In cybersecurity and compliance, one certification stands out as the gold standard for information security management: ISO/IEC 27001. Achieving ISO 27001 certification demonstrates a company’s commitment to protecting its information assets and mitigating cyber risks. But what exactly is the ISO 27001 process, and how can your organization seamlessly attain this certification? Let’s delve into the steps of the ISO 27001 process.
Understanding the ISO 27001 process
The ISO 27001 process is a systematic approach to establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS) within an organization. It involves a series of steps that are carefully crafted to ensure the confidentiality, integrity, and availability of information assets. Here’s a breakdown of the key stages of the ISO 27001 process:
1. Initiation and planning
The journey towards ISO 27001 certification begins with a clear understanding of your organization’s context, scope, and objectives. During this phase, management’s commitment to information security is crucial, as it sets the tone for the entire process. Planning involves defining the ISMS scope, conducting a risk assessment, and establishing information security policies and objectives.
2. Selecting a vendor
Once your organization decides to pursue ISO 27001 certification, it must select a certification body to perform the certification audit. Under the impartiality rules of ISO/IEC 17021-1, the body that certifies your ISMS cannot also have designed or implemented it, so readiness work is done internally or with a separate advisor before the certification body is engaged.
Look for an accredited certification body. Accreditation is granted by a national accreditation body after a rigorous evaluation confirming that the certification body performs its audits in accordance with ISO/IEC 27006 and ISO/IEC 17021-1. The evaluation assesses the competence of the audit team, the audit methodology, and the quality control procedures in place to ensure that the audit and report are completed properly. A certificate issued by an unaccredited body carries far less weight with customers and regulators, so verify the accreditation before signing.
3. Pre-assessment
The ISO 27001 pre-assessment is an optional step, most useful for companies undergoing certification for the first time. The certification body simulates the actual certification audit by reviewing your entire management system, including scope, policies, procedures, and processes, to identify gaps that should be closed before the formal audit begins.
The pre-assessment phase can give your organization a head-start on the certification process by revealing any oversights or potential weaknesses that your organization may have ahead of the actual audit so that you can act on areas that require remediation or attention.
4. Stage 1 audit
First, an auditor reviews an organization’s documentation to confirm it is following ISO 27001 requirements. The Stage 1 audit also checks to see if the required activities of the standard have either been completed or are scheduled for completion prior to starting Stage 2.
At the end of Stage 1, the auditor will determine if your company is ready to move forward to Stage 2, or if there are any areas of concern regarding the company’s policies, procedures, and supporting documentation before proceeding. In rare cases where significant areas of concern are noted, you may be required to complete a second Stage 1 audit before moving on to Stage 2.
5. Stage 2 audit
The Stage 2 audit tests whether the ISMS conforms to the ISO 27001 standard in operation, not just on paper. During this stage, the certification body performs testing procedures including interviews, inspection of documented evidence, and observation of processes. Audit duration varies: it is driven mainly by the number of people and sites in scope and by the complexity of the environment.
Upon completion of Stage 2, the certification body determines whether your organization is ready to be certified. Any major nonconformities must be remediated, and the remediation verified, before a certificate can be issued. Once that is done, the organization receives a certificate valid for three years, contingent on the continued successful completion of surveillance audits.
6. Surveillance audit
Obtaining ISO 27001 certification is not the end of the journey; it marks the beginning of a commitment to maintaining and improving information security practices. Surveillance audits are conducted annually to confirm ongoing conformity with the standard’s requirements.
For the next two years, annual surveillance audits are required. These audits provide assurance that your systems and processes remain in conformity over time. Surveillance audits are shorter in duration and narrower in scope than the initial Stage 2 audit and test a sampled set of controls rather than the full set. Plan for the preparation and audit cycle to take a few months each year.
7. Recertification
Your ISO 27001 certificate is valid for three years after the issue date as long as the surveillance requirements are met. Your organization must recertify before the expiration date, which starts a new three-year certification cycle.
The recertification process differs from the initial certification in that organizations do not typically need to repeat the Stage 1 audit. Recertification begins with a full system audit, similar in depth to a Stage 2 audit. After recertification, the annual surveillance audits resume.
The benefits of ISO 27001 certification
Embracing the ISO 27001 process and obtaining certification bring a multitude of benefits to organizations, including:
- Enhanced security posture: By identifying and mitigating information security risks, organizations bolster their defenses against cyber threats.
- Improved customer trust: ISO 27001 certification demonstrates a company’s dedication to safeguarding sensitive information, earning trust from customers and stakeholders.
- Legal and regulatory compliance: Compliance with ISO 27001 helps organizations meet legal and regulatory requirements related to information security.
- Competitive advantage: Certification differentiates organizations in the marketplace, giving them a competitive edge over non-certified competitors.
Partnering with A-LIGN for ISO 27001
Navigating the complex landscape of ISO 27001 certification can be daunting, but with the right partner by your side, the journey can be efficient and seamless. A-LIGN, a trusted global leader in compliance and cybersecurity solutions, offers comprehensive services to support organizations in achieving ISO 27001 certification.
With A-LIGN’s expert guidance, cutting-edge technology, and commitment to quality, companies can embark on their ISO 27001 journey with confidence. From initial assessment to certification audit and beyond, A-LIGN caters to diverse compliance needs, ensuring a smooth and successful certification process.
