The Skinny on IT Compliance Certifications from Hardest to Easiest
By Angela Polania
I find that many clients ask the question: how much work is it to become ISO 27001 compliant vs. SOC 2 compliant, or compliant with other certifications/regulations? Obviously, different companies have different requirements (clients, regulators, industry, etc.) and sometimes do not get to pick what they must do to become compliant. Here is our ranking of these certifications from hardest to easiest, along with who usually gets them and why:
- FedRAMP – Companies that provide cloud software to the federal government must seek FedRAMP compliance. Companies like AWS (for GovCloud) and Microsoft Azure Government obtain these certifications for segregated environments in order to work with the Federal Government. This is by far the hardest certification process due to the large scope of controls (NIST SP 800-53 rev. 4: 297 controls), the documentation requirements, review by a 3PAO (third-party auditor), review by the agency that is sponsoring you (if you are being sponsored), and the overall process of changing and improving the controls before obtaining either a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) or an Agency Authority to Operate (ATO). In addition, maintaining this certification requires a lot of work to manage the required Continuous Monitoring. The shortest time we have seen a company take to obtain one of these authorizations is almost two years.
- HITRUST – For many companies that provide cloud software and services to insurance companies or very large healthcare companies, HITRUST has become part of the requirements for doing business with these entities. HITRUST is a framework created by industry personnel (e.g. people from the Big 4 and healthcare insurance companies) that leverages ISO 27001 plus all HIPAA requirements plus some NIST. To get this audit, you must use the HITRUST tool (MyCSF) to enter and store the audit evidence, and the third-party assessor audits you inside the MyCSF tool. There are 3 levels of requirements depending on the scope and 5 maturity areas, assessed for each control in place. Although, supposedly, the minimum set is 75 controls, this really translates to hundreds of controls that must be fully documented and tested, with evidence of continual process improvement. Like FedRAMP, this is an expensive audit and requires a lot of work before you can obtain it.
- SOC 2 Type II – All Principles. Like any other audit, these audits grow or shrink depending on the scope, but with the 2017 TSPC (Trust Service Principles Criteria), the control listing has grown significantly. Depending on how many controls you add for Processing Integrity, and whether you include the Privacy principle, you are looking at 250+ controls to be evaluated. Note that a Type II audit requires sample testing over the period being attested to, and you must show that the controls are operating effectively. Other audits, like ISO 27001 and PCI, do not require such rigorous sampling.
- PA-DSS or PCI DSS Compliance – If you have to get an actual audit (a Report on Compliance, or ROC) by a QSA (Qualified Security Assessor), you must ensure you are in compliance with all 190+ controls for these audits. Some of the controls for this audit are very prescriptive (e.g. review of firewall rules every 6 months).
- ISO 27001 Certification – The main reason this certification is somewhat complex is the set of mandatory requirements (regardless of scope) that prescribe specific ways in which information must be provided and documented. In addition to the mandatory requirements, there are an additional 110 controls in Annex A (the detailed controls) that must be evaluated and documented. However, the auditor's sampling is light, like a SOC Type I audit.
- SOC 1/SSAE 18 Type II – Although a Type II audit requires testing (random sampling) of control effectiveness, SSAE 18 audits give companies leeway on which controls to select. Usually, there are about 50-60 controls in scope. This alone makes the audit simpler and more manageable. Nowadays, unless you are certifying financial-type controls (e.g. payroll, loan servicing, etc.), most recipients of this report request a SOC 2 Type II audit (with a minimum of the Security, Availability and Confidentiality principles) as the audit of preference, because many recipients know that an SSAE 18 audit can be very light.
- HIPAA Compliance – As you may know, there is no HIPAA certification per se, but some companies obtain HIPAA compliance audits by using the AICPA AT 101 attestation standards and selecting the controls relevant to HIPAA. The reason HIPAA ranks lower than the others here is that the Security Rule is missing key controls on change management, patch management and the systems development life cycle. Therefore, unless these controls are selected through the risk assessment process (which is required), they do not need to be evaluated. For some organizations (e.g. physician practices and/or companies that do not make software), omitting these controls may not be critical, but for organizations that develop their own software to host or process PHI, being HIPAA compliant does not mean their key development processes have been evaluated.
There are other audits and assessments that we see being performed, but we selected the ones we see most often. GDPR is now becoming more common, and others will arise as time passes.