SOC2

SOC 2 is built on the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, which auditors use to evaluate the controls within an organisation's cyber risk management program.

Overview

SOC 2 (Service Organization Control 2) is a framework for managing data protection that focuses on non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. Developed by the American Institute of CPAs (AICPA), SOC 2 is specifically designed for service providers storing customer data in the cloud, making it a crucial component of information security and management for technology and cloud computing companies.

Purpose

The Office of the Australian Information Commissioner (OAIC) will refer to this guide when undertaking its Privacy Act functions, including when investigating whether an entity has complied with its personal information security obligations (s 40) or when undertaking an assessment (s 33C). Information on when and how we might exercise our regulatory powers is available in the OAIC’s Privacy regulatory action policy.

Principles

SOC 2 reports are unique to each organization, reflecting the specific business practices and the services they provide. However, the framework is built around five trust service principles:

1) Security: The system is protected against unauthorized access (both physical and logical).
2) Availability: The system is available for operation and use as committed or agreed.
3) Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
4) Confidentiality: Information designated as confidential is protected as committed or agreed.
5) Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.

Organizations can choose which of these principles are relevant to their business and will be included in the SOC 2 report. The auditing process for a SOC 2 certification requires companies to establish and follow strict information security policies and procedures, encompassing the security, processing integrity, and confidentiality of customer data. The result of the audit is a detailed report that includes the auditor’s opinion on the effectiveness of the controls in place related to the trust service principles.

Details

ISO 27001 sets out the specification for an information security management system (ISMS) and consists of two parts:

1. The first part contains the mandatory requirements, which focus on ensuring that an ISMS has been developed. An ISMS includes a range of policies and supporting standards, objectives, resource support and governance programs such as reviewing security controls, managing non-compliance and ensuring continual improvement. This part has a strong focus on ensuring that the board and top-level management provide appropriate support to the ISMS.
2. The second part, called Annex A (or 27002), is a list of controls that auditors use to measure an organisation when it applies for certification. During the audit process, an organisation stipulates which controls are in scope of its ISMS in a document called the Statement of Applicability (SoA); typically most are.

Get certified

Businesses can self-assess using the Assessment process in Assuredly for Tiers 1-3 and get certified. Once the assessment is complete, businesses can request certification without needing to engage an independent auditor. The certification is built around five areas of focus, each with its own set of requirements. The areas of focus are:

1. Technology Management
2. Access Management
3. Backup & Recovery
4. Policies, Plans, & Procedures
5. Education & Training

Maturity Levels

Maturity Level 1 - ASD states that, generally, Maturity Level One may be suitable for small to medium enterprises. The focus of this maturity level is to put in place the key controls to combat adversaries who are looking for any victim rather than a specific victim.

Maturity Level 2 - ASD states that, generally, Maturity Level Two may be suitable for large enterprises. The focus of this maturity level is to enhance controls for companies whose data or market presence is valuable enough to make it worthwhile for threat actors to invest in developing tools and deploying more advanced techniques.

Maturity Level 3 - ASD states that, generally, Maturity Level Three may be suitable for critical infrastructure providers and other organisations that operate in high threat environments. The focus of this maturity level is to enhance controls for companies whose data or market presence is valuable enough that threat actors are a significant concern and are likely to be deploying adaptive techniques.

Background

The health check is a pragmatic approach to assessing the most basic controls in an organisation before they embark on standards which require significant time and investment.

Practice Areas

NIST CSF was primarily created to help US federal agencies and organisations better manage their risk. NIST CSF is a set of just over 100 requirements that cover a broad range of practice areas. Compliance with NIST CSF can ease the way to compliance with other security frameworks including the Payment Card Industry Data Security Standard (PCI DSS) and IT general controls for Sarbanes-Oxley Act (SOX). NIST CSF is a sub-set of NIST 800-53 which are security rules that cover 18 areas, including access control, incident response, business continuity and disaster recovery.

Included

Part A discusses five general circumstances that affect what steps an entity should take to protect personal information. Under nine broad topics, Part B outlines examples of key steps and strategies you should consider taking to protect personal information, including a number of questions you should ask yourself when considering or implementing these steps or strategies.

Types of Reports

There are two types of SOC 2 reports: Type I reports on a service organization's systems and the suitability of the design of controls at a specific point in time. Type II reports on the effectiveness of these controls over a period, typically a minimum of six months. SOC 2 compliance is not a one-time event but an ongoing process that requires regular audits to maintain. It's seen as a benchmark in the industry, providing assurance to clients and partners that a service organisation has implemented robust controls to protect their data in accordance with industry best practices.

Updates

In 2022, 12 changes were made to the mandatory ISO 27001 requirements, including the addition of one new requirement. In Annex A (27002) there are 7 new controls and 7 have been scrapped; a number of controls have been merged and some definitions have changed. The ISO 27001 standard also sets out mandatory requirements for setting information security objectives, ensuring the necessary support for the ISMS (such as providing resources and training), protecting related documents, and requiring that an overall evaluation of the ISMS is implemented. Evaluation includes monitoring, analysis, auditing, management review and continual improvement. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organisation.

Principles

The principles of SMB1001 are that it is:

- Updated annually by a steering committee comprising experts from the public and private sectors.
- Tiered: 5 levels of requirements, kept up to date with the latest cyber threats, so that each organisational profile has a suitable level.
- Affordable (Level 1 certification starts from only AUD 95).
- Able to align SMBs to multiple standards as they progress up the levels (e.g. ASD Essential 8, UK Cyber Essentials, CMMC Level 1): 1 certification to cover all standards.
- Written in easy-to-understand language.
- Designed to encourage directors to take ownership of cyber (aligning to government expectations).
- Certifiable, requiring an annual recertification (i.e. an annual vaccination against the latest threats).

Practice Areas

When looking at standards from across all sectors and industries common practice areas are found. The health check covers the most commonly required controls in each of the 16 practice areas.

History

The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on ASD’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight. When implementing the Essential Eight, organisations should identify and plan for a target maturity level suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved. As the mitigation strategies that constitute the Essential Eight have been designed to complement each other, and to provide coverage of various cyber threats, organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving on to higher maturity levels.

NIST 800-53

Implementing the security controls needed to comply with NIST 800-53 brings entities and their technology products or services in line with the U.S. Federal Information Security Modernization Act (FISMA) and with the U.S. Federal Information Processing Standard Publication 200 (FIPS 200). NIST is the abbreviated name for the National Institute of Standards and Technology. It’s one of many federal agencies under the U.S. Department of Commerce, and is one of the oldest physical science laboratories in the United States.

Requirements

Under nine broad topics, Part B outlines 252 questions organisations can consider.

5 broad categories, 12 sections, 61 subsections, 296 criteria

123 controls, comprising 30 mandatory requirements in Part A and 93 optional/suggested controls.

46 controls stepped across 5 Tiers. Tier 1 is 6 controls, while Tier 5 is all 46 controls. The 46 controls are set out in 5 Categories (Technology Management; Access Management; Backup and Recovery; Policies, Processes and Plans; and Education and Training).

25-30 key controls across 16 practice areas

8 strategies, 91 controls

Circa 120 requirements.

Governed by

Office of the Australian Information Commissioner

American Institute of Certified Public Accountants, Inc. (AICPA)

International Organization for Standardization (ISO)

Cyber Security Certification Australia and CyberCert

The Australian Cyber Security Centre (ACSC)

InfoSecAssure

National Institute of Standards and Technology (NIST)

Region focus

Australia

Global

Global

Australia

Australia

Global

US

How Assuredly can help

By conducting an Assuredly Privacy Reasonable Steps Assessment companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to a broad range of tools and templates to uplift controls. Assuredly could be your ultimate partner in safeguarding your business against cyber threats! Our platform offers a seamless and guided assessment process tailored to your specific needs. By utilising our expert guidance, you gain access to valuable information that demystifies the Privacy Reasonable Steps Guide. Easily understand control requirements, learn how to effectively test them, and be equipped with the exact evidence auditors look for. The results are displayed instantly on our intuitive dashboard, empowering you with real-time insights. Additionally, you can effortlessly generate comprehensive reports that align findings with risks and controls, ensuring you stay ahead in the ever-evolving world of cybersecurity. Join Assuredly now and embark on your journey to fortified digital security!

By conducting an Assuredly SOC2 Assessment companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to a broad range of tools and templates to uplift controls required to achieve their certification. Discover the exceptional world of Assuredly - your ultimate platform for achieving unparalleled business excellence! We offer an exclusive guided process designed to seamlessly assess your business against the coveted SOC2 requirements. Experience a personalised journey with expert assistance at every step, empowering you to access invaluable information on control requirements, testing procedures, and even the precise evidence auditors seek. With just a click, witness the magic unfold as outcomes are instantly showcased on a dynamic dashboard. But that's not all: brace yourself for the added advantage of creating meticulously detailed reports, effortlessly aligning findings to risks and controls. Elevate your security standards and join the Assuredly revolution today! Sign up now for a secure future!

By conducting an Assuredly ISO 27001 Assessment companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to a broad range of tools and templates to uplift controls required to achieve their certification. Discover the power of Assuredly, your ultimate ally in safeguarding your business! Unveil a seamless journey towards ISO 27001 compliance as our platform offers expert guidance throughout the assessment process. Unravel vital insights into control requirements, conduct efficient control testing, and grasp the exact evidence an auditor seeks. Behold the magic of instant dashboard feedback, unveiling your outstanding achievements. Additionally, create meticulously detailed reports that seamlessly align findings with risks and controls. Join Assuredly today and unlock the realm of security and success for your business!

Assuredly offers a seamless, guided process that will effortlessly walk you through assessing your business against the SMB 1001 Requirements. Whether you are a small business looking to get your first security certificate and want to achieve Tier 1, or you are a professional advisor looking to support companies to achieve Tier 5, Assuredly allows you to:

- Instantly access Help Guides that assist you in implementing controls which you don’t yet have in place.
- Be told up front what auditors would require to verify the control is in place.
- Add evidence to your assessment which can be audited if required.
- Get instant and automated suggested action plans for weak controls.
- Have risk registers created automatically, with associated risk treatment plans.
- See a clear view of how well your business has achieved against the SMB 1001 standard in easy-to-understand graphs.
- Follow the certification process.

Get your SMB 1001 Certification Today!

By conducting an Assuredly Health Check companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to a broad range of tools and templates to uplift controls required to achieve a secure business and get their foundation security in place. Unlock the full potential of your business's security with Assuredly, your trusted partner in safeguarding success! Our platform offers a unique guided process to assess your business against fundamental security requirements, providing you with expert support every step of the way. Gain exclusive access to essential information, demystifying control requirements, testing procedures, and auditor expectations. Experience the thrill of instant dashboard feedback, revealing your triumphs in real-time. Moreover, craft detailed reports aligning findings with risks and controls, effortlessly shareable with stakeholders, freeing you from ever answering a security questionnaire again. Elevate your security game and sign up for Assuredly today, because a secure future awaits!

Discover the empowering world of Assuredly - your ultimate partner in ensuring your business's security! Our platform offers a seamless, guided process that will effortlessly walk you through assessing your business against the crucial Essential Eight requirements. Say goodbye to confusion, as our expert guidance provides you with invaluable insights into control requirements, testing procedures, and even auditor expectations for evidence. With lightning-fast outcomes displayed on our intuitive dashboard, you'll feel in control like never before. Take it a step further and create comprehensive, detailed reports that align findings back to risks and controls. Join Assuredly today and embark on a journey towards a secure and fortified future for your business!

By conducting an Assuredly NIST CSF Assessment companies can instantly access maturity scores against every requirement set out by this standard and get automated suggested action plans and access to a broad range of tools and templates to uplift controls required to achieve their certification. Assuredly could be your ultimate partner in safeguarding your business against cyber threats! Our platform offers a seamless and guided assessment process tailored to your specific needs. By utilising our expert guidance, you gain access to valuable information that demystifies the NIST Cybersecurity Framework requirements. Easily understand control requirements, learn how to effectively test them, and be equipped with the exact evidence auditors look for. The results are displayed instantly on our intuitive dashboard, empowering you with real-time insights. Additionally, you can effortlessly generate comprehensive reports that align findings with risks and controls, ensuring you stay ahead in the ever-evolving world of cybersecurity. Join Assuredly now and embark on your journey to fortified digital security!