The ISO 27001 process is not just a certification but a commitment to excellence in information security. By following a structured approach, leveraging expert guidance, and embracing a culture of continuous improvement, organizations can elevate their cybersecurity posture and build a foundation of trust and reliability in today’s digital world.
Are you ready to embark on your ISO 27001 journey? Partner with A-LIGN – contact us today to take the first step towards cybersecurity excellence.
The launch of HITRUST CSF v11.3 represents a significant advancement in healthcare information security frameworks. This latest version not only aligns with current cybersecurity needs but also anticipates future requirements with an emphasis on AI compliance, ensuring organizations are well-equipped to protect sensitive data as the threat landscape continues to evolve.
The key updates of HITRUST CSF v11.3
By addressing the latest regulatory requirements, enhancing protections against sophisticated cyber threats, and streamlining the assessment process, HITRUST CSF v11.3 shows that HITRUST continues to demonstrate its commitment to supporting organizations in their quest for robust data protection and compliance.
1. Integration of authoritative sources
The inclusion of FedRAMP r5, StateRAMP r5, and TX-RAMP r5 in HITRUST CSF v11.3 is a strategic move to standardize the approach to compliance for entities engaged with government contracts. The NIST SP 800-53 Rev. 5 mapping also received minor improvements reflecting updates from NIST SP 800-53 Release 5.1.1, encompassing the addition of one new control (IA-13) and enhancements to three existing controls.
These additions underscore the importance of a unified framework that addresses specific regulatory requirements, facilitating a smoother pathway to compliance for organizations navigating the complex landscape of government information security standards.
2. Enhanced protections with NIST SP 800-172
With cyber threats becoming more sophisticated, the integration of NIST SP 800-172 into the HITRUST framework enhances protections for Controlled Unclassified Information (CUI). This update is particularly beneficial for organizations with high-risk profiles, offering a tailored approach to the HITRUST r2 Assessment that is both rigorous and relevant.
3. Foundation for CMMC Level 3 requirements
Preparing for compliance with the Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements is now more attainable with HITRUST CSF v11.3. This serves as a foundation for organizations to meet stringent NIST standards, positioning them to address future compliance needs effectively.
4. Security for AI systems with MITRE ATLAS mitigations
Acknowledging the growing role of artificial intelligence in today’s technology landscape, HITRUST has included mitigations from MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems), the knowledge base of adversary tactics and techniques against machine learning systems. This helps ensure that security measures keep pace with the adoption of AI.
The incorporation of MITRE ATLAS mitigations in HITRUST CSF v11.3 complements the HITRUST AI Assurance Program launched in October 2023, further strengthening the framework’s capacity to secure AI-powered systems in the healthcare sector.
5. Streamlined assessment process
Efficiency is at the heart of the updated framework, with a significant reduction in redundancy across requirement statements. This streamlining effort has led to a decrease in the average r2 assessment size, making the certification process more manageable for organizations without compromising on control coverage.
6. Alignment with PCI DSS 4.0
The latest framework update also aligns with PCI DSS v4.0. Both frameworks prioritize the security and integrity of sensitive data, emphasizing comprehensive risk management and ongoing compliance. HITRUST CSF v11.3’s enhancements mirror the updated requirements of PCI DSS v4.0, so organizations that handle payment card data alongside other regulated information can address both sets of requirements through one assessment effort.
Impact on organizations
The updates in HITRUST CSF v11.3 bring about several key impacts for organizations pursuing HITRUST CSF compliance in the evolving threat landscape, including:
- Staying ahead of regulations: Organizations can now remain compliant with the latest industry standards and requirements, addressing current and future regulatory challenges.
- Adapting to the cyber threat landscape: With the inclusion of new authoritative sources and enhanced protections, organizations are better equipped to tackle the dynamic cyber threat environment.
- Efficiency in compliance efforts: The streamlined assessment process reduces the time and effort required for HITRUST Certification, enabling organizations to focus on critical business operations while maintaining high security and compliance standards.
Transitioning to HITRUST CSF v11.3.0
As of April 16, 2024, the option to generate new e1 and i1 assessment objects, including i1 rapid recertification assessments, using CSF v11.2 in MyCSF is no longer available. All new e1, i1, and rapid recertification assessments must be initiated with CSF v11.3. Existing e1 and i1 assessments created with CSF v11.2 remain eligible for submission after April 16, 2024; HITRUST will give 90 days’ notice before the submission deadline for e1 and i1 assessments using v11.0.0, v11.0.1, v11.1.0, and v11.2.0 takes effect. This transition period provides an opportunity for entities to assess their readiness and make the adjustments needed to align with the updated standards.
For organizations navigating these changes, A-LIGN offers diagnostic and gap assessments to bridge the gaps between previous HITRUST versions and v11.3. These services are designed to guide entities through the framework’s intricacies, ensuring a smooth and effective transition.
Learn more about pursuing HITRUST Certification with the latest framework updates by visiting https://www.a-lign.com/service/hitrust.
In July 2023, FedRAMP released guidance for Cloud Service Providers (CSPs) to transition from NIST SP 800-53 Revision 4 to Revision 5. The FedRAMP Rev 5 transition ranks as one of the biggest changes for CSPs in FedRAMP compliance and requires significant updates to all FedRAMP-related processes, controls, and documentation.
