Why get an audit or a certification?

Audit reports and certifications can be a useful investment in your overall security governance strategy to enable your company to:

• maintain adequate security controls for your company and clients;
• provide appropriate levels of assurance to clients that you are governing security in line with their expectations; or
• deliver to specific contractual certification/audit requirements in agreed contracts with clients

What audit reports or certifications will our clients request from us?

Your clients may request various types of audit reports or certifications depending on the geographic location and the industry your business operates in.  The list below outlines are the most commonly requested audit reports and certifications and their primary purpose.

SOC 1 Audit

AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, of Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.

Why

A SOC 1 Audit Report gives your customers the assurance that your organisation’s controls are designed and operating efficiently and that these controls don’t negatively impact their financial statements.

You may need to comply with SOC 1 as part of a compliance requirement. For example, if your company is publicly traded, you will have to undergo a SOC 1 audit as part of the Sarbanes-Oxley Act (SOX).

Best for…

• Payroll processing companies
• Healthcare benefit processing companies
• Trust departments of banks and insurance companies,
• Custodians for investment companies, and mortgage servicers, or
• Depository institutions that service loans for others.

Pros

• Reduce compliance costs and time spent on other audit activities
• Help you meet contractual obligations
• Enable you to proactively address existing risks across your organisation that would negatively impact on yours or your clients financial reporting.

Cons

• SOC 1 reports are restricted in use and can only be viewed by the management of the service organisation, user entities, and user auditors.  
• Audits are expensive.

Cost

SOC 1 audit costs vary, but audits typically range from $15,000 – $100,000 in cost.

SOC 2 Audit

AICPA Trust Services Criteria

Why

A SOC 2 report gives your customers the assurance that your organisation’s security and privacy controls are designed and operating efficiently and that these controls don’t negatively impact or put at risk services you provide to them.

Best for…

• A SOC 2 report is useful for companies that collect, process, transmit, store, maintain or dispose of their client’s data.

Pros

• Complying with the SOC 2 requirements enables your organisation to provide clients with assurance from an independent auditor that you are effectively operate controls relating to AICPA's Trust Services Criteria.
• SOC 2 Type II requires the implementation of long-term, ongoing internal practices that will ensure the security of customer information and, in turn, the success of your business.

Cons

• SOC 2 reports are restricted in use and can only be viewed by the management of the service organisation, user entities, and user auditors.
• Audits are expensive.

Cost

SOC 2 audit costs vary, but audits typically range from $25,000 – $200,000 in cost.

IRAP Assessment

Australian Government Information Security Manual and PSPF

Why

By meeting the requirements of the PSPF and ISM commercial entities can be IRAP Assessed which could open doors in providing services to Australian Government entities.  The ISM is also very comprehensive and has some great guides and technical advice on how to implement controls across a a broad range of practice areas.

Best for…

• Australian Government agencies and companies wishing to supply services to the Australian Government

Pros

• Enable your organisation to meet the requirements set by Government agencies under the ISM and related PSPF.
• Help prepare your organisation for an IRAP Assessment.

Cons

• The ISM is a lengthy set of controls coming in at almost 4 times the number of recommended controls when compared to ISO 27001 or the NIST high level framework

Cost

IRAP assessments cost between $50,000-$200,000

ISO 27001 Certification

ISO/IEC 27001 - Information technology -  Security techniques, Information security management systems Requirements - Second edition 2013-10-01

Why

The ISO 27001 standard outlines the key processes and approaches to help your organisation  manage information security controls using a risk-based approach. ISO 27002 Appendix A of ISP 27001 is a well defined list of controls that you are likely to be audited on when you apply for ISO 27001  certification.

Best for…

• ISO 27001 is best for any company that manages information assets that if not managed securely put them or their clients at risk. ISO 27002 is good list of controls that will help your organisation identify what security controls are typically expected under each practice area.

Pros

• ISO 27001:2013 is a well-respected international information security standard.
• It is a risk based approach so it does not prescribe controls that are not relevant to your organisation.

Cons

• Certifications can be expensive and are ongoing.

Cost

ISO 27001 Certifications can be between $10,000 to $60,000 and requires additional spend every other year or so to pay for surveillance which ensures ongoing certification of your organisation.

Other types of Assessments and Compliance Requirements

The list is long so here are a few of the key ones you should know about.

