How to Share Your Cybersecurity Assessment with Your Professional Community
A-LIGN’s SVP of Marketing, Brian Gladstein, has been sharing ideas and best practices for getting the word out about your cybersecurity assessment. As the final post in this series, Brian discusses sharing your cybersecurity assessment with your professional community and how to promote your commitment to their security.
Recently I’ve been sharing ideas and best practices for getting the word out about your cybersecurity assessment, and how your SOC 2 report, ISO 27001/27701 assessment, or FedRAMP certification can demonstrate to customers and business partners the commitment you make to their security. If you’ve been following along, you first learned how to announce your cybersecurity assessment with a press release. Then, we talked about how to best feature this assessment on your website and next we dove into how to win more deals by arming sales with your assessment. If you haven’t been following along, take a few minutes to check these articles out!
As my final post in this series, I would like to share with you one more method – perhaps the most rewarding method because it’s the most personal. It’s time to talk about sharing your cybersecurity assessment with your professional community.
Why should I share our assessment with my professional community?
At first you might think, why would I do that? What you may not realize is that not everyone has been through the cybersecurity audit process. Many members of your community may be new to the idea, unsure of where to start and feeling a bit overwhelmed. Audits can be intimidating. Chances are, you learned a lot during this process – and others starting down the path will no doubt benefit from the wisdom you’ve acquired.
As security professionals, we are all eager to learn, improve and do better. Since you’ve successfully navigated an assessment, you now have something to contribute to not only your community but conversations occurring on social platforms, like LinkedIn or Twitter.
I’d go so far as to say: it’s your obligation to contribute and teach others what you’ve learned. That’s what we do in cyber.
Talk about your security program, without actually talking about your security program.
I’ve been in the cybersecurity industry for a long time and, as a marketer always trying to get customers to provide a testimonial or participate in a case study, one hard reality about the security industry is that people are extremely hesitant to talk about their security program publicly. It’s understandable because of the inherent risks associated with sharing too much information. Why give an advantage to the adversary? If you disclose, for example, what products you use, you might open yourself up to an attack from a hacker who has an exploit for that particular product. It can be scary stuff.
This overarching concern sometimes does a disservice to the cybersecurity community because people may not share important lessons learned that can actually make a difference. That’s where your assessment opens a door.
Your assessment gives you a way to talk about your security program without actually talking about your security program. Use your cybersecurity assessment to publicly discuss controls, best practices, policies, incident response, problems you’ve solved, and more. In the context of the report, you find a rich supply of information and a way to discuss it that doesn’t require the disclosure of sensitive information or how you are operating your security apparatus.
You get to share important lessons learned in a safe way – it’s a win/win for everyone.
Cybersecurity professionals: Detectives, problem solvers, heroes
Listen, defenders need to work together. We are stronger when we do.
The bad guys are working together – there’s an entire dark economy out there of malware, exploits and botnets that can be assembled to execute attack after attack. Smart defenders know that to protect against these coordinated, complex threats, we need to do the same thing on our end.
By nature, security professionals want to share their intel, knowledge and best practices with each other – it’s what we do! As a cybersecurity professional, you are a detective, a problem solver, a hero. Get out there and tell your story. Your community needs to know and we will all be better for it!
Four practical ways to share your cybersecurity assessment
There are a number of ways to share your security assessment with your community. Here are four that come to mind:
- Speak to other professionals, one on one. Discuss what you learned during your assessment, where your gaps were and how you addressed the gaps. Answer questions that people are asking individually. You’ll quickly learn what to say and what not to say so you keep sensitive information to yourself, while still passing on your knowledge.
- Give a talk at a local chapter meeting of ISACA, (ISC)2, OWASP, or any other regional security meetup. It’s a safe setting where people gather to learn directly from each other and hey, it’s what members are there for. Lay out some of the core elements of your security program and how you and your auditor worked together to provide assurance.
- Microblog on social media. LinkedIn and Twitter are great places to drop little pieces of your story and lessons learned. You’ll help others and build your own reputation while creating buzz for your company.
- Apply for speaking engagements and ‘calls for papers’ at larger conferences. You may have a story that lots of people want to hear, and events like Black Hat and the RSA Conference are great venues for just that. Don’t feel comfortable taking the stage alone? Find a trusted vendor and they will almost certainly help you create slides, tell your story, and network with people at the event.
As a cybersecurity professional, you are on the front lines protecting information, protecting our families, protecting our businesses. Your assessment report demonstrates that you are doing the right things, and there are thousands of people out there who can benefit from your knowledge. Get out there and tell your story. And as always, if you need help, give me a shout!
HITRUST vs. HIPAA: Which Is Right for My Organization?
When researching regulations and requirements in the healthcare industry, many organizations come across both HITRUST and HIPAA. As a result, they may ask themselves: “What are the differences between HITRUST vs HIPAA and which should I choose?”
It’s not an apples-to-apples comparison. Here’s why:
- HIPAA is a U.S. law that includes a set of safeguards that covered entities and business associates must follow to protect health information.
- HITRUST is a certifiable security and privacy framework with a list of prescriptive controls/requirements that can be used to demonstrate HIPAA compliance. HITRUST has also been mapped against over 40 other standards, such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Federal Information Security Modernization Act (FISMA), PCI DSS, and ISO 27001, that could be added to the scope of the HITRUST certification.
Trying to determine if HITRUST or HIPAA is better for your organization is actually the wrong question. Instead, ask yourself, “What is the best method for demonstrating HIPAA compliance within my organization?”
Let’s look a little closer at HITRUST vs HIPAA and why you might choose the HITRUST CSF as a means to achieve HIPAA compliance.
What is HIPAA?
HIPAA is a U.S. federal statute signed into law by President Clinton in 1996. In addition to giving workers the ability to carry forward health insurance coverage between jobs, HIPAA defines requirements that covered entities (i.e., health plan providers, healthcare providers, and healthcare clearinghouses) and their business associates must follow to protect patient information.
These information security and privacy requirements are defined according to three rules:
- The HIPAA Privacy Rule: Sets national standards for when patients’ protected health information (PHI) may be used and disclosed.
- The HIPAA Security Rule: Outlines measures that covered entities and business associates must take to protect patients’ electronic protected health information (ePHI).
- The HIPAA Breach Notification Rule: Requires that covered entities notify affected individuals, the U.S. Department of Health and Human Services (HHS), and the media in the event of an information breach.
Important updates to HIPAA
Recently there have been several important updates related to HIPAA that are worth noting. One is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act was signed into law on February 17, 2009 by President Obama. The HITECH Act encourages the use of electronic health records (EHR) by providing financial incentives for healthcare organizations that can prove they have implemented EHR. The HITECH Act also allows for more severe penalties to be levied against covered entities and their business associates for HIPAA noncompliance.
Another important update to HIPAA, the HIPAA Safe Harbor Bill, was signed into law on January 5, 2021 by President Trump. This law amends the HITECH Act so that the HHS and the Office of Civil Rights (OCR) must recognize and encourage security best practices for HIPAA compliance. Specifically, HIPAA Safe Harbor reduces financial penalties and the length of compliance inspections for covered entities and business associates that can prove they’ve had “recognized security practices” in place for at least one year.
How can an organization prove HIPAA compliance?
Though HIPAA requires organizations to conduct annual self-audits, it does not provide an official framework or methodology for verifying compliance with the law.
So how can an organization prove HIPAA compliance? There are two primary frameworks we recommend for organizations that handle PHI to maintain compliance with HIPAA regulations:
- A System and Organization Controls (SOC) 2 examination + HIPAA - This allows an organization to examine the necessary safeguards in order to validate HIPAA compliance. The organization going through the examination develops management’s controls to address the proper safeguards. A SOC 2+HIPAA examination can only be performed by a Certified Public Accounting (CPA) firm.
- HITRUST CSF - This is a comprehensive security and privacy framework that can be used to certify HIPAA compliance, as well as other standards and regulatory requirements. Unlike SOC 2, the HITRUST CSF specifies the prescriptive controls that must be in place to achieve HIPAA compliance based on the organization’s risk factors. In addition, the HITRUST CSF certification is the only official certification that proves HIPAA compliance.
What is HITRUST and HITRUST CSF?
HITRUST was founded in 2007 to help healthcare organizations better manage information security systems and protect their data. HITRUST is perhaps most well known for developing the HITRUST CSF, described above, which is used by thousands of organizations around the world to efficiently manage regulatory compliance and risk management.
The HITRUST CSF was originally tailored for the health industry, but with the release of CSF 9.2 in January of 2019, it transitioned to better align with other existing international privacy frameworks by adopting a more industry-agnostic approach. Prior to 2019, every HITRUST CSF examination included HIPAA compliance by default, but now it is an optional regulatory factor that must be selected as part of an assessment.
Regardless, HITRUST CSF remains one of the premier security frameworks used to demonstrate HIPAA compliance. HITRUST has even released official documentation demonstrating that the HITRUST CSF meets all the requirements outlined in the HIPAA Safe Harbor Law.
The HITRUST CSF “assess once, report many” approach also allows organizations to choose the frameworks and controls they want to initially be tested against and add more in the future if they choose.
Why choose HITRUST for HIPAA compliance?
When not contractually obligated to use the HITRUST CSF, some organizations opt for SOC 2+HIPAA or a self-assessment because of the higher cost and somewhat significant time and resource requirements of HITRUST CSF.
However, there are benefits to leaning on HITRUST CSF for HIPAA compliance. Because of its strict and prescriptive nature, the HITRUST CSF has established itself as a gold standard for organizations to demonstrate they have the necessary controls in place for data protection.
Additionally, leveraging HITRUST CSF includes other benefits, such as:
- Extended duration: Organizations have a two-year certification with the HITRUST CSF, compared to SOC 2 validation which requires annual completion.
- Social proof: The HITRUST CSF has developed a widespread positive reputation for compliance.
- Easy adoption of additional regulatory standards, because the framework is comprehensive, scalable and flexible: The HITRUST CSF has mapped controls to more than 40 standards across various industries worldwide and, with a dedicated research team that is specifically tasked with mapping security frameworks, can quickly get up to speed on any new laws and regulations.
As a growing number of privacy laws continue to roll out internationally, HITRUST CSF will likely continue to expand and map to new legislation. In fact, the HITRUST research team mapped the General Data Protection Regulation (GDPR) within six months, and HITRUST has applied to become the premier certification body for GDPR. This is also why organizations in industries such as travel and hospitality, utilities, energy, etc., are adopting HITRUST.
HITRUST vs. HIPAA: Asking the right question
As mentioned before, asking if the HITRUST CSF or HIPAA is better for your organization isn’t the right question. The more appropriate question is, “What is the best option for demonstrating HIPAA compliance within my organization?”
HITRUST CSF is one reliable way to achieve HIPAA compliance. In fact, it is the only way to become officially certified in HIPAA compliance. For this reason, the HITRUST CSF is often utilized and sometimes required by organizations in the healthcare industry.
If you’re preparing your organization to be HIPAA compliant, HITRUST CSF certification may be a valuable investment.
ISO 27701 is the first certification for privacy. By combining ISO 27701 and ISO 27001, organizations can build trust, prepare for privacy regulations, and more.
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) issue many guidelines and frameworks for organizations. These can range from cybersecurity readiness to business continuity standards and beyond.
In 2019, ISO expanded ISO/IEC 27001:2013 (ISO 27001), a popular and longstanding cybersecurity framework, with ISO/IEC 27701:2019 (ISO 27701), a new standard focused on creating a Privacy Information Management System (PIMS). The standard has generated excitement in the compliance world, as it is the first certification for privacy. In other words, ISO 27701 is the first way an organization can actually be certified by a third party for its privacy controls, rather than merely demonstrating compliance with standards and regulations.
However, ISO 27701 is not a standalone standard. Rather, the original ISO 27001 cybersecurity framework serves as a foundational chassis, and organizations can add on additional ISO standards, such as ISO 27701, that work well for the specifics of their business.
Organizations may wonder: what are the benefits of combining ISO 27701 and ISO 27001?
We will walk through five key benefits of adding the new ISO 27701 standard onto the core ISO 27001 framework.
1. Builds Trust with External Stakeholders
Today, much of our personal lives and our work happen on the internet, whether through applications, websites, or other form factors. Everyone is concerned about their personally identifiable information (PII), and no one wants it to fall into the wrong hands. Each year there are data breaches that raise new security and privacy concerns. Consent, transparency, and security are more important than ever.
As privacy concerns continue to grow amongst regulators and consumers alike, organizations are increasingly interested in improving their privacy policies and offering proof that they take privacy seriously. While there are many cybersecurity frameworks covering data privacy, none of them provide a dedicated privacy certification. Organizations can demonstrate compliance; however, they don’t get an official certification from a governing body.
ISO 27701 is the first certification for privacy.
For organizations, having a certification for privacy can help build trust with partners, vendors, customers, and other stakeholders. Having ISO 27701, in combination with the internationally-respected ISO 27001 framework, demonstrates your organization’s commitment to privacy. Organizations that hold an ISO 27701 certification must undergo surveillance audits each year, so your external stakeholders can feel confident that your organization is executing against best practices in accordance with ISO standards with a formal PIMS in place.
Organizations are recognizing the value of ISO 27701 and ISO 27001. For example, Microsoft accepts ISO 27701 and ISO 27001 in place of its own Supplier Security and Privacy Assurance (SSPA) program requirements. This demonstrates Microsoft’s strong trust in ISO’s frameworks and in ISO 27701’s privacy controls and data protection measures in particular.
2. Strategically Certify Parts of Your Business
Data moves through organizations in different ways depending on multiple factors. No two organizations are quite the same, and in some situations, the same organization can be both the controller and the processor of PII simultaneously.
Some of the factors influencing an organization’s status as a controller and/or processor can include:
- Industry (or industries) served
- Business model, such as software-as-a-service (SaaS)
- Regional or international presence
- Partnerships and subcontractor relationships
- And more
However, because an organization may be both a controller and a processor of data at the same time, their data may not be subject to the same controls, depending on how it intersects with specific business activities.
ISO 27701 is beneficial because it can be applied only to specific portions of an organization. In other words, an organization can carve out compliance as a controller or a processor of data—it does not have to get a blanket certification for the entire business. This is helpful for organizations with complex business models, where different sets of data may or may not require the same controls, include PII, etc.
This feature differentiates ISO 27701 from regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which apply to the entire organization. In these laws and regulations, the organization as a whole must be compliant, regardless of the type of data or the organization’s role in generating, storing, or working with the data. ISO 27701 also differs from other standards, such as ISO 27018, which is an unaccredited standard and only applies to privacy in a public cloud — a much narrower range of applications.
Together, ISO 27001 and ISO 27701 enable organizations to strategically certify the portions of their business that require the strictest privacy protection.
3. Supports Several Privacy Laws and Regulations
As noted, privacy is a growing concern for regulators and consumers alike. The rise of new privacy laws and regulations has forced organizations to think differently about their privacy programs.
In fact, our recent 2021 Compliance Survey Report found that 48% of organizations claimed privacy regulations generated extra work. This rise is also making organizations more aware of the controls they need: 35% said they needed a higher level of cybersecurity controls.
ISO 27701 maps against several key privacy regulations, which enables companies to more easily and strategically meet key regulations.
For example:
- ISO 27701 and the GDPR: ISO 27701’s privacy controls can help an organization demonstrate compliance with certain aspects of the GDPR, though it is not a GDPR certification. However, ISO 27701 does map to this landmark regulation in several ways. For example, the GDPR includes certain Articles that can be mapped back to the roles, responsibilities, and controls put forth in ISO 27701.
- ISO 27701 and CCPA: Enacted by the state of California in the U.S., the CCPA includes articles and language very similar to the GDPR, which has become the gold standard on which many up-and-coming privacy regulations are based. ISO 27701 doesn’t specifically map directly to the CCPA. However, due to the law’s similarities to the GDPR, ISO 27701 can help organizations comply with the controls and requirements of the CCPA.
For organizations working to comply with GDPR, CCPA, or other privacy regulations and laws, ISO 27701 and ISO 27001 provide the scaffolding to build a strong compliance program. Again, it is not a replacement for any of these privacy laws and regulations, and it does not guarantee compliance. However, it can help your organization build an information security management system (ISMS) and a PIMS that can meet some of the requirements of the GDPR, CCPA, and others.
4. Integrates with Your Existing Audit
Many organizations are completing numerous audits every year — in fact, our 2021 Compliance Benchmark Survey also found that 85% of respondents conduct more than one audit each year. With a busy slate, the last thing anyone wants is more audits and assessments.
Because ISO 27701 only exists in tandem with ISO 27001, the standard does not add significantly to the auditing process. Organizations with ISO 27001 in place can simply integrate ISO 27701 into their existing ISO audit and assessment.
For organizations looking to complete the core ISO 27001 framework for the first time, adding ISO 27701 is not a huge undertaking. It can be worked into the overall process of creating an ISMS, collecting the necessary evidence, and assigning responsibilities to key personnel.
5. Grows with Your Organization
As organizations grow, the type of data processed may expand and can result in additional compliance obligations. For example, fast-growing organizations may:
- Expand to new geographic areas
- Bring on new partners, vendors, or subcontractors
- Drive business in new industries or sectors (some of which may include PII and be highly regulated, such as healthcare)
- Work with distributed teams across countries
- And more
Meeting cybersecurity and privacy requirements is an ongoing process that can be made easier by building a framework that can be expanded as regulatory requirements continue to evolve.
Having a PIMS in place is an excellent way to ensure your organization has a defined management system that can adapt to new cybersecurity and privacy obligations. As new workstreams start up, regulations come into play, and data enters the company, you will already have the framework needed to handle everything smoothly. Together, ISO 27701 and ISO 27001 create that framework to handle increasingly complex compliance requirements.
ISO 27701 and ISO 27001: Better Together
ISO 27701 and ISO 27001 represent a powerful package with many benefits to organizations. With the underlying framework of ISO 27001 creating a strong ISMS and ISO 27701 ensuring a certifiable commitment to privacy controls, organizations can clearly demonstrate their maturity relative to cybersecurity and privacy. This can give peace of mind to stakeholders such as customers and vendors. Enhance your privacy by combining ISO 27701 and ISO 27001, and continue your compliance journey.
How to Win More Deals by Arming Sales With Your Cybersecurity Assessment
Your sales team is one of the most powerful tools you have to get the word out about your cybersecurity assessment. A-LIGN’s SVP of Marketing, Brian Gladstein, describes how to arm them with your audit report and teach them how to use it so they can win more frequently and close more deals.
In this post, I’ll continue to explore ways of getting the word out about your cybersecurity assessment – SOC 2, ISO 27001, HITRUST, FedRAMP, or any of the others – once that report has been delivered. Third-party cybersecurity assurance is fundamental in ensuring that businesses can trust each other when it comes to sensitive data or private information. So if you aren’t including your final report as part of your sales and marketing efforts, it’s almost as if you never completed it in the first place.
So far we’ve talked about announcing your assessment with a press release and featuring your audit report on your website. Those are both very important steps, but they don’t necessarily deliver your report to a prospect at exactly the time it’s needed – nor are they able to relate the audit to the specific nature of the business partner sitting across the table from you. For that, you need to turn to one of the most powerful tools you have in your arsenal – your sales team.
Your sellers are on the phone and in email, having one-on-one conversations with customers every day. They shape the discussion and frame the competition. They provide compelling answers to specific questions with finesse. If your cybersecurity assessment is a weapon, your sales team is the army that can most effectively wield it.
Don’t “Throw It Over the Wall”
Sales people are generally creatures of habit. They look for signals of success in the relationships they maintain and rely on proven patterns to drive opportunities forward and ultimately close deals. That can make it difficult to introduce something new to your sales team, especially if they don’t instinctively know how to use it and where it fits.
I’ve spent most of my career as a marketer working closely with sales, and I’ve learned over and over again (sometimes painfully) that the best way to ensure your new materials are ignored is to “throw it over the wall” to sales. So don’t do that.
Instead, you need to work hand-in-hand with your counterparts in sales. Understand the process they go through and how they use various tools at their disposal to overcome challenges and objections. What you will likely find is that there are a few places where your assessment can easily fit into their process. I’ll get into the most likely candidates below – but the point is that by understanding their needs, and fitting into their workflow, you can make it easy for them.
Work With Sellers to Understand What They Need
In most sales teams you’ll find a few individuals who love to experiment and try new things. It can be hard to change the behavior of a full team, but if you lock arms with these scrappy sellers and get a couple of successful examples under your belt, the rest of the team will look to duplicate those patterns and it’ll make adoption much easier.
Generally, it won’t be difficult to figure out who these team members are – just ask around. Once you do, grab some time with them, explain how a cybersecurity assessment can be used to put your competition at a disadvantage, and explore how they might use the report. Here are some questions to ask:
- Do customers ever require us to fill out a security questionnaire?
- When in the sales process do we normally position our technical strengths?
- At a typical customer, what roles care about security the most?
- Which competitors haven’t gone through their audit process – and how do we use our report against them?
Build Your Sales Enablement Plan and Materials
A productive conversation with those key sales reps should help you put together everything you need for enabling the rest of the team, including:
- Specific language that describes the report and its benefits that the sales team can use in emails, messages, and phone calls
- Where in the sales process a rep would most likely introduce the report
- An understanding of why the sales rep will benefit – for example, closing deals faster or winning more against a key competitor
From there, you’ll want to prepare your materials. The following items are a good example of what you might need, but obviously your plan will depend on the specific needs of your organization.
Messaging & Sales Tool: Capture all the relevant information into a single tool that sales can use. Include messaging that articulates how reps should describe the report, as well as ways to handle questions or objections that may come up. Include links to where they can download the report when needed, and your own contact information for when they need additional help.
Presentation Slide: Most sales teams have a standard presentation deck they use when meeting with customers. Prepare a slide to include in the presentation that displays your report and includes high-level information about the nature of the report and who your independent auditor is. Be sure to articulate the benefits to the customer – materials like this should always speak directly to what the customer cares about.
Sales Process: Help your sales team understand when and how to introduce your audit report by incorporating appropriate steps into their sales process. It’s not a bad idea to describe this in the sales tool you create (above). Most sales teams manage their process through a CRM that allows reps to access documents and trigger processes they need at exactly the right time on a customer-by-customer basis. If you have a Sales Operations team they should be able to help here.
Proposal Template: Finally, include a reference to your audit report in your standard proposal template. This single document tends to be the culmination of all your strong selling points combined with the actual financial proposal that goes out to the customer. It’s a great place to provide a succinct statement on how you take your customers’ security seriously.
Train the Team and Roll It Out
Take a few minutes in a weekly sales call to train the team. Show them where all the resources are, walk through the messaging and the process, and ask that pioneering sales rep who helped you understand the dynamics of the organization in the first place to help bridge the gap.
Once the team has been trained, check in with them every so often to see how it’s going. Make adjustments where needed and celebrate any wins in a public way to reinforce the value that your cybersecurity assessment provides.
Working with sales teams and playing a role in winning business can be exhilarating. I always love talking about this, and any other aspect of marketing your audit report. Contact us if you’d like to chat more!
CPRA vs. CCPA: What’s the Difference? 6 Key Changes to Understand
Less than one year after the CCPA took effect, California passed another consumer privacy law: the CPRA. Here are six changes to help you understand the differences between CPRA vs. CCPA.
In 2018, the state of California passed the California Consumer Privacy Act (CCPA), a landmark piece of legislation that secured several privacy rights for California consumers.
Just over a year later, in November 2020, Californians voted to approve Proposition 24, creating the California Privacy Rights Act (CPRA) of 2020. The CPRA can be thought of as a more comprehensive version of the CCPA, updating, modifying, and extending certain rules and stipulations to increase the rights of California consumers.
Wondering what the differences are between CPRA and CCPA?
We have highlighted six key differences that we’ll explore in this post. Read on to find out the impact the CPRA may have on your organization.
Difference #1: Updated Criteria for Qualifying as a Business
Under the CPRA, an organization qualifies as a business if it is a legal entity that is operated for profit, collects California consumers’ personal information (PI), determines the purposes and means of processing PI, and satisfies one or more of the following conditions:
(A) Has an annual gross revenue of over $25 million in the preceding calendar year
(B) Alone, or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households
(C) Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information
Most notably, the CPRA doubles the CCPA’s threshold criteria of 50,000 California consumers or households within condition B. It also expands the CCPA’s definition in criteria C, including annual revenue derived from sharing PI in addition to selling it.
Potential Impact
This change in criteria means that some small to midsize businesses that have to comply with the CCPA may not fall under the scope of the CPRA. Because the CPRA increases the number of consumers or households in criteria B (from 50,000 in the CCPA to 100,000 in the CPRA), the new law may actually reduce the number of businesses that qualify under that threshold. However, the inclusion of “sharing” related to deriving 50% or more of annual revenue from selling or sharing consumers’ personal information in criteria C may potentially increase the number of organizations that would qualify as a business under that threshold.
Difference #2: A New Category of Highly Protected Data
The CPRA introduces a new category of protected data: sensitive personal information (SPI). This concept is very similar to Article 9 of the General Data Protection Regulation (GDPR)—“Processing of special categories of personal data”—which calls for a greater level of data protection due to the sensitivity of the personal information. The addition of this new data category may require businesses to implement additional technical and operational controls to process such data and to limit the use and disclosure of SPI according to consumers’ rights under the CPRA.
The CPRA imposes specific requirements and restrictions on SPI, giving users expanded rights to control businesses’ use of their personal information. These new requirements include:
- Updated disclosure requirements
- Purpose limitation requirements
- Opt-out requirements for use and disclosure
- Opt-in consent requirements after a previously-selected Opt-out
Potential Impact
The introduction of SPI means that businesses, as defined by the CPRA above, must be especially vigilant to protect this class of data and respond accordingly when a consumer decides to opt out. If a business intends to process consumers’ SPI as defined within Sections 1798.121 and 1798.135 of the CPRA, then there are additional requirements that must be implemented. For example, businesses that store SPI must include a clear and conspicuous link on their websites titled “Limit the Use of My Sensitive Personal Information” that enables consumers to restrict the processing of their SPI.
Difference #3: New and Expanded Consumer Privacy Rights
There are five consumer privacy rights that are present in the CCPA that have been modified under the CPRA. These rights are:
- Right to Opt-Out of Third-Party Sales and Sharing: The CCPA allows consumers to opt out of businesses selling their data. The CPRA expands this right to include the sharing of personal information, in addition to selling. The CPRA defines sharing as “disclosing, disseminating, making available, transferring, … a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration …”
- Right to Know: The CCPA requires that businesses respond to consumer requests to know personal information that was collected within the prior 12 months. The CPRA extends this timeline, enabling consumers to potentially request personal information collected beyond the prior 12-month window under certain circumstances.
- Right to Delete: Through the CCPA, California consumers can request that a business delete their personal information if it is no longer needed to fulfill one of the purposes listed in Cal. Civ. Code Sec. 1798.105 (e.g., security needs, debugging). The CPRA will also require businesses to send the request to delete to third parties that have bought or received the consumer’s personal information so that all parties are aware that it must be deleted, subject to some exceptions.
- Right to Data Portability: The CCPA includes a “right to know”, which means that consumers have the right to receive a copy of their personal information by mail or electronically. Now, under the CPRA, a consumer can request that a business transfer specific personal information to another entity “to the extent technically feasible, in a structured, commonly used, machine-readable format.”
- Opt-In Rights for Minors: The use of minors’ data is a general concern within the law, and the CCPA requires that businesses obtain opt-in consent to sell the personal information of a California consumer under 16 years of age. The CPRA goes one step further, mandating that businesses wait 12 months before asking a minor consumer for consent in selling or sharing their personal information after the minor has declined. It also states that the opt-in right must explicitly include the sharing of data for cross-context behavioral advertising.
In addition to expanding several of the CCPA’s consumer privacy rights, the CPRA also introduces four brand-new consumer privacy rights that are not present in the CCPA:
- Right to Correct Information: A consumer has the right to request that a business correct any inaccurate personal information.
- Right to Limit Use and Disclosure of Sensitive PI: A consumer has the right to limit the use and disclosure of their SPI to that “use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services.”
- Right to Access Information About Automated Decision Making: A consumer has the right to request “meaningful information about the logic involved in those decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
- Right to Opt-Out of Automated Decision-Making Technology: A consumer has the right to opt out of being subject to automated decision-making processes, including profiling.
Potential Impact
Businesses must ensure that they are prepared to comply with the CPRA’s new and expanded consumer privacy rights. They will need to develop strong processes and controls to ensure they are both capable of and prepared to respond swiftly to consumer requests. Many businesses may need to make significant changes to their existing security and privacy-related controls, hire additional personnel, or contract third-party services to help them prepare for CPRA compliance.
Difference #4: Adoption of Select GDPR Principles
The GDPR has served as a template for many new privacy regulations, including the CPRA. For example, the GDPR enforces the concepts of data minimization, purpose limitation, and storage limitation. These principles are not included in the CCPA, but they are now codified as part of the CPRA:
- Data minimization: The requirement that “a business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”
- Purpose limitation: This requires that businesses “only collect consumer’s personal information for specific, explicit, and legitimate disclosed purposes, and should not further collect, use, or disclose consumer’s personal information for reasons incompatible with those purposes.”
- Storage limitation: This requirement addresses “the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
Potential Impact
By codifying these principles explicitly in the CPRA, California has authorized the state regulator to enforce, and potentially penalize, a business’s failure to 1) reasonably limit the collection of personal information to what is necessary for the purpose for which it was collected, and 2) limit the retention of personal information to the least amount of time necessary to fulfill the purpose for which it was collected.
Difference #5: Expansion of Legally Actionable Data in a Breach
Data breaches are a serious concern for businesses of all sizes. When a breach occurs, hackers can extract sensitive information, which puts both the business and consumers at risk. In the event a data breach occurs, the CCPA gives consumers the private right to take legal action if their nonencrypted or nonredacted personal information becomes exposed because a business failed to implement reasonable security procedures and practices appropriate to the nature of the information processed. While the CPRA does not explicitly alter this right, it does add consumer login credentials to the list of personal information categories that may be actionable under the law.
Potential Impact
Many organizations suffer as a result of a data breach, as hackers gain access to personal information and exfiltrate that data from the boundary of the system. The CPRA’s expansion of scope to include login credentials as a legally actionable personal information security breach may be a response to the wave of authentication hacks affecting consumers in recent years. In addition to more advanced layers of data encryption, many businesses may want to require multi-factor authentication as an additional security layer.
Difference #6: Creation of a New Privacy Enforcement Authority
The CCPA was originally enforced by the California Office of the Attorney General (OAG). The CPRA shifts this authority by establishing the California Privacy Protection Agency (CPPA) and granting it investigative, enforcement, and rulemaking powers.
Potential Impact
The CPPA’s outlined role in enforcing the CPRA is a notable change from the CCPA. The codification in Section 1798.199.10 provides instruction regarding the CPPA including, “[t]he agency shall be governed by a five-member board, including the chairperson. The chairperson and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.” It remains to be seen how this new agency will wield its authority, but we expect that we will see an increase in the number of investigations and enforcement actions taken by the CPPA.
Start Preparing for CPRA Compliance Today
Although the CPRA does not take full effect until January 1, 2023, organizations that do business in California should start laying the groundwork for CPRA compliance throughout the course of 2021 and 2022. If you currently have measures for CCPA in place, now is the time to perform a gap assessment based on the information available regarding the CPRA.
To prepare for the CPRA, organizations can take proactive steps such as:
- Conducting a data-mapping exercise to identify and document what PI will fall under the scope of the CPRA.
- Updating privacy notices to reflect the new and modified consumer privacy rights and related disclosure obligations.
- Reviewing downstream data-sharing practices and informing third parties that they may be required to comply with these new regulations.
By understanding the full scope of the CPRA and designing a thoughtful roadmap toward full compliance, companies can avoid the potential impacts of non-compliance once the CPRA is fully operative.
How to Feature Your Cybersecurity Assessment on Your Website
A cybersecurity assessment like a SOC 2 or an ISO 27001 certification is a statement about your commitment to protecting information. This post looks at examples of how leading companies give that report a permanent home on their websites and provides best practices so you can do the same.
A cybersecurity assessment like a SOC 2 examination or an ISO 27001 certification is much more than just a document – it’s a statement. Specifically, these reports communicate to your customers, prospects, and business partners that you take cybersecurity seriously, and you can be trusted with their sensitive information. So, it’s a great idea – in fact, a competitive advantage – to spread the word.
In my last post, I talked about that first step – announcing your assessment with a press release. But your report lives beyond that initial announcement, which means you need to give that report (or some form of it) a permanent home on your website where it can be accessed any time it’s needed. We’ll look at some real-world examples of how companies do just that.
Isn’t my compliance report a “need-to-know” document?
You might say, “My compliance report should only be given to a customer on a need-to-know basis after an NDA is signed. It’s too much information to put on a website.”
There’s a lot of truth to that – in a literal sense. Some documents are meant to be public (like a SOC 3 report, for example), but in general, compliance reports are reserved for specific situations where a non-disclosure agreement is in place. You may even find explicit instructions on what the report should be used for, such as the Restricted Use section of a SOC 2 report.
However, none of that precludes you from talking about the fact that you have completed cybersecurity assessments and discussing the security principles and policies behind them. Today’s companies, surrounded by a barrage of reports about breaches and data leaks, want to trust the companies they transact with. Your reports are the meaningful, widely accepted evidence that backs up your claims.
Let’s look at some examples
I think one of the best ways of understanding how you can feature your assessments on your website is to look at examples of some great companies who have done an excellent job at this. Let’s check out four.
Example 1: Snowflake
Snowflake is a fast-growing data platform company that made news in September 2020 as the largest-ever software IPO (SNOW). As a company that provides customers with a cloud-based data warehouse, you can imagine how important it is for Snowflake to demonstrate trust to all its business partners.
Snowflake has created a Security and Trust Center, with several different options for learning about various aspects of Snowflake’s approach to security throughout its platform, including a dedicated page listing its security and compliance reports. From here, a short description explains each report, with instructions on how to obtain them – specifically, acquiring an NDA and filling out a contact form. Note the following:
- Displays all its certification badges proudly across the main trust center page
- Includes simple, clear explanations of each of the certifications they go through
- Provides a straightforward process for requesting a report, conditioned on meeting specific criteria
Example 2: Salesforce
Salesforce, the original SaaS company, is the 800-pound gorilla when it comes to anything related to customer relationships. Those relationships are sacred, so obviously Salesforce needs to demonstrate to their customers how seriously they take security.
Salesforce has a much larger library of certification reports given the breadth of their business and has taken a more direct approach to presenting their certifications. Looking at their site, one might assume they expect visitors to know what they are looking for, so all the certifications are laid out in an easy-to-navigate grid form, with little additional context, so the user can drill down and get exactly what they need. Some observations:
- The Salesforce compliance center sits on its own domain: compliance.salesforce.com
- Each report is broken down by product, date, and infrastructure
- Access to most reports is protected with your Salesforce credentials
Example 3: Asana
Asana is a popular project management application – in fact, my marketing team here at A-LIGN depends on Asana for almost all our projects! Since Asana’s customers, like us, rely on the tool every day to coordinate teams and keep work moving, we need to know that our information is protected.
Asana’s approach is to communicate a message of trust to their customers. Personally, I’m a big fan of customer-focused messaging, and I appreciate how Asana has laid out their story. They place their certification badges at the bottom of their page, providing links to publicly accessible reports. In particular, they provide a link to their SOC 3 report, which as the AICPA states, is “designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report.” Some things to notice:
- Everything, including the URL asana.com/trust, speaks directly to their customer commitment
- They use clear language and graphics to explain their entire approach to security
- They focus on publicly available resources to instill confidence in their security program
Example 4: Freshworks
Finally, let’s check out Freshworks. Freshworks is an engagement platform for employees and customers, so like some of our other examples, it’s pretty clear why protecting information related to those groups is so important.
Freshworks has a very advanced Security Center on their website, with multiple pages for different audiences (customers and developers), a trust center, best practices, resources, and even an area for responsible disclosure. What I like most about their site is how thought-through it is, with so much information and such a high degree of transparency. In website terminology, we call this a microsite – an entire area devoted to one concept, with a defined purpose and its own navigation and structure. Here are some things worth pointing out:
- The microsite contains a rich FAQ area with answers to common questions
- It includes a breakdown of many of their security processes and how they impact different audiences
- They include a bug bounty hall of fame to promote responsible disclosure
Putting it all together
Hopefully these pages gave you some good ideas for how to use your compliance reports on your website. My biggest takeaways:
- Share your approach to security and relate it to your customers and business partners
- To whatever extent you are comfortable, be transparent with some of your core security and compliance processes
- Include some of the best practices you follow (encryption, penetration testing, etc.)
- Guide your visitors through the process of requesting a report
- Feature your auditor, as their credibility will translate to your customers
Compliance is all about the customer
When you put your cybersecurity attestations on your website, you can frame a message that’s all about your relationship with your customers. There’s plenty you can talk about without giving away the details of your security program to your customers, so finding that balance is important. And remember – most people don’t natively understand security, so be clear and simple in your language and explanations.
Most importantly, remember that your assurance program is an opportunity to engage in a dialogue with people who are interested in how you do business. It’s much more than just the document – it’s a representation of who you are as a business and how you treat your customers.
I’m always happy to speak with people about how to best market their cybersecurity attestations. If you are interested in a conversation, or anything A-LIGN has to offer, please drop us a line!
How to Announce Your Cybersecurity Assessment with a Press Release
You’ve just finished any one of the numerous cybersecurity assessments that are common today. Congratulations… but now what? A-LIGN’s SVP of Marketing, Brian Gladstein, describes some of the ways to leverage that final report and drive new revenue into your business, starting with a press release and an announcement plan.
You’ve just finished your SOC 2 examination, or received your HITRUST certification, or you’ve completed any one of the numerous cybersecurity assessments that are common today. Congratulations! It must feel good to have the project behind you… but now what? Turns out there are many ways to leverage that final report to help build trust with customers, strengthen your brand, and drive new revenue into your business.
I think it’s safe to say that most people involved in the audit process would not consider themselves “marketers”. In fact, for many, the very idea of self-promotion can be off-putting. But these days, cybersecurity assessments play a critical role in business. They generate trust with a future business partner or serve as a competitive differentiator that wins over a prospect. In this post I want to focus on how to announce your cybersecurity assessment report, and I’ll share some tips I’ve learned after 20 years marketing in the cybersecurity and high-tech industry.
So, whether you’ve got a marketing department or a PR firm writing press releases for you, or it’s something you’ve got to do yourself as an executive at a small business, I hope these pointers and specific examples below will help you get the biggest impact from your assessment report announcement.
Building a Plan
The heart of any announcement like this is the press release – and I’ll dig deep into what to include in that write-up shortly. But press releases don’t exist in a vacuum – you need to get people to read them – so before I write a press release I like to think of how I’m going to get the word out. There are a few easy ways to do this:
- Publish on the wire. There are a variety of wire services that distribute news reports to journalists and news organizations, for example newswire.com ($199 per press release) or Cision/PRWeb ($99-$389 per press release). Find the best fit for you if you don’t use a service already.
- Create a blog post. Press releases tend to have a formal writing style, but a blog post is your chance to make a more personal, human statement about how you take your customers’ security seriously. Be sure to link to the official press release you’ve published.
- Post on social media. Create a catchy graphic (Canva.com is always a great resource) and post about your report on social media. Ask employees to like and share – the increased engagement will help your post get more visibility.
- Email your customers. Don’t underestimate how important a short email announcing the report can be for your customers. Point them to your social media post and ask them to share with their own networks.
- Showcase your badge. Adding the certification or assessment badge to your website, email footers, and other marketing materials can be a quick and easy way to share the achievement with stakeholders. I’ll be sharing more tips on how to feature your certification on your website in an upcoming blog post – stay tuned!
Finally, for important customers and other critical business relationships, it might be worth picking up the phone or integrating the announcement into a regular customer success cadence – that all depends on the ins and outs of your specific business ecosystem.
Writing the Press Release
Let’s get to the writing. I’m not going to go through all the basics of writing and formatting a press release from scratch – there are a number of resources online for that such as this article from Forbes or this one from class:PR. Start with one of those templates and approach the press release as follows:
- Focus on one main idea. Before you put pen to paper, think about the one, single idea you want your readers to walk away with. You’ll undoubtedly ground the main idea in the news of your report, but you have the opportunity to go beyond just the facts here. Why did you conduct this? What does it mean for your customers? How does this report reinforce your company values? A good press release delivers one powerful message, and everything is written to reinforce that message. Start with the end in mind and you’ll end up with a strong press release.
Write your main idea down as a statement, for example:
- We have successfully completed our SOC 2 examination, demonstrating our commitment to protecting customers’ user profiles and personal information.
- We have successfully completed our FedRAMP certification, allowing us to serve a significant portion of the Federal market with our cloud-based product.
- We are proud to announce our HITRUST certification as part of our increased focus on third-party privacy and security across our vendor ecosystem.
- Create a clear, newsworthy headline and subheading. No one will read your press release unless they believe it’s interesting, and they determine that by scanning the headline and maybe the subheading. Take plenty of time to iterate on these first two phrases until you get something that stands out. Shorter is usually better, but don’t water it down too much. Get that main idea in there and drive it home.
Here’s an example that is a great place to start:
MyCompany Completes SOC 2 Type II Audit, Reinforcing Its Commitment to Data Security
Unqualified audit by independent firm provides assurance to cloud-based customers entrusting MyCompany with sensitive information.
- Get right to the point. If you’ve never heard the phrase “buried the lead,” it’s what happens when the important news is so far down in the article that the reader never gets there. People today have short attention spans, so strip out any marketing fluff and get the main news and value points right up front in that first paragraph or two.
CITY, State, Date — Company Name (include link), a (one line description about Company), today announced its successful completion of its System and Organization Controls 2 Type II (SOC 2 Type II) examination for the period of review period, as it looks to (statement about why this report matters, such as demonstrate its commitment to protecting customers’ sensitive information).
The independent examination, conducted by leading cybersecurity assessment firm A-LIGN, validates that Company’s security practices and controls meet the Trust Services Principles and Criteria for security, availability, and privacy over an extended period of time.
- Use quotes from your leadership and your auditor. Your second or third paragraph should be a quote from your CEO or similarly prominent figure at your company, explaining why this assessment matters in clear, readable language. You can also throw a quote in from your auditor further down the press release (A-LIGN is always happy to provide quotes for our customers).
“Our customers rely on us every day to process critical information that contains sensitive data, which makes protecting that data a top priority for us,” said Executive’s Name, Title of Company. “We are proud to have completed this important examination and assure all our customers that we take security as seriously as they do.”
- Give readers a “next step”. The final paragraph or two of your press release is a good opportunity to describe a little more about the audit you went through and how readers can learn more.
Established by the American Institute of Certified Public Accountants (AICPA), the SOC 2 examination is designed for organizations of any size, regardless of industry and scope, by ensuring the personal assets of their potential and existing customers are protected. SOC 2 reports are recognized globally and affirm that a company’s infrastructure, software, people, data, policies, procedures and operations have been formally reviewed.
In addition to performing a SOC 2 audit on an annual basis, Company will make the report available to current or potential customers upon execution of a non-disclosure agreement (NDA). Visit www.company.com/trust for more details.
- Include boilerplates for your auditor and yourself. Every press release ends with the ABOUT section, a standard description of any company mentioned in the article. These boilerplates are helpful to people scanning many press releases so they can get quick context about the subject of the article without having to do research. Be sure to include contact information for both you and your auditor so people know how to get in touch.
About A-LIGN
A-LIGN is a technology-enabled security and compliance partner trusted by more than 2,500 global organizations to help mitigate cybersecurity risks. A-LIGN uniquely delivers a single-provider approach as a licensed SOC 1 and SOC 2 Auditor, accredited ISO 27001, ISO 27701 and ISO 22301 Certification Body, HITRUST CSF Assessor firm, accredited FedRAMP 3PAO, candidate CMMC C3PAO, and PCI Qualified Security Assessor Company. Working with small businesses to global enterprises, A-LIGN experts and its proprietary compliance management platform, A-SCEND, are transforming the compliance experience. For more information, visit www.A-LIGN.com.
Other Press Release Tips
There are a few other concepts worth keeping in mind as you write your press release.
- Don’t treat the press release like ‘marketing’. These articles function much more effectively when they are written in clear, down-to-earth language. Use fact-based, direct language that sticks to the who/what/where/why/how.
- Keep it brief. The main body should be no more than 4-6 paragraphs, a couple of sentences each.
- Be relatable. Avoid technical and industry jargon, and write for the average reader. Talk about your accomplishment, but always put it in the context of how your customers and partners will benefit.
More Resources Coming Up
The announcement of your cybersecurity assessment is a big deal. That’s why you should treat it that way. And stay tuned for more tips on marketing your cybersecurity assessment including training your sales team, adding it to your website, and more.
Want to talk more about how to market your cybersecurity assessment? We are happy to help.
Don’t Wait: The Risks of Putting Off Your SOC 2 Audit
For fast-growing businesses, an audit or certification process may be the last thing on the list of priorities and action items. However, compliance with leading regulations, policies, and frameworks is crucial to continued expansion and success.
In today’s highly competitive, mobile, global, and remote business environment, cybersecurity is a top concern for businesses and consumers alike. Data privacy and security have never been more important. If your business wants to work with large customers or those in regulated industries, you will likely be asked to provide proof of your security controls, especially if you operate a cloud or services business.
System and Organization Controls (SOC) 2 is a voluntary framework designed to ensure that organizations are meeting a set of trust services criteria and implementing controls to protect data. The SOC 2 framework is well-known and thorough—and it’s common for partners, vendors, customers, and other business stakeholders to request proof of SOC 2 attestation from organizations. This proof comes in the form of a SOC 2 Type 1 or Type 2 report from a CPA firm.
From startups to more established companies, SOC 2 has many benefits. If you’ve been delaying the SOC 2 audit process, there are business risks you may unknowingly be facing.
Let’s explore a few of those risks—and why you can’t afford to delay your SOC 2 audit much longer.
Risk 1: Less Competitive Position
Without a SOC 2 report, you may lose business to competitors who have gone through the SOC 2 process and can prove their security chops. Organizations that receive a SOC 2 report can display a SOC 2 logo on their website or other materials—sending a message that they’ve successfully completed an audit and are security-savvy.
Many organizations are required by law to ensure the security of their data—or their customers’ data—and will therefore only work with partners and vendors who can demonstrate secure practices and compliance with regulations. Although SOC 2 is not a regulation or a certification, it is a highly respected, rigorous framework. It’s not unusual for customers, prospects, vendors, and partners to ask service providers to demonstrate SOC 2 “compliance,” often when they’re going through the sales process or at renewal time. This means they’re asking for a SOC 2 report—which can only be obtained via examination and attestation through a CPA firm.
Organizations can get ahead of these requests by completing the SOC 2 audit process. A good place to start is a SOC 2 audit checklist to ensure you have everything ready to start an assessment with a reputable partner firm.
Risk 2: Lost or Interrupted Sales
As noted, requests for a SOC 2 report often come during the sales process. At some point, a prospect may ask for your SOC 2 report before moving any further. At best, lack of a SOC 2 report could interrupt the deal, slowing things down. At worst, it will cost your organization the business.
Since SOC 2 is a rigorous framework, it isn’t something that can be completed overnight from one business call to the next. It requires planning, thought, ongoing cybersecurity controls, and the help of an external auditing partner. In short: it’s best to complete the SOC 2 examination process proactively and keep up compliance before it costs your organization revenue.
Risk 3: Lack of Customer Trust
A SOC 2 report sends a signal to customers that your organization takes security—and the protection of their information—seriously. Obtaining a SOC 2 report indicates a level of maturity around technology and business. Passing a SOC 2 examination and successfully receiving a letter of attestation means that an organization is addressing controls in areas including:
- Access control
- Passwords
- Change management
- Incident response
- Logging and monitoring
- And other critical areas of data protection
Without a SOC 2 attestation from a licensed CPA, customers have no way of verifying that their trust is being well-placed. And without trust, it is very difficult to do business.
Risk 4: Vulnerability to Security Threats
One of the most valuable outcomes of pursuing a SOC 2 attestation is improving and maintaining the strength of your own organization’s cybersecurity posture. SOC 2 is comprehensive and covers a wide range of controls, such as those listed above.
Of course, a SOC 2 report does not itself ensure security or assure ongoing compliance. But the controls required to pass an audit—when properly implemented and continuously used—greatly reduce risk to the organization. Each of these controls individually won’t fully protect your company, but, in combination, these elements create a much stronger shield against hackers and other threats (including insider threats from employees, trusted vendors, and others).
It’s also important to point out the value of having security controls audited by a certified, independent firm that specializes in cybersecurity assessments. When internal security teams—or cybersecurity vendors/providers like a managed security service provider (MSSP)—grade their own security controls, there is an inherent bias. Implementation teams have inside knowledge that external, third-party auditing firms don’t. It’s possible for these teams to make assumptions or miss problems because of this knowledge—an independent firm avoids this natural conflict of interest and gives you (and your customers) confidence that the validation process is unbiased.
SOC 2: A Business and Security Advantage
Putting off a SOC 2 audit can hold organizations back in the long run by impacting their competitiveness, slowing the sales process, and more. For organizations looking to compete in today’s security-aware business climate, SOC 2 compliance is a must-have—so don’t delay, and start your SOC 2 journey today.
Five Easy Steps to Get Started With Your SOC 2 Audit
A SOC 2 audit may seem intimidating, but companies can take steps to make the process smoother. We break down five key steps to start on SOC 2 compliance today.
Many organizations hear the word “audit” and freeze—even the idea of an audit conjures a vision of hours spent tracking down paperwork and digital evidence, making organizational changes, and months of work. While an audit may seem overwhelming at the beginning, organizations can take steps to make the process streamlined, smooth, and successful.
One of the most common audits that service organizations seek out is a System and Organization Controls (SOC) 2 audit, which aims to ensure that the organization employs adequate controls to protect customer information in its systems. Meeting the AICPA’s SOC 2 criteria can look slightly different for every organization, and organizations must obtain a report from a CPA firm to document the attestation.
Oftentimes, these reports—which come in two formats, SOC 2 Type 1 and Type 2 reports—will be requested by prospective customers as part of their due diligence for new partners, or as part of their own audit and risk management processes.
Attaining and maintaining an annual SOC 2 attestation is valuable to many service providers. As noted, SOC 2 is often a requirement to do business with certain partners or customers. It can help build customer and partner confidence in your organization’s security and it demonstrates you take their trust seriously. By implementing the best practices required to meet the SOC 2 trust services criteria, your organization can uncover security vulnerabilities, remediate them, and ensure a responsible level of security practices.
In this post, we will walk through five key steps that can make the SOC 2 audit process less intimidating, especially if you’re seeking SOC 2 for the first time. Use these steps to get in shape for an audit and start your SOC 2 journey today.
Prioritize the Most Important Controls
The technology landscape is getting more complicated every year, and threat actors are always looking for a way into organizations to steal or exploit their data. Security controls are crucial for preventing or limiting the impact of breaches, yet it can seem like an endless list of to-dos and must-haves.
Before diving headlong into a SOC 2 audit with an external partner, examine the different controls required by SOC 2 and bolster any gaps you are aware of. By prioritizing the controls your organization needs, compliance becomes bite-sized—and less intimidating.
The areas of controls that are most important during a SOC 2 examination include:
- Information Security
- Access Control
- Password Management
- Change Management
- Risk Assessment and Mitigation
- Incident Response
- Logging and Monitoring
- Vendor Management
- Data Classification
- Acceptable Use
- Information, Software, and System Backup
- Business Continuity and Disaster Recovery
Determine which policies and procedures need the most attention, and in what order. Then, begin working through them methodically. A few ways to prioritize policies could include:
- Starting with those that require the least work, so you can tally up accomplishments
- Starting with those that require the most work, so you get them out of the way and can assess your time commitment going forward
- Starting with those that are the most visible to build awareness and momentum within your organization around the effort
Schedule Key Compliance Tasks to Stay on Track
In some ways, practicing year-round compliance is like going to the dentist—you may only visit your dentist once or twice a year for a cleaning, but you still brush, floss, and rinse every day. Good dental hygiene doesn’t happen as a result of a single visit, and neither does SOC 2 compliance.
If you’re seeking a SOC 2 audit, one of the best ways to make the process easier and to reduce the chances of an undesirable outcome of your audit is to practice compliance year-round—rather than in a rush at audit time. Cybersecurity threats never sleep, and neither can your controls.
Once you’ve determined your priority policies and procedures, break down the components of each and make a list of the controls that need to be put in place and kept up. Some activities can be done weekly, such as checking your logs, while others can be monthly or quarterly, such as reviewing access to systems or conducting vulnerability scans.
Make a timeline of these activities or a SOC 2 checklist, and then hold the organization accountable for maintaining each element. This will make your life much easier at audit time, and it reduces the likelihood of needing remediations.
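One practical way to keep such a timeline honest is a small checker that records each recurring control activity with its cadence and the date it was last performed, and flags what is overdue or due soon before the auditor asks for evidence. The following is an added example written for this post; it is not A-LIGN's code and not part of any A-LIGN product, and the control activities, cadences and dates are constructed sample data:

```python
"""Cadence checker for year-round SOC 2 control activities.

Added example; not A-LIGN's code. It assumes each recurring control activity
is recorded with a cadence (weekly, monthly, quarterly) and the date it was
last performed, and it reports what is overdue, due soon, or on track as of a
given date. Activity names and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum interval between performances of an activity, per cadence label.
# 30 and 90 days are simplifications of "monthly" and "quarterly".
CADENCE_DAYS = {"weekly": 7, "monthly": 30, "quarterly": 90}


@dataclass(frozen=True)
class ControlActivity:
    control_area: str     # SOC 2 control area the activity supports
    activity: str         # what the team actually does
    cadence: str          # key into CADENCE_DAYS
    last_performed: date  # date the activity was last completed (and evidenced)


def next_due(activity: ControlActivity) -> date:
    """Date by which the activity must be performed again."""
    if activity.cadence not in CADENCE_DAYS:
        raise ValueError(f"unknown cadence {activity.cadence!r} for {activity.activity}")
    return activity.last_performed + timedelta(days=CADENCE_DAYS[activity.cadence])


def compliance_status(activities, as_of: date, warn_days: int = 7) -> dict:
    """Classify each activity as overdue, due_soon, or on_track as of `as_of`.

    Returns {"overdue":  [(activity, days_overdue), ...],
             "due_soon": [(activity, days_until_due), ...],
             "on_track": [(activity, days_until_due), ...]}
    with overdue entries sorted so the largest gap comes first.
    """
    status = {"overdue": [], "due_soon": [], "on_track": []}
    for activity in activities:
        delta = (as_of - next_due(activity)).days  # positive means overdue
        if delta > 0:
            status["overdue"].append((activity, delta))
        elif -delta <= warn_days:
            status["due_soon"].append((activity, -delta))
        else:
            status["on_track"].append((activity, -delta))
    status["overdue"].sort(key=lambda pair: pair[1], reverse=True)
    return status


def format_report(status: dict, as_of: date) -> str:
    """Render the status as plain text suitable for a weekly compliance e-mail."""
    lines = [f"Control activity status as of {as_of.isoformat()}"]
    for bucket, label in (("overdue", "OVERDUE"), ("due_soon", "DUE SOON"), ("on_track", "ON TRACK")):
        for activity, days in status[bucket]:
            lines.append(f"[{label}] {activity.control_area}: {activity.activity} "
                         f"({activity.cadence}, {days} days)")
    return "\n".join(lines)


# Constructed sample data: a small subset of the control areas listed above.
SAMPLE_ACTIVITIES = [
    ControlActivity("Logging and Monitoring", "Review security logs", "weekly", date(2024, 3, 1)),
    ControlActivity("Access Control", "Review user access to systems", "monthly", date(2024, 2, 15)),
    ControlActivity("Risk Assessment and Mitigation", "Run vulnerability scan", "quarterly", date(2023, 11, 15)),
    ControlActivity("Information, Software, and System Backup", "Test restore from backup", "quarterly", date(2024, 2, 20)),
]


def sample_status(as_of_iso: str = "2024-03-12") -> dict:
    """Run the checker over the constructed sample as of the given ISO date."""
    return compliance_status(SAMPLE_ACTIVITIES, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    today = date.fromisoformat("2024-03-12")
    print(format_report(sample_status("2024-03-12"), today))
```

Run it once a week from a scheduler and route the OVERDUE lines to whoever owns the control; the `last_performed` date should only move forward when the evidence (the log review ticket, the access-review sign-off, the scan report) actually exists, since that evidence is what the auditor will ask for.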
Get Started with Audit Automation
As technology becomes more advanced and security risks grow, organizations are increasingly building the audit process into their cybersecurity stack. Elements of the auditing process can be automated, which can reduce the time needed for preparation and make auditing faster.
For example, our A-SCEND compliance management software can centralize and store evidence, re-use and repurpose evidence for multiple audits or frameworks, automatically create requests, track milestones in the audit process, and more. All of this reduces the pressure on an organization’s staff and also ensures that information makes its way into the right place.
IT organizations are looking for every opportunity to automate their tech stack, so they can move faster and get more done with fewer people. Implementing compliance management and audit automation software is a great way to get some small wins quickly.
Start Small and Grow Alongside Your Business’ Needs
Don’t bite off more than you can chew—especially when it’s your first time completing an audit of any kind. The SOC 2 criteria are flexible, and organizations can choose to comply with only the common criteria or to add in additional criteria. Either way, make sure you right-size with the correct criteria and keep your process streamlined and efficient.
This attitude applies to your auditing and security approach in general. While SOC 2 is an excellent framework for service providers to start with, compliance and regulations tend to grow alongside businesses as they expand. It’s likely that you will encounter more applicable regulations or requirements in the future.
For example, if you are a service organization and you begin working with payment card data, the Payment Card Industry Data Security Standard (PCI DSS)—a requirement from most global credit card providers—may become crucial. Depending on your client base, industry, business strategy, and how you expand, other possible requirements could include HITRUST, FedRAMP, ISO 27001, and more.
Completing a SOC 2 audit is an excellent learning experience. It can help your organization get into the right mindset for future certifications, frameworks, and regulations. And as you are subject to more compliance directives, you can build off what you’ve learned from the SOC 2 process.
Choose a Partner—Not Just an Auditor
SOC 2 compliance must be certified by an external auditor. For an organization seeking a SOC 2 report for the first time, an expert guide can be a boon. With deep experience and trained eyes, the right audit partner can help companies complete the auditing process smoothly and confidently. Notice that I used the word partner—not vendor or even auditor.
Attaining and maintaining compliance is not a one-time endeavor, and as organizations grow, they’re likely to encounter further policies, frameworks, and regulations that require certifications and audits, such as ISO 27001 or HITRUST. It takes a partner who will walk, step for step, beside your organization. A partner will take the time to understand your business, provide guidance and support around the audit experience, and help you reach your goals.
Getting Started on SOC 2 Compliance
Organizations beginning the SOC 2 audit process for the first time can get the ball rolling with the five steps above. By understanding and prioritizing controls, getting into shape internally with regard to policies and procedures, finding ways to automate the audit process, and joining forces with a true partner, SOC 2 compliance is within reach.