For more information on the differences from Rev 4 to Rev 5 see our blog post Understanding the New FedRAMP Rev 5 Baselines.
As CSPs already on the marketplace progress through their 2024 annual assessments, the first since Rev 5 became a requirement, our assessors are seeing common pain points emerge in CSPs’ first assessments against the Rev 5 standard. Below is a summary of the key challenges for cloud service providers (CSPs):
Ambiguity in requirements: Not defining parameters appropriately
Challenge: Revised controls in Rev. 5 introduce new organization-defined parameters (ODPs) and updated requirements. This includes controls that already existed under Rev. 4 but now carry additional requirements and changed language, so their parameter values must be revisited as well. These revised controls are easy to overlook when attention is focused on the entirely new controls that Rev. 5 introduced.
Solution: CSPs should collaborate closely with their security teams, assessors, and compliance officers. Clear communication and documentation are crucial. Detailed guidance on parameter definitions, use cases, and examples can mitigate this challenge. Begin with existing controls that have updated parameters for Rev. 5, then move onto the entirely new controls introduced in Rev. 5.
Privacy controls gap: Lack of incorporation within the framework
Challenge: While Rev. 5 integrates privacy controls throughout the catalog, CSPs may overlook their inclusion. Privacy is now a central theme, but some providers continue to focus solely on traditional security controls, neglecting privacy-related aspects.
Solution: CSPs must actively map their existing controls to the integrated privacy framework. Training and awareness programs can help bridge the gap. Additionally, leveraging tools and templates provided by NIST and FedRAMP can streamline the process.
Incomplete supply chain risk management implementation
Challenge: The new Supply Chain Risk Management (SR) control family demands robust supply chain risk assessments. CSPs, especially those new to the cloud space, grapple with building comprehensive SR plans. Incomplete implementation can jeopardize the security of the entire ecosystem.
Solution: CSPs should establish checks and balances within their supply chains. Collaborate with vendors, assessors, and third parties to ensure thorough risk assessments. Documentation of processes and transparent communication are essential.
Control objective misalignment: New controls falling short
Challenge: Implementing the new controls doesn’t always align perfectly with their intended objectives. CSPs may struggle to fully meet the control goals due to operational constraints or resource limitations.
Solution: CSPs should conduct thorough gap analyses. Identify areas where control objectives are not fully met and prioritize remediation efforts. Regular assessments and continuous improvement are critical.
Red team exercise: Relying on 3PAO penetration tests
Challenge: Control CA-8(2) introduces a new red team exercise requirement. Some CSPs mistakenly rely solely on the 3PAO-led FedRAMP penetration test to fulfill it, but penetration testing and red teaming are distinct exercises: a penetration test enumerates exploitable weaknesses in a defined scope, while a red team exercise emulates a realistic adversary against the organization to test detection and response as well as prevention.
Solution: While FedRAMP is still finalizing requirements for red teaming, CSPs must recognize that the organization’s red team exercises are essential. They provide context-specific insights and simulate real-world scenarios. A balanced approach, combining both internal and 3PAO assessments, ensures comprehensive security testing. A-LIGN offers independent red team assessments apart from our FedRAMP services that can help management better assess their security posture and meet the requirements of Rev 5.
In summary, the transition to NIST SP 800-53 Rev. 5 demands careful attention to detail, proactive practices, precise implementation statements, and a robust security approach. By addressing these challenges, CSPs can enhance their security posture and successfully navigate the evolving landscape of information security and privacy.
ISO 42001 has sparked significant interest among organizations that currently use – or plan to use – artificial intelligence (AI) in their businesses. As organizations figure out how to leverage AI ethically and effectively, they are looking to this new standard for guidance.
We’ve compiled frequently asked questions about ISO 42001 and consulted industry experts for their insights. Below is a distilled Q&A guide all about implementing ISO 42001.

Watch our on-demand webinar, ISO 42001: The Future of AI Security with Patrick Sullivan, VP of Innovation and Strategy at A-LIGN and Kim Lucy, Director of GRC Standards at Microsoft.
What is ISO 42001 and why is it gaining attention?
ISO 42001 is a standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS). Its significance stems from the increasing reliance on AI technologies across various sectors and the need to ensure these technologies are developed and used responsibly. ISO 42001 helps organizations align their AI practices with ethical, legal, and technical standards, facilitating trust and safety in AI applications.
Who were the architects behind ISO 42001?
The development of ISO 42001 was a collaborative international effort, involving experts from tech industries, academia, and public sectors. Contributors like those from Microsoft and other leading technology firms played pivotal roles, leveraging their expertise to ensure the standard reflects the latest in AI governance and management practices. This diversity ensures ISO 42001 is broad in scope and applicability, making it relevant across industries and regions.
How does ISO 42001 relate to existing management systems, such as ISO 27001?
While sharing high-level structures with other ISO standards like ISO 27001, ISO 42001 incorporates unique elements specific to AI, such as detailed risk management focused on societal and individual impacts of AI systems. This includes the requirement for AI impact assessments, setting it apart from other standards that may focus more on organizational risks. The inclusion of sector-specific requirements underlines the standard’s focus on the unique challenges posed by AI technologies.