PCI Assessments and Compliance Reviews

Payment Card Industry's (PCI) Data Security Standard (DSS) - Requirements and Security Assessment Procedures

Why

The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, their credit can be negatively affected -- there is enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business), they are also subject to numerous financial liabilities.

Best for…

• The PCI Data Security Standards set the operational and technical requirements for organisations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
• If you accept or process payment cards, the PCI Data Security Standards apply to you. These standards cover technical and operational system components included in or connected to cardholder data.

Pros

• Reduce fraud losses and loss of customer confidence.
• Avoid a scenario where the card providers will terminate your ability to accept payment cards.

Cons

• Cost of compliance.

Cost

The fees to become PCI compliant, and maintain that standing annually, can range from approximately $1,500 AUD annually to over $100,000 AUD annually, depending on the size of your business.

CPS 234 Assessments

APRA Prudential Standard CPS 234 Information Security

Why

The purpose of CPS 234 is to ensure that APRA-regulated entities have implemented sufficient information security protections.

Information security is no longer considered the sole responsibility of the information technology (IT) team, so CPS 234 requires finance sector organisations to consider the breadth of responsibilities across the organisation and their supply chain.

Best for…

• CPS 234 applies to all APRA regulated entities.
• These include: Banks, credit unions and other authorised deposit taking institutions (ADIs), Superannuation funds, Life insurance companies, Friendly societies, General insurers, Non-operating holding companies and Private health insurers.

Pros

• By aligning to CPS 234 as a regulated entity you can avoid fines and/or scrutiny by APRA.
• If you are not a regulated entity aligning to these standards will help your organisation provide assurance to regulated clients that you meet the needs of their business.

Cons

• If you are not a regulated entity this is another set of standards that will cost you company money and resources to adhere to.  Your security governance may already be well managed under other security audits or programs.

Cost

The cost of compliance depends on the current maturity of your company.  If you have a robust information security program in place then it may not take much to complete an audit against the regulation.  if you do not then it may cost between $20,000-$100,000 ion consulting and business process improvement to put in place rigorous methods of internal assessment and supply chain governance.

NIST Cybersecurity framework

NIST Cybersecurity framework with links to NIST 800-53 - Security and Privacy Controls for Information Systems and Organizations

Why

The NIST CSF comprises a risk-based compilation of guidelines that can help organisations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues.

Best for…

• NIST CSF is useful for all private enterprises wanting to improve their cybersecurity.
• Due to its high-level scope and clear language, the Framework is also more suitable for reading by executives of an organization who may not have a technical background. The Framework could be more useful to achieve the buy-in of C-level executives necessary for the success of a cyber-security initiative.

Pros

• Splits out controls into language which most people understand such as Protect, Defend etc.
• Good to get you started on your alignment to U.S Standards if you wish to provide service to U.S Government agencies in the future..

Cons

• The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, PCI DSS, and HIPAA. NIST CSF is managed by the US and subject to change with U.S law.

Cost

To conduct an assessment against the NIST CSF a risk assessor would typically cost between $10,000 - $50,000 depending on scope.

FISMA / FedRamp Certification

NIST 800-53 - Security and Privacy Controls for Information Systems and Organizations

Why

U.S Government agencies and their third-party contractors must comply with the Federal Information Security Management Act of 2002 (FISMA)–now the Federal Information Security Modernization Act–which NIST 800-53, Security and Privacy Controls for Federal Information Systems, helps them to do.

Best for…

• The U.S Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Risk Management Framework (DIARMF) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs.
• For entities that are not U.S federal agencies and are not affiliated with the U.S. federal government, compliance with any NIST framework or publication is voluntary

Pros

• If you are an Australian entity consider using the Australian Gov ISM instead.  
• This list of controls is one of many Special Publications required by the U.S Government for agencies to adhere to.
• Audits are expensive.

Cons

• The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, PCI DSS, and HIPAA. NIST CSF is managed by the US and subject to change with U.S law.

Cost

Cost of auditing NIST SP implementation can be between $50,00-$200,000 depending on scope.

What if my client is telling me I have to get a certification?

If the market needs move, such as a regulator requiring regulated entities to perform certain types of audits our advice is to agree internally how you will deal with these demands from clients who are regulated by these requirements and ensure you have an appropriate response. Lean back to your overall strategy and stick to your guns.

If only the lawyers and the sales team have been involved in the contract negotiations, get in the room with the team and their Security team and explain your overall strategy so that they can incorporate reasonable clauses to your agreement that ensure you deliver adequate security controls in line with your own security strategy.