So Many Security Standards, Audits, and Certifications. Which One is Right?!

Last week I had a great conversation with a prominent member of the information security community (@HackSec), and he raised the following concern: many are confused about when to use ISO 27001 certification, PCI certification, SOC 1 (aka SSAE16), SOC 2 & 3, NIST, and CSA STAR to give customers comfort about their security. I explained my position that organizations should use SOC2 as an umbrella for all of them, especially because many service organizations are required by their customers to comply with multiple standards and produce multiple reports.

To this, he expressed his frustration: if the information security community cannot decide which one to standardize on, how can customers be expected to know what to do? He said: "We'll stay in this nexus of confusion where every attestation is required, and yet customers still do not have confidence in our security and demand the right to audit." He went on to explain that the Trust Services Principles and Criteria (TSPC), on which a SOC 2 is based, are not detailed enough, and that CSA STAR and NIST are much more thorough standards for ensuring security.

In our continuing dialogue, I explained the idea that they can all get along under the SOC2 umbrella. Here's why: accountants understand auditing, security professionals know security, and the international standards organization is just that...international. Each has something that the others do not, and if you bring it all together, you have one heck of a team. Let me explain a little more about each:
 
Accountants understand auditing: Accountants can trace the history of auditing back to ancient Egypt, and its more modern form of independent CPA auditing back to 1593. They were auditing, and being held responsible for their opinions (through lawsuits), long before information security was invented. My point is that the security assessment space is missing an audit process. PCI and ISO 27001 assessments provide point-in-time assurance, which is no assurance at all, and CSA STAR is a self-assessment at this point. While I agree that the TSPC is a weak standard, at least with SOC2 you get period-of-time assurance by taking advantage of the audit process that the attestation standard requires. Then all you have to do is add the other standards into the covered areas and enhance the audit procedures to ensure that the controls are not only "in place", but that they "have been in place" for the period covered by the report.

Security professionals know security: CSA STAR, NIST, and ISO 27001 are great standards, and security professionals are the only ones who can test them. Accountants know that they cannot test security, which is probably why the TSPC are so vague. Security professionals have the right security standards, but they do not understand what assurance is or how it is achieved. The very fact that entire industries throw around words like "certification" and "compliant" demonstrates this. Accountants understand that when you use words like these, the entity providing the attestation is opened up to huge liability. Accountants are very careful to design and perform their tests to mitigate this risk, and they use terms like "reasonable assurance", "in all material respects", and "in our opinion" to ensure that organizations relying on their opinion know exactly what they can rely on.

ISO is international: Professionals in other countries resist "American" standards because it makes them feel less sovereign. They hate the arrogance of it. Right now there are no International Standards on Attestation Engagements (ISAEs) for security, because ISO 27001 dominates that space, and international accountants are not so brazen as to think they can get into the security space the way the AICPA has. So for now SOC2 is all there is for period-of-time attestations, and it is embraced by Canada because Canada invented the TSPC. That is a start, and if we add ISO 27001 under a SOC2 umbrella, we're golden with the international community. They would get period-of-time coverage and strong security controls.

The SOC2 attestation standard is flexible enough to incorporate "additional subject matter", and all of the previously mentioned standards can be covered in the auditor's opinion as long as accountants use competent "technical specialists" to test the controls. This has led some to argue that SOC2 is the "Silver Bullet" that satisfies all compliance and reporting requirements. However, even if accountants use competent security professionals, there is still a problem: they cannot issue the reports that customers want, such as ISO 27001 certifications, PCI Reports on Compliance (ROCs), or CSA STAR attestations, because those reports are controlled by governing bodies with which CPA firms are not registered. Most of the large CPA firms will never associate with those organizations because they lack influence in them, and consequently cannot control the risk that association exposes them to.

There is a way for service organizations to avoid the dilemma of undergoing multiple audits to satisfy their customers' demands for multiple reports. A CPA firm partners with an ISO certifying organization, a security firm proficient in CSA STAR, or a QSA (in the case of a PCI report) to jointly conduct the testing. Because there is significant overlap in the standards, service organizations can take advantage of the resulting testing efficiencies. At the completion of the engagement, the organization receives multiple reports from a single attestation engagement. This approach takes the best of all worlds: a great audit process, the best security standards, and meaningful assurance for their clients.