Can adopting ISO 42001 aid in regulatory compliance, like the EU AI Act?
ISO 42001 was designed with an eye towards facilitating compliance with emerging regulations, including the EU AI Act. By aligning its provisions closely with such legislative frameworks, ISO 42001 serves as a valuable tool for organizations navigating the complex landscape of AI regulation. It offers a robust foundation that can help meet current and future legal requirements, positioning organizations favorably in a regulated environment.
Is ISO 42001 applicable to both large corporations and startups?
Yes, one of the strengths of ISO 42001 is its scalability and flexibility, making it suitable for organizations of all sizes, from global corporations to startups. The standard’s applicability regardless of an organization’s size is a testament to its thoughtful design, emphasizing the importance of defining the organization’s context and management system scope effectively. Properly scoped, ISO 42001 can guide any organization towards responsible AI use.
What assessments are mandated by ISO 42001 for AI systems?
ISO 42001 requires organizations to conduct AI impact assessments and AI risk assessments, emphasizing the effects on individuals and society. This approach marks a shift from traditional enterprise risk assessments, directing attention towards the broader implications of AI technologies. These assessments are critical for understanding and mitigating the potential negative impacts of AI systems on society.
How does ISO 42001 enhance trust within the AI supply chain?
By establishing a certification process for responsible AI use, ISO 42001 helps create a trust chain within the AI supply chain. This is particularly crucial in industries where AI components are integral to products, such as medical devices. Certification signifies that an organization has met stringent criteria for responsible AI development and use, providing assurances to partners and consumers alike.
Are there additional resources that complement ISO 42001?
For organizations seeking to thoroughly implement ISO 42001, resources such as ISO 23894 for AI risk management and ISO 42005 for guidance on AI impact assessments are invaluable. These documents provide deeper insights and practical advice on adhering to ISO 42001, offering a more comprehensive understanding of managing AI systems responsibly.
What challenges might organizations encounter with ISO 42001?
Adopting ISO 42001 requires a commitment to deep engagement with the standard’s requirements. Organizations should be prepared for a process that is more involved than simply applying a set of prescriptive measures. Successful implementation necessitates a nuanced analysis and adaptation to the organization’s specific context, goals, and the regulatory environment.
How does ISO 42001 prepare organizations for future AI regulations?
ISO 42001’s close alignment with current regulatory trends, such as the EU AI Act, and its proactive incorporation of AI impact assessments position organizations well for future AI regulations. It serves as a foundational step, enabling organizations to adapt to new legal requirements more seamlessly and ensuring continued responsible AI use.
For businesses considering venturing into AI or seeking to enhance their AI governance, ISO 42001 provides a comprehensive framework that supports ethical, legal, and efficient AI use. By adopting ISO 42001, organizations can better, and more proactively, navigate the challenges of AI implementation, foster innovation, and build trust among stakeholders.
How do I get started with ISO 42001?
With a new framework, it is especially important to have an experienced audit partner on your side. The team at A-LIGN is on the forefront of ISO 42001 certification and has a team of experts ready to help you navigate the audit process and achieve ISO 42001 compliance.
“What are the common challenges companies face throughout the audit process?” It’s a question often asked by proactive leaders who want to avoid the missteps and oversights made by other organizations.
Many executives and corporate compliance leaders say there are simply not enough hours in the day to get everything done, or even to just move things forward in a timely manner. It’s also common for some employees to feel like their organization’s compliance strategy is reactionary, driven by customer requests rather than established as a strategic initiative from the top down – and they’re not wrong.
In this blog, we discuss the most prevalent audit challenges hindering organizations today and how the commitment to pursuing a quality audit can alleviate many of these common issues to pave the way for a more streamlined, efficient audit process.
Challenge: Limited staff resources and budget constraints
One of the most common challenges organizations face during the audit process is a shortage of sufficient staff resources and budget allocated to compliance. In fact, only 20% of companies have a dedicated compliance department – most put IT in charge of compliance.
That means IT professionals must manage compliance programs on top of their other responsibilities. Two-thirds of organizations spend at least 3 months each year preparing for each audit or assessment, which means teams in charge of compliance are spending a significant amount of time and money to prepare for and manage the process.
Because of this, it’s not surprising that many organizations find themselves strapped for resources and budget when it’s time to complete an audit. Some organizations may think the solution is to find the cheapest, quickest audit available so they can check the box and move on, but we believe that choosing the right partner will allow you to have an efficient process without sacrificing quality.
Solution: Choose an expert audit partner
Organizations faced with limited staffing and budget can alleviate these challenges by working with a seasoned auditor who acts as a trusted partner throughout the entire compliance journey. A-LIGN has decades of experience and technology to streamline the audit process and help your business work as efficiently as possible. By working with an expert audit firm, your team can free up valuable time and resources while ensuring your business is audit ready.
Challenge: Complexity in conducting multiple audits
Many businesses are tasked with adhering to numerous frameworks, resulting in the necessity to conduct more than one audit and/or assessment each year. A recent survey found that 92% of organizations conduct more than one audit each year. Given the depth of these unique frameworks, preparation for audits can be a time-consuming endeavor, and can even result in duplicated efforts across multiple audits. Organizations that have siloed teams or departments might also inadvertently gather the same evidence repeatedly to be used at various points in time.
