Securisea Resources

The latest in security and compliance news and resources.

Getting Started with ISO 27001 Certification: Why Does My Company Need It?

July 25, 2024
General Compliance

The primary reason an organization decides it’s necessary to start the ISO 27001 process is simple: their customers are asking for it, and refuse to do business without it. 

Having an ISO 27001 certification demonstrates to your customers that your organization is committed to maintaining high standards of information security. Here are some key points it conveys:

  1. Trust and Confidence: It reassures customers that their data is handled securely and is protected against breaches, unauthorized access, and other security threats.
  2. Compliance: It indicates that your organization meets international standards for information security management, which can be crucial for regulatory compliance and contractual obligations.
  3. Risk Management: It shows that your organization has a systematic approach to managing sensitive company and customer information, including risk assessment and mitigation strategies.
  4. Operational Excellence: It highlights that your organization follows best practices in information security, which can improve efficiency and reduce the risk of data-related incidents.
  5. Competitive Advantage: It sets your organization apart from competitors who may not have such certifications, potentially attracting more security-conscious customers.
  6. Continual Improvement: It signifies that your organization is committed to continually improving its information security practices, as ISO 27001 requires regular internal audits, management reviews, and updates to the information security management system (ISMS).

Overall, having an ISO 27001 certification can enhance your organization's reputation, build customer trust, and open up new business opportunities. 

Preparing for An Internal ISO 27001 Audit

An internal ISO 27001 audit is a process that evaluates an organization’s information security management system (ISMS) against the requirements of the ISO 27001 standard. The standard requires internal audits at planned intervals, and they may be performed by trained internal staff or outsourced to an external firm such as Securisea, provided the auditors are objective and do not audit their own work. The internal audit confirms conformity, identifies areas for improvement, and prepares the organization for the external certification audit, which is performed separately by an accredited certification body. 

Steps Involved in an Internal ISO 27001 Audit:

  1. Planning: Define the scope, objectives, and criteria of the audit. Develop an audit plan and schedule.
  2. Documentation Review: Examine the ISMS documentation to ensure it meets ISO 27001 requirements.
  3. Conducting the Audit: Perform the audit through interviews, observations, and reviewing records and processes.
  4. Reporting: Document the findings, including non-conformities, observations, and opportunities for improvement.
  5. Corrective Actions: Implement corrective actions to address non-conformities and improve the ISMS.
  6. Follow-Up: Verify the effectiveness of corrective actions and ensure ongoing compliance.

How Securisea Can Help

Navigating the intricacies of an ISO 27001 internal audit can be challenging. This is where Securisea comes in. Our team of experienced professionals is dedicated to helping organizations achieve and maintain ISO 27001 certification with ease and confidence.

Here’s how Securisea can assist:

  1. Expert Guidance: Our consultants have extensive experience with ISO 27001 standards and can provide expert guidance throughout the internal audit process. From planning to execution, we ensure that every step is conducted thoroughly and efficiently.
  2. Comprehensive Audit Services: Securisea offers comprehensive internal audit services tailored to your organization’s specific needs. We assess your ISMS against ISO 27001 standards, identify areas of non-conformity, and provide actionable recommendations for improvement.
  3. Training and Education: We believe in empowering your team with the knowledge and skills necessary to maintain ISO 27001 compliance. Securisea provides training sessions and workshops to educate staff on information security management best practices.
  4. Continuous Support: Achieving ISO 27001 certification is just the beginning. Securisea offers ongoing support to help you maintain compliance and continuously improve your ISMS. Our team is always available to answer questions, provide guidance, and assist with any challenges that arise.
  5. Tailored Solutions: Every organization is unique, as are its information security needs. Securisea takes a personalized approach, tailoring our services to align with your specific requirements and business objectives.

Final Thoughts:

An ISO 27001 internal audit is a critical component of maintaining a robust and compliant information security management system. With Securisea's expert assistance, your organization can navigate the complexities of this process with confidence. Our comprehensive audit services, expert guidance, and continuous support ensure that your ISMS not only meets ISO 27001 standards but also evolves to address emerging security threats and challenges.