20 comments:

  1. Great post and happy to continue the conversation in open forum. See you and others at the next CSA Atlanta Chapter meeting: http://linkd.in/zXnxNg

    Regards,

    Phil Agcaoili

  2. Great post. This is some very interesting reading. Thanks!

    But it is not up to a CPA firm to partner up with any ISO certifying organization, security firm proficient in CSA STAR, or QSA (in the case of a PCI report) to jointly conduct the testing.

    None of the big four would ever expose themselves to something like PCI compliance report, the risk vs. reward calc is not in their favor.

    And if you find an individual CA or a small firm willing to do so, they cannot: public accounting practitioners are bound by GAAS.

    In order to do so, we need regulatory guidance changes, which can only be driven through the Standard Board, the Institution, or large firms' influence.

    So we are stuck and we will be that way for a long time.

    1. This looks like it could be the core challenge to achieve efficiency.

      What regulations would need to change and how in order to allow the risk/reward equation to change such that a CPA firm would want to issue a PCI compliance report?

      Hiring security experts into a CPA firm seems more efficient than teaming agreements.

  3. John, thank you very much for your comment. The AICPA has made this possible through AT-101, and specifically says that it is in the SOC 2 guide, and mentions it again in the recent TPA-9203. Please check out my links in my other posts. I think you may be referring to the fact that CPA firms cannot issue the other reports. That is my point about the need to partner up. The other reports are issued by the other firms but the testing is only conducted one time. Of course, all of the testing must be conducted under the supervision and review of the CPA firm for them to comply with AT-101.

  4. Although no Big 4 firm is a QSA firm for the US region, there are many US CPA firms that are QSA companies. There is also one US CPA firm (BrightLine) that is a QSA firm and an ISO 27001 registrar. The Big 4 perform ISO 27001 certifications outside the United States, but none of them are accredited by ANAB, the US accreditation body. My point being that there are plenty of CPA firms that can perform SOC 1-3, PCI DSS validation, and in one instance, ISO 27001 certification, through a single entity. Therefore, there is no need to resort to any arrangement where an inexperienced CPA firm has to rely on a third party to supplement its lack of expertise.

  5. Hedge Hog, thank you for your comment. Boutique CPA firms like Brightline (formerly SAS70 Solutions), A-lign (also formerly SAS70 Solutions), Kirkpatrick Price (formerly SAS70 Corp.), and others are a fit for a particular market segment. Regional CPA firms that partner with QSAs and ISO 27001 registrars enjoy both the home field advantage, and the advantage of strong reputations spanning decades. Service organizations also recognize the concept of "Jack of all trades, master of none."

  6. Great article, thanks ...

    Question: Could you tell us whether a SOC2 report would meet the requirements for SOx compliance which, today, are satisfied by SSAE16/SOC1 reports, or would it depend on the scope of the services/controls for the SOC2 engagement?

    As an outsourcing services company, we’re trying to understand when we should/could recommend a SOC2 engagement to our clients vs. SSAE16/SOC1.

    Thanks again,
    Richard

  7. Richard,

    Thank you very much for your comment.

    SOx is concerned with Internal Controls over Financial Reporting (ICFR), so technically only SOC1 is relevant. However, over the years, SOx audits have included non-ICFR controls in their scope for whatever reason. If you still require assurance from your vendors regarding the non-ICFR controls, you will need to ask for a SOC1 and a SOC2.

    Please see my post on "Examples of Non-ICFR Controls in an Actual SSAE16" for how to distinguish between an ICFR and a non-ICFR control.

  8. Good stuff, Jon. As a service provider, I can tell you that buyers and providers alike are still very confused by the current slate of standards, audits, attestations, reports and certifications. It's definitely time to start bringing clarity to this entire arena.

  9. Thank you very much Fred. I look forward to interviewing you for my blog, and to the world getting to hear your point of view.

  10. Nice blog. I read your blog and it seems very informative to me. Thanks for posting.

    ISO Certification

  11. Thank you isocon. We should connect, and explore partnership scenarios.

    Jon

  12. ISO truly helps certain business bodies to become distinct among the others and build up trust from current and prospective clients. However, there are some organizations that neglect their duties and responsibilities after being ISO-certified. It’s important to note that it is a badge of credibility. The performance must be progressive, or otherwise uphold the current meta.

    Barton Wilson
