Security Compliance

There are a number of security compliance standards and it can be daunting to know which one to aim for, especially when different clients ask for different standards. We are experienced with ISO27001, SOC2 and HIPAA and can assist you from the very beginning of the process, helping you select the standard that suits your business and your clients’ needs; we can even discuss the compliance journey with your clients on your behalf.

Deciding to implement a security standard is a big decision; there are considerable financial costs as well as the additional workload on staff to implement all the controls. Getting it right first time is vital to keeping cost and stress levels down, which is why we recommend having an expert by your side to avoid costly, time-consuming mistakes and to navigate the myriad requirements.

Why is security compliance important?

Security compliance shouldn’t just be a box-ticking exercise to keep your clients happy; it’s good business practice. Implementing the required security controls puts you in a much stronger position to protect your company’s data and reputation.

Below is a list of some benefits of implementing a security compliance standard:

  • Provides a recognised, independent attestation of the effectiveness of your organisation’s controls relating to security, availability, confidentiality, processing integrity and privacy.
  • Establishes trust with customers through an independent audit.
  • Identifies and corrects inefficiencies in your processes.
  • Expands your business capabilities to enterprise customers, who often require a certification or attestation before signing.
  • Provides transparency into how your organisation controls and manages risk.
  • Reduces overall organisational and cyber risk.
  • Improves cyber resilience.
  • Can lower the cost of cyber insurance premiums.
  • Reduces the impact of incidents and shortens response times.

How we work

  • We become an integrated member of your team, helping you along every step of the compliance journey.
  • We first assess the maturity of your security environment and consider your resources to give you a roadmap to reaching compliance.
  • We don’t sugar-coat it and will give you a realistic estimate of the time it will take to be audit-ready.
  • We act as the project manager and integrator, giving you the highest chance of success by your deadline.
  • We are in constant contact with you: expect calls every 2-3 days to discuss the plan, the remediation and any roadblocks.
  • Come audit time, we’ll lead the engagement from your side and discuss any issues with the auditor. And we’ll be there for you at the end to raise a glass in celebration.

Compliance is not a one-off exercise; it needs to be maintained. If you decide at the end of the engagement you’d like to keep us on to help ensure ongoing compliance, we’re happy to help.

Why Simplify Security for your compliance journey?

  • We have working relationships with auditors and can negotiate better terms.
  • We have a breadth of knowledge of security tools and can advise on the ones that align with your business and meet compliance requirements.
  • You have a better chance of success with us by your side; we know where the roadblocks often lie, so we make sure these are addressed early.
  • We are effective project managers. The journey to a compliance standard can involve implementing over 100 controls. Our PRINCE2-qualified security officer keeps in frequent contact with the team to make sure actions stay on track.
  • We have personality! Security compliance doesn’t have to be dull. You’ll be working closely with your security compliance partner, so you don’t want that time to be a drag.

But don’t take our word for it – have a look at what our customer Figured said about us assisting them to obtain SOC2.


Below is a brief overview of the security compliance standards we assist with:

SOC2

SOC2 (System and Organization Controls 2, originally Service Organization Control 2) is a flexible attestation framework. A SOC2 Type 1 report assesses whether controls are suitably designed at a point in time; a SOC2 Type 2 report also tests whether they operated effectively over a review period. A SOC 3 report is not a further stage but a general-use summary of a Type 2 report that can be published without restriction. The security criteria (the common criteria) are always in scope; you can then extend the scope to one or more of the other Trust Services Criteria: availability, confidentiality, processing integrity and privacy.

SOC2 is primarily aimed at businesses that store or process customer data in the cloud and is popular with businesses offering software as a service (SaaS). A SOC2 Type 2 report evaluates operating effectiveness over a review period, typically 6 to 12 months (shorter windows are sometimes accepted for a first report), so it gives customers evidence that controls actually worked in practice, whereas an ISO27001 certificate reflects an audit of the management system at a point in time, reinforced by surveillance audits.

SOC2 audits are undertaken by licensed CPA firms. At the end of a successful SOC2 audit you receive a formal attestation report on your business’s internal controls rather than a certificate. The report contains the auditor’s opinion on whether the appropriate controls are in place to address each of the selected Trust Services Criteria and, for a Type 2, the tests performed and any exceptions found; it is a restricted-use report that is normally shared with customers under NDA.

ISO27001

ISO27001 is a very well recognised security standard with controls similar to SOC2’s; the overlap in the prescribed controls is often put at around 80%, so much of the work for one carries over to the other.

ISO27001 focuses on the development and maintenance of an information security management system (ISMS). Annex A provides a reference set of controls (114 in the 2013 edition, 93 in the 2022 edition), but they are not all mandatory: you must conduct a risk assessment, select and implement the controls that treat your risks, justify any exclusions in a Statement of Applicability, and review the controls’ effectiveness regularly through internal audits and management reviews.

It is more prescriptive about the management system than SOC2 and is generally thought to be harder to achieve.

Certification is granted after a successful audit by an accredited certification body. The certificate is valid for three years, but because the audit only covers a point in time, annual surveillance audits are required in years one and two, followed by a full recertification audit in year three.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a US federal law for the protection of patient information in the healthcare industry. It applies to covered entities (health plans, healthcare clearinghouses and providers that transmit health information electronically) and to their business associates, which includes any business, wherever it is based, that creates, receives, maintains or transmits protected health information (PHI) on a covered entity’s behalf. Entities in scope that fail to comply face substantial civil penalties and, for knowing misuse of PHI, criminal charges.

The HIPAA Security Rule requires administrative, physical and technical safeguards for electronic PHI. There is a degree of flexibility in that some implementation specifications are ‘addressable’ rather than ‘required’. Addressable does not mean optional: you must assess whether the specification is reasonable and appropriate for your environment and, if it is not, document why and implement an equivalent alternative where one is reasonable. A documented risk assessment must back any decision to take this route.

HIPAA compliance also requires privacy controls under the HIPAA Privacy Rule. This rule requires appropriate safeguards to protect the privacy of protected health information (PHI) and sets limits and conditions on its use and disclosure without patient authorisation.

The US Department of Health and Human Services’ Office for Civil Rights (OCR) conducts periodic audits to check that covered entities and their business associates comply with HIPAA’s rules; OCR also investigates complaints and reported breaches, which in practice trigger most enforcement. Audits may be on-site or desk-based. If selected for an audit, you will be contacted by the OCR and asked to submit pre-audit documentation within 10 business days.