Due to these complexities, many organizations find it difficult to allocate the correct resources to navigate different frameworks and complete all the required assessments in a timely, accurate manner.
Solution: Consolidate efforts across audits
Collaborating with an audit firm with expertise in a variety of frameworks can help streamline and consolidate your team’s audit efforts. With a breadth and depth of services, your audit team at A-LIGN will have the expertise to identify overlaps and consolidate all your audits into one strategic audit plan. This ensures a consistent, standardized approach that provides a more comprehensive view of an organization’s compliance posture. Plus, when leveraging A-LIGN’s audit management technology, users can link one piece of evidence to multiple audit requests, further streamlining efforts across frameworks.
By consolidating an audit into a single annual event, organizations can expect reduced employee workload and the ability to seamlessly and efficiently complete multiple audits. The efficiencies gained in audit consolidation also reduce the amount of time required to complete each audit.
Challenge: Tedious and manual evidence collection
The manual, repetitive tasks associated with evidence collection can plague the efficiency and quality of the audit process. With a scattered, de-centralized audit program spanning multiple vendors, different teams in an organization may spend dozens of hours searching for the same pieces of evidence. In an environment where teams have to do more with less, every hour counts. Manual evidence collection can result in a significant amount of time and resources that could be better allocated elsewhere.
Solution: Leverage GRC platforms
Organizations can save time and resources and streamline evidence collection when they work with an experienced auditor and leverage leading governance, risk management, and compliance (GRC) technology.
With A-LIGN’s strategic partnerships with top GRC providers like Vanta, Drata, and AuditBoard, businesses can use integrations to ease the burden of evidence collection and foster an efficient audit process with the help of cutting-edge automation.
Comprehensive GRC software can also help with:
- Monitoring your security program in real time
- Gaining visibility into risks across your business
- Demonstrating compliance to customers via trust centers and questionnaire automation
Common challenges of the audit process: Key takeaways
In the face of challenges such as tedious evidence collection, staffing and budget constraints, and the complexity of managing multiple audits, many organizations find themselves adopting a reactive approach, often resulting in inefficiencies and disorganization during the audit process.
To address these issues, organizations should take a proactive approach to managing audits as a key business function. Working with an experienced audit partner, consolidating audit efforts, and leveraging leading GRC technology can create a more efficient audit process and allow teams to feel confident in their compliance strategy.
If you’re looking for a single provider approach for an efficient, high-quality audit experience, A-LIGN is here to help. Our experts will guide you through your assessment across the scope of each major framework while helping you get the most out of the audit process.
Ready to get started? Contact us today.
The Trusted Exchange Framework and Common Agreement (TEFCA) is a groundbreaking initiative within the healthcare sector, promoting integrated and secure health information exchange. This framework not only supports interoperability among Qualified Health Information Networks™ (QHINs), but also simplifies the sharing of patient data. Organizations under TEFCA must achieve HITRUST certification to uphold strict data protection standards. The partnership between TEFCA and HITRUST lays a robust foundation for health information exchange, enhancing patient privacy and security.
What is TEFCA?
TEFCA establishes a shared framework of principles, terms, and conditions to facilitate the creation of a standardized agreement. This agreement aims to facilitate the seamless exchange of electronic health information across diverse health information networks on a national scale.
Launched in December 2023, TEFCA’s primary goal is to advance the seamless flow of health information nationwide. The agreement is intended to ensure that healthcare providers, payers, and patients have secure, efficient access to health data, leading to better patient outcomes.
The Sequoia Project, a non-profit advocate for nationwide health information exchange, has been pivotal in developing TEFCA, serving as the Recognized Coordinating Entity (RCE). In this role, it’s responsible for crafting the Common Agreement and the QHIN Technical Framework, setting technical and governance requirements for Qualified Health Information Networks (QHINs) to ensure secure data exchange.
Collaborating with the Office of the National Coordinator for Health Information Technology (ONC), and stakeholders, The Sequoia Project ensures TEFCA’s visions translate into practice, enhancing healthcare delivery efficiency in the US.
What are the goals of TEFCA?
TEFCA plays a vital role in driving the US healthcare system towards efficiency and comprehensive care. The agreement aims to:
- Increase data access: Enable more secure and appropriate sharing of electronic health information to support existing user needs.
- Ensure core data availability: Guarantee a set of core data is shared across networks for treatment, individual access, public health, benefits determination, and certain payment and healthcare operations as defined by HIPAA.
- Reduce costs and improve efficiency: Minimize the need for multiple Health Information Network (HIN) memberships and legal agreements.
- Standardize privacy and security requirements: Offer a common framework for privacy and security, including standards for identity proofing and authentication, to protect patient data.
Who can participate in TEFCA?
TEFCA’s data exchange network is open to a wide range of healthcare organizations that successfully complete the comprehensive onboarding process and are ultimately designated as QHINs. These organizations include hospitals, health systems, payers, HIEs, and other entities engaged in the management, exchange, or analysis of healthcare data.
To achieve QHIN status, an organization must demonstrate rigorous adherence to TEFCA’s technical, privacy, and security requirements. Additionally, these entities are mandated to maintain a commitment to interoperability, ensuring that health information can be securely shared across the care continuum to improve patient outcomes and streamline healthcare delivery.
