ISO27K vs. SOC2 vs. NIS2/DORA
Ulrik Rasmussen
Growth | Sales | Execution | Strategy | SaaS | Retail | Manufacturing | M&A | Finance
Introduction
Both ISO27K and SOC2 are certifications, i.e. you get audited to obtain a certificate which shows that you are living up to certain standards. They are concerned with IT systems and with the running and delivery of IT services to customers. Both also cover the security aspects of these systems, but not solely security.
Mostly these certifications prove that you have policies in different areas, and that you do what your policies state.
Both frameworks test your whole operation, and not just your cybersecurity.
NIS2 and DORA are regulations that stipulate certain levels of cybersecurity in different areas. These you have to comply with by law, or you will face repercussions in the form of monetary penalties, personal fines for the management and barring from leadership positions, and even closing of the business.
NIS2 and DORA
The details of these frameworks have already been handled in detail in other articles.
These can be found here:
DORA - DORA or NIS2
Whitepaper on DORA - You can read our DORA whitepaper, which can be requested on [email protected]
However, the essence is that these are frameworks for cybersecurity, which relate to operations, organization and other aspects only insofar as these influence the cybersecurity risks.
The ISO27K framework
ISO27K includes 8 areas, which are to be audited.
In general ISO27K does not allow you to pick and choose among these 8 categories. There need to be policies regulating each area.
Context of the organization. This calls for an understanding of the organizational context and the needs and expectations of stakeholders, and for defining the scope of the Information Security Management System (ISMS).
The ISO guidelines state that “The organization shall establish, implement, maintain and continually improve” the ISMS. This implies that the system must be operational, not merely designed and documented.
Leadership. Top management must exercise leadership and commitment to the ISMS, i.e. they must be aware of and sanction the policy, and designate information security roles, responsibilities and authorities.
Planning. This entails actions to identify, analyze, and plan to treat information risks, to clarify objectives of security, and to manage ISMS changes.
Support. The whole organization must support the ISMS, so that adequate, competent resources are assigned, awareness is pervasive in the organization, and documentation is prepared and controlled.
Operation. Not only in the design of the system, but also in performing what the business does day to day, information risks must be assessed and treated with actions, changes should be managed, and first and foremost everything done should be documented.
Performance evaluation. This calls for a regular process to monitor, measure, analyze, and evaluate the information security controls, processes and management system as a whole. The system should be improved according to the findings made during operation.
Improvement. An organization should address the findings of audits and reviews, i.e. all nonconformities and corrective actions should be systematically addressed to refine the ISMS.
Information security controls. Annex A names the controls documented in ISO/IEC 27002:2022. The annex is ‘normative’, i.e. certified organizations should use it to check their ISMS for completeness. However, that does not imply that they are required to implement all the controls.
ISO27K gives you a stamp of approval, but the auditor's report is not directly meant for marketing purposes, or to be exchanged between parties, even though it can be in close partnerships.
In general, once you have the certificate from the accredited auditor, then you are in compliance, and that is thought of as enough evidence of a well-functioning system.
The SOC2 framework
SOC2 is a framework developed by the American Institute of Certified Public Accountants (AICPA).
There are 2 types of SOC2 reports.
Type 1: Evaluates the design effectiveness of controls at a single point in time.
Type 2: Evaluates the design and operational effectiveness of controls over a period of time (usually 12 months).
You may choose to be certified in one or more parts of the total SOC2 scope, which includes 5 areas called trust services categories:
Criteria for controls that are included in an audit can be common to all 5 areas, or they can be individual.
The common criteria constitute the complete set of criteria for the security category.
The 5 areas are elaborated in the guideline by AICPA.
A short summary of each area is given below:
a. Security. Controls should be in place to ensure that information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
b. Availability. Controls should be designed which ensure that information and systems are available for operation and use to meet the entity's objectives.
c. Processing integrity. Again, procedures and policies should be implemented so that system processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
d. Confidentiality. Controls should ensure that information designated as confidential is protected to meet the entity's objectives.
e. Privacy. Loosely mirroring the GDPR regulation, controls should be in place to ensure that personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.
An organization's system of internal controls is evaluated by using the trust services criteria to determine whether the service organization's controls provide reasonable assurance that its business objectives and sub-objectives are achieved.
Additional areas can be included in a SOC2 Report including a specific evaluation regarding cybersecurity.
As it requires considerable knowledge to understand a SOC2 report, the AICPA has introduced the SOC3 report, a summary format of the SOC2 report which is intended for marketing purposes and can be read without background knowledge.
Difference between SOC2 and ISO27K
In both frameworks, to achieve compliance you must conduct a risk assessment, identify and implement security controls, and regularly review their effectiveness.
However, SOC2 is more flexible, as you can get a one-time report, which does not require regular audits. In ISO27K a yearly audit is standard, but it can be carried out more often.
SOC2 also has fewer mandatory requirements.
However, if you implement policies for all areas in both frameworks, they will be very similar, with around 90% overlap.
Both frameworks are recognized globally, but SOC 2 is more closely associated with North America.
In North America both SOC 2 and ISO 27001 are common.
Outside of North America, ISO 27001 is the predominantly used framework.
Difference between NIS2/DORA and SOC2/ISO27K
As stated, one set of frameworks consists of regulations, whereas the other consists of certifications.
If you are SOC2 or ISO27K certified you might be compliant with NIS2 or DORA, but it is not certain that you are.
The controls you have specified could be too weak to comply with the regulations, yet as long as they cover the areas in general and you adhere to your own policies, you will be certified in both SOC2 and ISO27K. I.e. you can be certified but not compliant.
On the other hand, the reverse is also true: even if you are both NIS2 and DORA compliant, you are not certain to be able to become ISO27K or SOC2 certified. However, being NIS2 or DORA compliant will in general make it easier to be certified in either of the other two frameworks.
Compliance Assessments
If you want to become either ISO27K or SOC2 certified it will often be a good idea to do a compliance assessment before opting for the audit.
In a compliance assessment you will be questioned and evaluated in all the necessary areas, and you will receive a report stating the results. In addition, you will get an action report, which tells you which areas you need to improve and, in general terms, what needs to be done.
QCA’s compliance assessment tool can be used to do a pre-scan of your organization before an audit, and it will also give you an idea of what resources you need to expend in order to become SOC2 or ISO27K certified.
In addition, if you are using your ISO27K or SOC2 framework for cybersecurity, it will be best practice to evaluate your supply chain.
Third-party risk assessment is at the heart of QCA’s software, and will in one easy and controlled flow ensure risk evaluation of your supply chain, as required in both NIS2 and DORA.
Read more at: