. All other organizations will only be required to perform an annual self-assessment and company affirmation.
- Level 3 Expert: This level will replace what was formerly known as CMMC Level 5. Details of this level are still being defined. It is expected that this level will incorporate a subset of controls from NIST SP 800-172.
Removing Some Third-Party Assessment Requirements
Under CMMC 2.0, Level 1 contractors will no longer be required to obtain a third-party certification. Instead, they will follow a self-assessment protocol which can significantly reduce the cost of compliance for many contractors. These self-assessments will require an annual affirmation by company leadership. The same changes apply to Level 2 assessment requirements; third-party assessments will only be required for companies supporting the highest priority programs.
Even with this change, to ensure compliance and avoid any significant penalties, we recommend you hire a third-party assessor to complete your CMMC certification.
“Plan of Action and Milestones” (POA&Ms) Reports
The DoD made the decision to allow POA&M reports in specific cases. These reports allow contractors to pass an assessment even if they do not currently meet every required security control, provided their report properly outlines a plan of action and deadlines to meet the outstanding controls.
“I have three words: Totally clean assessment,” said Emily. “We would all love to have them but in my eight years of working in this industry, I’ve never once seen a zero-finding assessment. With the release of CMMC 2.0, there is now the ability for an exception; where a finding is documented and tracked within the Plan of Action and Milestones (POA&M). This change makes CMMC certification much more achievable and realistic for the supply chain industry.”
Agreeing with Emily, Tony adds: “In the past, if we ever saw a system or report with zero findings, it would be a huge red flag and prompt us to dig much deeper. A completely clean company would raise suspicions.” With CMMC 2.0, POA&Ms will allow six months from the time the C3PAO completes the assessment to remediate any issues. The DoD has yet to determine if any of the practices will be considered “showstoppers” if non-compliant.
FedRAMP
FedRAMP strengthened the Federal government’s ‘cloud first’ initiative by enabling federal agencies to contract with approved cloud providers who were best equipped to protect vital government information. FedRAMP has officially posted their new authorization boundary guidance under “draft”, but it is essentially in effect for all the CSPs, C3PAO and stakeholders.
“The biggest impact is that nonfederal authorized external services that store, process, transmit federal data and metadata aren’t going to be acceptable for FedRAMP operating status with a user-ready assessment report,” said Tony.
With FedRAMP High, organizations were never able to connect to an external service that didn’t also earn FedRAMP High ATO. “In the past, as long as the organization had other authorizations, they could build a use case for why they are using an unauthorized external service,” said Emily. “This will no longer be allowed as organizations can now only connect to FedRAMP authorized services.”
FedRAMP recently released a document that clearly defines metadata as all-around data that can be ‘traced or linked back to’. “FedRAMP will want to see the peripheral attachments, systems, or equipment that isn’t necessary for the operation of that system that you’re selling to the government, but can play a significant role if it’s used,” said Tony. “You should contact your 3PAO, like A-LIGN, or cloud security experts, like Anitian, for clarification and guidance for your organization’s specific situation.”
StateRAMP
As cyberattack attempts carried out against state and local governments continue to become more prevalent, government agencies are in dire need of a way to modernize and systematize their cybersecurity practices — especially regarding cloud technologies. That’s where the State Risk and Authorization Management Program (StateRAMP) comes in. StateRAMP is essentially a nonprofit FedRAMP at the local level, based on the NIST framework.
“I think StateRAMP is going to find their success with CSPs struggling to locate a sponsoring agency,” said Emily. “Reciprocity will occur but for those struggling to find the federal sponsorship and shy away from the FedRAMP JAB business requirements, StateRAMP will be a great solution.”
Tony added: “StateRAMP doesn’t have to occur at the formal state CIO level on down. StateRAMP is for any city government, county government, or state agency that wants to participate in this program. There are some states that are accepting this certification at a holistic level, like Arizona and Texas. For those companies that have an existing FedRAMP authorization, there is a reciprocity down to the StateRAMP level; they would review your FedRAMP package and issue an equivalent status.”
What’s Next?
Compliance certifications are continuously evolving and rightfully so. “It’s necessary for compliance frameworks to grow in order to keep up with federal’s changing threat landscape,” said Tony. “Your organization needs partners and technology that understand the requirements and can provide insight into CMMC, FedRAMP and StateRAMP throughout all phases of the assessment.”
“Oftentimes organizations feel that security certifications are a large lift, but the right partner and technology solution can greatly help your organization when preparing and going through the assessment process,” said Emily. Together, A-LIGN and Anitian can help organizations achieve CMMC 2.0 certification, FedRAMP Ready and/or FedRAMP Authorized status, and StateRAMP Authorized status, from application security through to certification.
If you have any questions or if you would like to learn more about undergoing a CMMC, FedRAMP, or StateRAMP assessment, please reach out to one of A-LIGN’s experienced assessors at [email protected] or 1-888-702-5446. To discover how Anitian offers the fastest path to security and compliance for cloud applications, please complete a form or call 1-888-264-8426.
During the COVID-19 pandemic, the need for a solid business continuity management plan was put on full display. Practically overnight, many businesses had to move to a full remote state and stand up new systems, processes, and security measures to ensure business could run “as usual.”
But a global pandemic isn’t the only thing that changes the way a business operates — extreme weather conditions may knock out server access, a technical hiccup could disrupt a department’s ability to access files, or a high-ranking member of the executive team could leave their job. All of these conditions could cause disruption and as such, organizations must have contingency plans in place to deal with any issues that arise.
It’s time for organizations to make sure they implement a Business Continuity Management System (BCMS). As the name suggests, a BCMS is a management system that helps organizations plan for disruptions and ensure that critical business functions remain running in the event of an emergency.
ISO 22301 Offers a Solution
As it has done with other information security and privacy management best practices, the International Organization for Standardization (ISO) created a framework and certification process for BCMSs, called ISO 22301:2019 (ISO 22301). ISO 22301 was originally introduced in 2012 (minor updates were later introduced in 2019) with the goal of helping organizations prevent, minimize, and recover from disruptive incidents without incurring financial and reputational penalties to their business.
ISO 22301 certification is of particular interest to businesses with data centers, employees, or offices in multiple locations throughout the world. These businesses have a lot of “what if” scenarios to manage on a day-to-day basis. For example, one data center might be situated in an area that’s prone to hurricanes and a disruption to that data center could reverberate across the entire global organization. In this case, it’s extremely important that considerations for every location — not just the location of the data center — are included in a business continuity plan.
Additionally, organizations that are data center providers, offer infrastructure as a service (IaaS), or offer their customers the equipment or tools needed to run their business, are all prime examples of organizations that would rely on a BCMS to mitigate risk and would want an ISO 22301 certification.
Why Should Organizations Seek Certification?
There are many benefits to pursuing an ISO 22301 certification. As an internationally recognized framework, ISO 22301 gives organizations the opportunity to provide peace of mind to their customers. With an ISO 22301 certificate in hand, organizations can show customers that they are a reliable business partner who will be able to restore operations in a timely manner should something happen.
Internally, a proper BCMS gives an organization a sense of potential vulnerabilities and outlines steps to reduce downtime should an emergency occur. A BCMS is a single place to organize all potential vulnerabilities across locations, and file plans for each “what if” scenario.
The Most Important Elements of ISO 22301
What exactly does ISO 22301 include? The standard looks at a variety of areas within your organization — including leadership resources, operations in place to reduce the likelihood of incidents, and more. The major clauses of the standard are as follows:
- Clause 5: Leadership — Ensures appropriate management and resources are provided to support a business continuity plan.
- Clause 6: Planning — Looks at an organization’s ability to identify risks related to its operations and the locations in which it operates.
- Clause 7: Support — Ensures staff are available in the event of an emergency, and that they are aware of their role in assisting the organization during such a time. This clause also covers the communication procedures in place to notify customers of any issues when an incident occurs.
- Clause 8: Operations — Focuses on identifying necessary procedures to avoid or reduce the likelihood of incidents and steps to be taken when incidents occur.
- Clause 9: Evaluation — Covers how an organization will evaluate performance against its plan with appropriate metrics.
- Clause 10: Improvement — Defines actions an organization will take to continually improve its business continuity plan as corrective actions arise from audits, reviews, and exercises.
The Certification Process
Though it’s clear how a BCMS could benefit any organization, too many businesses still fail to plan ahead and only consider these issues in the midst of a crisis. There’s a better option. Gaining an ISO 22301 certification allows your organization to rest easy knowing that plans are in place to secure critical business functions in times of need.
A-LIGN is an accredited certification partner and can guide you through every step of the ISO certification process. The process is separated into two stages and generally takes about six to eight weeks to complete. During Stage 1, the ISO experts at A-LIGN will review information about your business processes and operations, as well as the equipment and software that’s currently in place, the levels of control that have been established, and other regulatory requirements. In Stage 2, A-LIGN experts will evaluate the implementation and effectiveness of your BCMS to ensure it aligns with the ISO requirements and that all key performance objectives are being properly measured.
Once an ISO 22301 certificate is issued, it is valid for three years. Throughout that time, A-LIGN will provide subsequent surveillance audits to ensure the BCMS is up-to-date and continues to cover the full scope of operations as your business grows and evolves. In addition to servicing companies that are new to the ISO 22301 process, A-LIGN is also able to guide organizations that were previously certified using the original 2012 standard as they update their certification to comply with 2019 updates.
How European Companies Can Best Market Compliance Programs
Is your organisation getting maximum value from its compliance program? Each compliance report or certification you possess is more than just a document — it’s an affirmation to your customers, prospects, and partners that your company understands the importance of cybersecurity and is fully capable of safeguarding sensitive information.
To spread the word about the assessments that have been completed and what they actually mean, your organisation needs to identify and leverage all available opportunities to market your compliance program and drive new revenue into the business.
Whereas companies in the U.S. — especially in the tech industry — can be quite enthusiastic about promoting their various certifications and achievements, organisations in Europe tend to be a bit more subdued when it comes to compliance marketing. Read on to explore the top tips you should be using to market your unique competitive advantage: compliance.
Publish a Press Release
The press release is a cornerstone piece of compliance marketing material that is used to announce your organisation’s achievement in successfully completing a cybersecurity assessment. Whether it’s produced by the marketing department, a public relations firm, or written yourself, all compliance-related press releases should be brief (roughly 300-400 words) and get straight to the point.
Each press release will focus on one main idea. When strategising for a release, ask yourself, “What is the key takeaway for readers?” Write your answer down as a statement and use that assertion as the backbone of the writeup. For example, that statement might be, “We have successfully obtained a SOC 2 report, proving our commitment to protecting customers’ information and expanding the business on a global scale.”
While press releases are formal announcements intended to share breaking news about your company, that doesn’t mean they have to be boring or confined strictly to the minutiae of official names and dates. Talk about your accomplishment without using technical jargon and try to answer any questions that the average reader might have, such as:
- Why did your business conduct this assessment?
- What are the key impacts or benefits?
- Does it change the way your customers do business with you?
- How does the certification or report reinforce your company values?
Flavour your press release with direct quotes from your senior management as well as your auditor. Ultimately, you want all the facts surrounding the assessment to be placed in the context of how your customers and partners will benefit.
Pro tip: When writing, include the most important information at the top of the press release. If the reader stops after the first paragraph, this writing structure ensures they have still acquired the key message.
Update Your Website
Because your company’s website serves as an “always-on” marketing tool, it needs to effectively communicate your compliance achievements. Showcasing these credentials on your website shows that you take cybersecurity seriously and can be trusted with different types of information.
While some documents like a SOC 3 report are intended to be shared publicly, most compliance reports are reserved for situations where a non-disclosure agreement (NDA) is in place. That’s why updating your website often entails adding social proof (such as certification badges) to indicate that you have completed certain assessments without revealing all the sensitive details.
You can also use your website to host educational materials about the security principles and policies behind different assessments as well as your organisation’s unique philosophy on information security and privacy.
Supercharge Sales Enablement
Another valuable use case for compliance reports and certifications is sales collateral. In marketing parlance, sales enablement materials can be considered more “bottom of the funnel” compared to press releases and educational resources because they can be directly tied to deals closed and revenue earned.
Compliance reports allow your sales team to build trusting relationships by bridging audit requirements and the prospect’s organisational needs. Identify people on your sales team who are willing to experiment with new techniques and work with them to identify how your cybersecurity assessments could be used to give your company a competitive advantage. Ask questions like:
- Do our customers ever ask us to fill out a security questionnaire?
- At what point in the sales process do we typically position our technical strengths?
- What teams and job titles care about security the most?
- Which of our competitors have not gone through the audit process that we could call attention to?
From these conversations your marketing and sales teams can work together to drill down specific language about the benefits of compliance to use across emails, phone calls, and enablement content. While your plan will depend on the specific needs of your organisation, here are some examples of sales materials you might consider:
- Battlecard: This is a single, comprehensive resource that salespeople can use to articulate various details about the report, as well as guidance for handling common questions or objections that may arise. This may take the form of a one-pager within an internal training system, a printed resource that gets delivered to each member of the sales team, or even just a list of bullet points that is distributed via email.
- Presentation slides: Your sales team likely has a standard presentation deck they use when meeting with customers. Help them put together a few slides to include in the presentation that display your report and include high-level information about what it means and why it is valuable. Be sure to include information about the independent auditor you used to pass the assessment.
- Proposal template: Include a reference to your audit report in your standard proposal template. Because this document is a culmination of all your strongest selling points combined with the financial proposal that is sent to the customer, it’s a great place to give a concise statement on how you take your customers’ security seriously.
Leverage Your Community and Partners
For maximum reach, look beyond your own website and marketing channels to distribute messaging about your organisation’s compliance achievements. This might include opportunities like guest blogs, webinar speaking engagements, engaging on social media, or getting a piece of your content placed in an industry newsletter.
The key to this type of marketing is to avoid being self-promotional — instead, focus on the compliance benefits your organisation has realised and why other businesses would want to replicate your success. Many companies have not been through the cybersecurity audit process and may feel overwhelmed when approaching such an endeavour for the first time. By strategically sharing the high-level knowledge you’ve acquired, you can establish key figures in your organisation as thought leaders in this area, which increases recognition of your business as a symbol of compliance excellence in your industry.
Some of the security professionals you have on staff have likely picked up compliance best practices from their peers at other companies. Giving back to the community and sharing your story is a great way to establish your reputation as a champion of compliance for everyone.
Building Trusting Relationships Through Compliance Marketing
Effective compliance program marketing is all about nurturing relationships of trust with your customers, prospects, and partners. In many ways, the work of passing the assessment is the hard part. Now all you must do is strategise about how you will let people know, “Look what we did!” Hopefully the tips listed above will help put you on the right path to devising a compliance marketing strategy that is well-suited to your organisation.
If you are looking to review your organisation’s entire information security program to identify areas where a new assessment would have the greatest impact, A-LIGN can help.
Approaching Cybersecurity With a Tactical Mindset
With a threat landscape that is constantly evolving, cybersecurity can’t be something you set up and ignore. To keep your organization safe, and to stay compliant with required industry regulations and standards, you need to approach cybersecurity with a tactical mindset, one that positions it as a planned and proactive — not reactive — component of your business strategy.
The Threat Landscape Today
Think of it this way: Your entire network infrastructure is a battlefield and your job is to protect it from threats, both internal and external. To do this most effectively, you need to always be thinking one step ahead to prepare for what could happen next, in conjunction with keeping up with the current threat landscape.
Why? Because threat actors will keep doing what works well, shifting their tactics to make it look like a new attack. For example:
- Phishing — A few years ago, spearphishing and whaling attacks were popular. Though they haven’t gone away, the approach has shifted with regard to both the target and the delivery channel. Today, threat actors target disgruntled employees with the intention of stealing credentials to gain access to insider information. And sometimes, threat actors leverage social media to launch phishing attacks, as well.
- Familiar Attack Vectors with New Targets — Like they do with phishing attacks, threat actors know where organizations are most vulnerable. Though they continue to use the same attack vectors, they are changing targets, like SMBs instead of enterprises, or lower-level employees instead of leadership.
- Ransomware — Ransomware increased by 151% in the first six months of 2021 compared to the same timeframe in 2020. Ransomware has grown in popularity partly because threat actors are taking advantage of remote workers and hybrid infrastructure models. Threat actors are also making it easier for others to run attacks as a result of increased use of the cloud. In fact, there has been an increasing amount of material online that makes running ransomware attacks easier.
- Third Parties — Today’s interconnected world has allowed for greater partnerships across organizations. But this also means that one company’s cybersecurity incident can also become yours. Though an organization’s partners and vendors may have their cybersecurity systems and protocols in place (something that should be vetted before signing a contract), the organization itself also needs to keep current with their own cybersecurity efforts. This extends to compliance with government and industry regulations. Each third party related to your organization enlarges your threat landscape and increases your risk of a compliance violation.
Protecting Your Organization With a Tactical Mindset
To avoid these attacks, pay close attention to what’s happening on your network. Areas you think are secured might, in fact, be your biggest vulnerability. The last thing you want to do is be tricked by a threat actor. Remember, cybersecurity should be proactive, with emphasis on active.
So how can you approach cybersecurity in a more strategic way?
Develop and Implement a Framework
Consider leveraging an acceptable framework, like NIST, to establish strong cybersecurity controls to help manage and reduce cybersecurity risk. MITRE’s D3FEND framework also helps organizations understand how others were hacked to provide insight to recognize threat patterns before you become victim to a cybersecurity incident. This insight can also provide organizations with a better understanding of their own cybersecurity posture.
Hire Ethical Hackers and Pen Testers
The best way to know where your organization’s vulnerabilities are is to hack your own network. You’ll want to hire someone who understands a variety of frameworks and architectures, an ethical hacker who can discover vulnerabilities before malicious actors get the chance. As you consider who could be a fit for this role, don’t limit yourself to looking at experience alone. After all, the purpose of testing the network is to harden your security posture; this can only be done effectively when someone is thinking one step ahead to test how well prepared you really are to prevent a cybersecurity incident. Hire someone who embodies a tactical mindset.
Check the Logs
Another component of the tactical mindset for cybersecurity is to check the logs. Though checking logs may be boring to some, it is one of the most important tasks in an effective cybersecurity strategy. If you don’t know what your logs should look like, you won’t be able to identify anomalies.
To that point, if you find there are a lot of errors in your logs, it could signal a clandestine attack or some other nefarious activity. Small events, anomalies, or user-experienced issues can be the first sign of something bad brewing. Typically, “breadcrumbs” are left during an attack but hidden in plain sight, so always pay attention to the logs, as they can provide clues to invisible or unexpected security events. Even if you have tools that alert on positive hits, you still need to check the logs regularly.
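The section above says you cannot spot anomalies until you know what your logs normally look like, and that a run of errors is a breadcrumb worth chasing. The script below is an added example, not A-LIGN’s code: it builds a baseline failure rate from one ordinary day of constructed sshd-style login lines, then flags days whose error rate spikes above that baseline, sources that fail in bursts, and the case most worth a closer look, a burst of failures followed by a success from the same address. The log format, addresses and user names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple


class LoginEvent(NamedTuple):
    ts: datetime
    ok: bool      # True for "Accepted", False for "Failed"
    user: str
    src: str


# Constructed sshd-style lines (not real data): one ordinary day that sets the
# baseline, then a day with a burst of failures from one address and a success.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Accepted password for alice from 10.0.0.5
2024-03-01T09:05:12 sshd[102]: Failed password for alice from 10.0.0.5
2024-03-01T09:05:20 sshd[103]: Accepted password for alice from 10.0.0.5
2024-03-01T11:30:44 sshd[104]: Accepted password for bob from 10.0.0.7
2024-03-01T15:12:30 sshd[105]: Accepted password for bob from 10.0.0.7
2024-03-02T02:14:01 sshd[201]: Failed password for root from 203.0.113.9
2024-03-02T02:14:02 sshd[202]: Failed password for admin from 203.0.113.9
2024-03-02T02:14:03 sshd[203]: Failed password for alice from 203.0.113.9
2024-03-02T02:14:04 sshd[204]: Failed password for bob from 203.0.113.9
2024-03-02T02:14:05 sshd[205]: Failed password for test from 203.0.113.9
2024-03-02T02:14:06 sshd[206]: Failed password for alice from 203.0.113.9
2024-03-02T02:14:09 sshd[207]: Accepted password for alice from 203.0.113.9
2024-03-02T09:01:00 sshd[208]: Accepted password for alice from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one line; lines in an unknown format return None instead of raising."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LoginEvent(datetime.fromisoformat(m["ts"]), m["result"] == "Accepted",
                      m["user"], m["src"])


def parse_log(text: str):
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def failure_rate(events):
    """Share of login attempts that failed: the number that says what 'normal' looks like."""
    if not events:
        return 0.0
    return sum(1 for ev in events if not ev.ok) / len(events)


def find_anomalies(events, baseline_rate, spike_factor=3.0, burst_threshold=5):
    """Return findings that deviate from the baseline, in day order:
    - error_rate_spike: a day's failure rate exceeds spike_factor x the baseline
    - failure_burst: one source address fails more than burst_threshold times in a day
    - success_after_burst: that source then logs in successfully after the burst
    """
    by_day = defaultdict(list)
    for ev in events:
        by_day[ev.ts.date().isoformat()].append(ev)
    findings = []
    for day, day_events in sorted(by_day.items()):
        rate = failure_rate(day_events)
        if rate > spike_factor * baseline_rate:
            findings.append({"kind": "error_rate_spike", "day": day, "src": "*",
                             "detail": round(rate, 2)})
        by_src = defaultdict(list)
        for ev in day_events:
            by_src[ev.src].append(ev)
        for src, src_events in sorted(by_src.items()):
            fails = [ev for ev in src_events if not ev.ok]
            if len(fails) <= burst_threshold:
                continue
            findings.append({"kind": "failure_burst", "day": day, "src": src,
                             "detail": len(fails)})
            last_fail = max(ev.ts for ev in fails)
            later_ok = [ev for ev in src_events if ev.ok and ev.ts > last_fail]
            if later_ok:
                findings.append({"kind": "success_after_burst", "day": day, "src": src,
                                 "detail": later_ok[0].user})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    # Baseline from the quiet day only; in practice use a longer known-good window.
    baseline = failure_rate([ev for ev in evs if ev.ts.date().isoformat() == "2024-03-01"])
    for finding in find_anomalies(evs, baseline):
        print(finding)
```

The thresholds are deliberately simple; the point is that the same three checks are only meaningful once the baseline has been measured from your own logs rather than guessed.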
Adopt a Zero Trust Approach
Implementing a zero trust architecture is considered, by many, to be the best way to lessen the threat surface for your organization. Zero trust is a collection of concepts and ideas that are designed with the principle of least privilege for information systems. Basically, it’s about restricting access to resources to only the people who need them. Every time a user wants to access specific data or a specific resource, the user will need to authenticate and prove who they are.
The restriction around privileges is intentional. A zero-trust architecture applies zero trust principles to workflows and is designed on the assumption that the internal network is already compromised by various threats.
Though this can present a unique mental hurdle for many organizations — especially since most people assume an internal network is protected — zero trust, combined with a strong framework, provides an organization with a more strategic approach to cybersecurity.
Tighten Up Your Cybersecurity
A tactical mindset requires an organization to always be alert. It’s about knowing your infrastructure, the devices connected to the network, how they communicate, the characteristics of your data, and who has data access.
Building a culture of proactive cybersecurity, complete with set policies, best practices, and user security awareness training, positions your organization to be better prepared for when a cybersecurity incident occurs.