SOC 2 and Other Security Compliance Merit Badges

Whether or not you are a tinfoil-hat-wearing paranoid, you need a strong cybersecurity posture to support sales! These days most of your customers will ask you to demonstrate your security profile in one form or another. The fact is that most, if not all, of your customers now want to know and see that you are taking security very seriously. These requests often come in the form of time-robbing security due diligence questionnaires that your sales team needs to have filled out before they can lock in the deal. While a SOC 2 report may be one of the most common requests that you get from your customers these days, it is not the only one. ISO27001, CIS Controls, PCI DSS and others are often requested and/or inquired about regularly. I will try to break these down in a real-world, pragmatic view in terms of level of rigor, and what it will take to achieve these badges of cybersecurity prowess.

SOC 2 reports come in two flavors: a Type-1 report, which assesses controls at a point in time, and the more highly coveted Type-2, which assesses them over a period. Generally, you will start by getting your SOC 2 Type-1 report before getting your Type-2. The reason for this is simply that you must first build out your security governance, and architect and implement your information security controls, before you can audit your program's effectiveness over time. To get your SOC 2 report you should work with a security advisory firm like Truvantis, who will build out your security program and get you prepared for the audit. Then you need to engage an AICPA-certified audit firm, who will conduct the audit and write the report. Note that the SOC 2 rules prohibit you from getting the advisory service from your auditor. All-in, from zero to SOC 2 (Type-1) report will cost a small organization from $50k to $90k including the audit (or more depending on your size and scope), and it will take about 8 to 12 weeks to complete.

ISO27001 is an internationally recognized security standard, with a relatively high benchmark and rigor to achieve as compared to SOC 2. This is particularly true of its administrative process and governance charter. In fact, it is usually a good idea and common practice to start off with SOC 2 and progress to ISO as the next step in your security program maturity. While SOC 2 is simply a report and an opinion on your security controls as practiced, ISO is a true certification. ISO27001 is a highly respected benchmark of security posture and maturity. Remember, no one ever got fired for using ISO as their information security governance program. Like SOC 2, ISO will require you to engage an independent auditor, and again, seek out security program development guidance from a trusted advisor. Truvantis can help you fast-track and pass your ISO certification audit. From zero to ISO27001 certification will usually take six to nine months to complete, with the actual certification audit coming at the end of the period. A full ISO27001 certification exercise will cost a small organization from $75k to $150k (or more depending on your size and scope). Starting with SOC 2 can help speed things up because much of the information security governance and program development can be recycled and/or uplifted to ISO standards.

PCI DSS is about the "strongest security" of all the common security compliance merit badges. However, sadly, it is very rare for a company to implement PCI unless they handle payment card data, in which case it is compulsory. There are different levels of required reporting depending on how many payment card transactions you process annually. The rules are complicated, but typically, for most small companies, you can self-assess with a form called an SAQ-D (or similar). However, if you process more than six million card transactions per year you may be required to hire a Qualified Security Assessor Company (QSAC) like Truvantis to facilitate your assessment and provide you with a Report on Compliance (ROC). Even if you self-assess, it is highly recommended to partner with a PCI security advisory company to help you along the way. PCI DSS is a great framework to base your security program on, and it is easy to follow because it is highly prescriptive in its control definitions.

The Center for Internet Security (CIS) Controls is another excellent framework to build your program on, or to bolster your existing security controls to the next higher level. CIS Controls are consensus-based guides curated by security practitioners focused on performance, not profit. Basically, they got a bunch of tinfoil-hat paranoids and cybersecurity luminaries from around the world into a room together. They all took part in answering the basic question of "what keeps us all up at night" with respect to cybersecurity. They voted and ranked the answers by risk weight, and the CIS Top-20 Controls were born. The CIS Controls and the associated Risk Assessment Method (CIS RAM) are highly respected in the security community, and adherence to the framework will demonstrate strong security practice within your business. Truvantis can help you with a gap assessment against the CIS Controls and help you build a business-as-usual program around the CIS framework.