As of February 2024, seven organizations have completed the rigorous approval process and have been designated as QHINs able to exchange health data across the nation via TEFCA:
- CommonWell Health Alliance
- eHealth Exchange
- Epic Nexus
- Health Gorilla
- Kno2
- KONZA
- MedAllies
HITRUST Certification Requirements for QHINs in TEFCA
HITRUST Certification is a gold standard for compliance in the healthcare industry, providing a comprehensive security framework that aligns with existing standards and regulations, like HIPAA. As an internationally recognized benchmark for safeguarding sensitive information, HITRUST Certification demonstrates an organization’s commitment to protecting healthcare data.
As a part of TEFCA, QHINs are required to meet the rigorous data protection standards of the HITRUST CSF. Through collaboration with HITRUST, TEFCA upholds high data protection standards, acknowledging HITRUST as an effective solution for risk mitigation and compliance in healthcare.
Take the Next Step with A-LIGN
Whether you are on the path to becoming a QHIN within the TEFCA exchange or are just beginning your HITRUST compliance journey, A-LIGN can assist you with the certification process.
Working with A-LIGN offers you a high-quality and efficient audit experience, ensuring that your organization not only meets but exceeds the rigorous data protection standards required. With our expertise, your organization can confidently progress toward HITRUST Certification, paving the way for enhanced security, compliance, and trust in the rapidly evolving healthcare landscape.
For more information about achieving HITRUST Certification, contact us today.
Penetration testing is a critical component of a robust cybersecurity strategy, aiming to replicate real-world attack scenarios on the digital infrastructure. However, the effectiveness of penetration testing hinges on thorough preparation. In this blog, we’ll explore how you can prepare your organization for a penetration test, and how to turn readiness into an action that strengthens your digital defenses. Keep reading for a list of key activities and a penetration testing readiness checklist.
The purpose of preparation
The first step before you begin penetration testing is to complete the pre-testing groundwork. This isn’t just about ticking boxes on a checklist; it is a series of actions that improve your organization’s security posture. To start, organizations should:
- Align their security posture with industry best practices
- Identify risks that might be overlooked in daily operations
- Ensure personnel are aware, trained, and ready to respond
Penetration testing checklist
The detailed checklist outlined below is your map to pen testing preparedness. It outlines the critical steps to gauge and elevate your readiness level for a penetration test, ultimately improving your defense and response strategies against cybersecurity threats.
Organizational preparation
- Documented Objectives: The purpose of the penetration test should be clear and aligned with business objectives. These objectives will guide the scope and depth of your test.
- Organizational Chart: A clear depiction of authority and responsibility helps in directing the flow of communication between stakeholders and the testing team.
- Defined Responsibilities: Ensure that every role has clear guidelines on its involvement in the penetration testing process, including those who will lead the effort and those who will be audited.
- Separation of Duties: Preventing conflicts of interest is paramount. Implementation should ensure that no single individual has control over all aspects of a task.
- Board of Directors or Executive Oversight: High-level representation ensures that decisions are backed by the required budget and priority.
Policies and procedures
- Hiring and Onboarding Procedures: Proper vetting and training of personnel help to protect against insider threats.
- Code of Conduct: This provides an ethical framework for employee actions and for interactions during the penetration test.
- Employee Handbook: All personnel should be acquainted with the rules and security measures specific to your organization.
- Awareness and Ongoing Training Activities: Regular updates and training sessions keep security at the forefront of operational strategies.
- Distribution of Policies: Policies are only effective when they are known. A clear communication plan is essential.
- Personnel Evaluations: Regular assessments ensure that all staff members are continually adhering to security protocols.
Technical readiness
- Inventory of Assets: Identifying and documenting all hardware and software assets enables thorough testing coverage.
- Network and Application Architecture Details: This blueprint aids testers in navigating your systems effectively and efficiently.
- Initial Vulnerability Scan: Conducting a preliminary scan gives you an overview of potential vulnerabilities and the breadth of issues that penetration testing might reveal.
- Data Classification: Sensitivity classification enables testers to prioritize the most critical data, imitating real-world attack scenarios more accurately.
Controlling environmental variables
To mitigate surprises during a pen test, it’s essential to have control measures in place. These strategies secure the integrity of your systems and data, while also protecting the testing team from potential legal or professional ramifications.
Establishing test windows
- Coordination with IT Operations: Keep them in the loop about the timing of the test to avoid conflicts in operations.
- Notification to Third-Party Service Providers: Any systems controlled or managed by outside vendors should be scheduled for penetration testing in collaboration with them.
Legal and ethical considerations
- Proper Authorization: Ensure that the testing team has explicit permission to probe your systems, applications, or network.
- Impact Analysis: Conduct an assessment to determine the potential disruptions the test might cause and plan accordingly.
- Scope Limitations: Clearly define what is in scope for testing to prevent unauthorized access to critical systems.
- Client and Third-Party Notification: Notify your clients and third parties about the impending test, especially if there is potential for service disruptions.
Preparing your team for pen testing
A penetration test may challenge not just your cybersecurity measures, but also your human resources. Preparing your team involves psychological and professional readiness to handle the outcomes and implement necessary changes post-test.
Team skills assessment
- Knowledge Base Evaluation: Determine whether your security team has the skills to decipher and act upon the findings of the penetration test.
- Recruitment to Fill Skills Gaps: For more complex and robust testing, consider hiring external specialists to complement your in-house team’s knowledge.
Psychological and social readiness
- Contextualizing the Test as a Learning Opportunity: Frame the penetration test as a collaborative tool that can enhance the organization’s overall security posture.
- Counseling for Potential Stress: High-stress environments, such as those experienced in cybersecurity exercises, can lead to burnout. Prepare your team mentally.
Responding to penetration test results
The end of a penetration testing engagement is not a wind-down to business as usual. Instead, it triggers a series of high-impact responses and analyses that feed back into your cybersecurity strategy, turning passive readiness into active protection.
Assessment of test results
- Documentation of Findings: Every identified vulnerability must be exhaustively documented with information about its exploitability and potential impact.
- Prioritization of Remediation Actions: Classify the findings based on their criticality and potential impact and create an action plan for remediation.
Implementation of remediation strategies
- Immediate Fixes: Some vulnerabilities warrant an immediate fix to prevent exploitation. Implement these first.
- Mid-Term Remediation Planning: Develop a more extensive plan to address issues in the medium term that require design changes or architectural improvements.
- Long-Term Strategic Adaptation: Use the findings to inform a long-term security strategy and architecture that are in line with current and future threats.
Penetration testing readiness is more than a requirement to tick off a compliance checklist. Committing to a comprehensive readiness strategy not only primes your organization to handle potential vulnerabilities, but also contributes to a culture of security awareness at every level. When the time comes, your team can face the challenge with grit and knowledge.
Artificial intelligence (AI) has revolutionized many industries, but its rapid growth has also brought ethical, privacy, and security concerns. To address these challenges, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) devised a new standard, ISO/IEC 42001 (ISO 42001). Published on December 18, 2023, this standard provides guidance to organizations that design, develop, and deploy AI systems on factors such as transparency, accountability, bias identification and mitigation, safety, and privacy.
This article will explore the key elements of the standard, the benefits of implementing it, and next steps for organizations.
Structure of ISO 42001
Like several other ISO/IEC standards, ISO 42001 has several annexes that provide much of the detailed guidance organizations need. Here’s a quick breakdown of these annexes:
- Annex A: Management guide for AI system development, including a list of controls
- Annex B: Implementation guidance for the AI controls listed in Annex A, including data management processes
- Annex C: AI-related organizational objectives and risk sources
- Annex D: Domain- and sector-specific standards
Key themes of ISO 42001
ISO 42001 covers issues throughout the AI system lifecycle, from the initial concept phase to the final deployment and operation of the system. It is designed to help organizations manage the risks associated with AI and ensure that their AI systems are developed and used responsibly.
Some of the key requirements covered in the published standard include:
- Leadership: Top management should demonstrate leadership and commitment to the AI management system (AIMS) and establish policies and objectives that are consistent with the organization’s strategic direction.
- Planning: Identify and assess risks and opportunities associated with AI and develop a plan to address them.
- Support: Provide resources and support for the AIMS, including training, awareness, and communication.
- Operation: Establish processes and procedures for the development, deployment, and maintenance of AI systems.
- Performance evaluation: Monitor, measure, analyze, and evaluate the performance of AI systems and take corrective actions when necessary.
- Continual improvement: Continually improve the AIMS, and ensure that it remains relevant and effective.
Is ISO 42001 mandatory?
If your organization produces, develops, or uses AI, you may be wondering to what extent you should be scrambling to become certified in ISO 42001. In short, ISO 42001 is a voluntary standard and is not legally binding. However, given its significance and emerging recognition, it is highly likely to become the benchmark for AI management systems in the future. Organizations should anticipate possible regulatory developments and consider proactively adopting ISO 42001.
Organizational roles and responsibilities
Effectively implementing ISO 42001 starts with identifying members of your organization in key roles related to AI:
- AI provider: An organization or entity that provides products or services that use one or more AI systems. AI providers encompass AI platform providers and AI product or service providers.
- AI producer: An organization or entity that designs, develops, tests, and deploys products or services that use one or more AI systems. This includes AI developers concerned with the development of AI services and products. Examples of AI developers include model designers, implementers, computation verifiers, and model verifiers.
- AI customer: An organization or entity that uses an AI product or service either directly or by its provision to AI users.
Benefits of implementing ISO 42001
Though few organizations relish the idea of more audits, there are good reasons to move forward with certification sooner rather than later. (Plus, if you practice strategic compliance and consolidate your audits, adding ISO 42001 to your compliance program may be easier than you think.)
Managing AI risks and opportunities
ISO 42001 provides organizations with a systematic approach to identify, evaluate, and address the risks associated with AI. This can help organizations mitigate the risks of AI and protect themselves from potential harm.
Competitive advantage
Implementing ISO 42001 enables organizations to showcase their early adopter status, demonstrating their commitment to responsible AI use. This can enhance stakeholders’ trust and distinguish the organization from competitors.
Cost savings and improved efficiency
By incorporating ISO 42001’s best practices, organizations can streamline their AI processes, identify and rectify vulnerabilities earlier, and reduce the potential financial and reputational costs associated with AI failures.
ISO 42001: Next steps for businesses
To navigate the complex landscape of AI governance and compliance, compliance managers should consider the following steps:
- Purchase and understand the standard: Obtain a copy of ISO/IEC 42001 and familiarize yourself with its provisions. It is crucial to understand its requirements and recommendations, as well as the related standards it draws on (ISO/IEC 22989, ISO/IEC 23894), to effectively implement the standard.
- Start internal talks about certification: Initiating conversations about the certification audit process within your organization is essential. Understanding the steps involved and allocating necessary resources will ensure a smooth transition toward ISO 42001 compliance.
- Get a readiness assessment: Consider engaging a trusted compliance partner like A-LIGN to conduct a readiness assessment tailored to your organization’s specific needs. This assessment will help identify any gaps and provide guidance on achieving ISO 42001 compliance.
As the AI landscape continues to evolve, embracing ISO 42001 will position businesses as leaders in the field, fostering trust and ensuring the long-term success of AI initiatives. Stay ahead in the AI era by leveraging ISO 42001 and building a solid foundation for your AI management system.
Securing cloud infrastructure is a top priority for modern organizations. A commonly recognized compliance standard for cloud service providers (CSPs) is the Cloud Computing Compliance Criteria Catalogue or C5. C5 was first introduced by the Federal Office for Information Security (BSI) in Germany in 2016. In this blog post, we will provide a comprehensive guide to C5 attestation, highlighting its fundamental principles and what organizations need to do to achieve compliance.
Why is C5 attestation important for CSPs?
C5 attestation provides a comprehensive framework of standard security controls for CSPs providing cloud services. The security controls are tailored to meet the needs of CSPs and provide a foundation for secure cloud services. By complying with the C5 requirements, CSPs can demonstrate a high level of security maturity and gain a competitive advantage in the market.
What are the C5 requirements?
The C5 criteria are divided into 17 categories and objectives initially based on ISO 27001:2013 Annex A. These categories include Asset Management, Physical Security, Identity and Access Management, and many others. The C5 criteria also consider a wide range of standards and publications, including the AICPA Trust Services Criteria, ISO 27001, ISO 27002, ISO 27017, the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), and the German IT baseline protection manual (BSI IT-Grundschutz). CSPs that are already compliant with one or more of these publications should consider how that preparedness applies to the C5 criteria.
What is the C5 examination process?
The Federal Office for Information Security has dictated that C5 assessments should be performed using nationally and internationally established standards, namely ISAE 3000 in conjunction with the AICPA’s AT-C section 105 “Concepts Common to All Attestation Engagements” and AT-C section 205 “Examination Engagements.” The catalog dictates that conformity with the C5 criteria should always be provided using the ISAE 3000 audit standard.
A good starting place for organizations new to C5 is a SOC 2 plus C5 readiness assessment. Your assessor can help you understand the requirements, assess your current status, and identify potential gaps. After the readiness assessment is completed, your team will have a roadmap to follow that can make the final examination easier for all parties involved.
Whether a readiness assessment is needed or not, full compliance should be achieved via a SOC 2 plus C5 attestation with the ISAE 3000 integration. The engagement can be completed as a Type 1, attesting to the design of the C5 control set, or a Type 2, testing the design, implementation, and operating effectiveness of the organization’s controls as they meet the SOC 2 and C5 criteria.
Staying up to date with C5 requirements
The BSI updates the C5 controls regularly to reflect the changing cybersecurity landscape. Organizations can stay updated on new or modified controls by regularly checking the BSI website. Failure to comply with the updated controls could result in findings of non-compliance, fines, and reputational damage.
Updates to the C5 Attestation
Germany has tightened its rules about processing health data as more companies rely on cloud computing to safely transmit and access patient information.
The new Section 393 SGB V provides “minimum technical standards” for IT systems and cloud computing and will require many companies to get a new C5 certificate.
According to the new requirements, health and social data can only be processed in Germany, in an EU or EEA member state, or in a third country covered by an adequacy decision of the European Commission. The data processing entity must also have a business establishment in Germany.
Section 393 SGB V also requires stricter technical and security compliance requirements. Companies that process data using cloud computing services need the following:
- Appropriate technical and organizational measures for data security.
- A current C5 certificate. Until June 30, 2025, a Type 1 certificate is considered current. Beginning in July 2025, a new Type 2 certificate is required.
- Implementation of the conditions and criteria of the C5 certificate.
Health care providers and insurance companies will have additional technical and organizational requirements based on the type of provider or institution.
Medical research and projects may be subject to these new requirements too, though the scope isn’t immediately clear. Companies that conduct clinical trials with pharmaceuticals, medical devices, and diagnostics are less likely to be impacted by these new standards than trials that collect real-world data, like non-interventional studies.
Getting started with C5
Achieving C5 attestation is essential for security-conscious CSPs that want to demonstrate their commitment to security to clients and customers. The process requires dedication, effort, and a thorough understanding of the C5 catalogue, but the benefits are undeniable. By embracing C5, organizations can establish a foundation for secure cloud services, improve their security posture, and gain a competitive edge in the market.
Contact A-LIGN to learn more about C5 attestation.