Ready to take the next step in securing your organization’s information assets? Contact Securisea today and let us help you achieve ISO 27001 certification and maintain the highest standards of information security.

Success Story: Systems East + Securisea

July 18, 2024
Success Story

Systems East Inc. reached out to Securisea based on a referral from their hosting provider. Although Systems East had an exceptionally mature PCI compliance program, their existing assessor company had become disorganized as it had grown, leading to their auditors repeatedly asking for the same evidence multiple times which in turn delays completion of the entire engagement. Systems East was working with one of the largest PCI compliance advisors in the country, had gone through the entire process for PCI, submitted evidence, and were left waiting in the cold for weeks. After multiple calls, inquiries, with no reply - Systems East learned that their QSA had been pulled from the project, assigned to a much larger client where they were needed, and there was no timeline for completing their certification.

Systems East selected Securisea as their PCI compliance partner in response to their existing hosting provider’s strong recommendation. According to Peter Rogati, “Securisea came in right away and understood our business, our past experiences, our needs, and helped us move forward.”

According to Rogati, other firms in the past had presented a menu of a la carte services for them to choose from, and everything had a cost. There was little guidance, it was “tell us what you want and we’ll sell it to you”. With Securisea, Systems East found a partner that took the time to listen to their wants, their motivations, and then advise them on the best path forward. Securisea was able to guide Systems East through the audit process, while also keeping them from doing things they really didn’t need to do. 

SOC2 + HIPAA Compliance: Combining Controls for Maximum Security

July 11, 2024
SOC Attestation

At Securisea we are often asked to combine the work of two or more of the many audits we are licensed to perform in order to reduce, if not eliminate, the repeat work of preparing for and completing audit evidence collection. While we are highly effective at multitasking across a range of assurance engagements, one of the most direct ways of achieving this is the SOC 2+ audit, which allows us to issue under our CPA license a single SOC 2 report that also covers an additional subject matter or framework. The most common case of this by far is the SOC 2 + HIPAA engagement.

SOC 2 (an AICPA attestation framework) and HIPAA (a US federal law) both set out detailed expectations for securing and protecting customer and patient data. Meeting both not only reduces the likelihood and impact of a data breach, but also demonstrates a strong commitment to information security and privacy, fostering trust.

Understanding SOC 2

SOC 2, which stands for System and Organization Controls 2 (formerly Service Organization Control 2), defines criteria for how service organizations manage customer data. Created by the American Institute of CPAs (AICPA), SOC 2 is crucial for organizations providing SaaS (Software as a Service) and cloud services.

The framework is built around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the Common Criteria) is included in every SOC 2 report; the other four are included only when they are in scope for the service being described.

  • Security ensures data protection against unauthorized access.
  • Availability ensures that systems are operational and accessible when needed.
  • Processing Integrity ensures data processing is complete, accurate, and authorized.
  • Confidentiality protects sensitive information.
  • Privacy governs the collection, use, retention, and disposal of personal information according to an organization’s privacy policy and applicable laws.

SOC 2 has two types of audit reports:

  • Type I assesses the design of internal controls at a specific point in time.
  • Type II evaluates both the design and operational effectiveness of controls over a period.

Understanding HIPAA

HIPAA, or the Health Insurance Portability and Accountability Act, is a US federal law that sets standards for protecting sensitive patient data. Enacted in 1996, its main goal is to protect the confidentiality and integrity of patient health information, also known as PHI (Protected Health Information).

HIPAA consists of several rules:

  • The Privacy Rule sets standards for using and disclosing PHI.
  • The Security Rule addresses electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to ensure its security.
  • The Breach Notification Rule mandates notification of affected individuals, HHS, and in some cases the media following a breach of unsecured PHI.

Compliance with HIPAA is mandatory for covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates.

Benefits of SOC 2 + HIPAA Compliance

Achieving compliance with both SOC 2 and HIPAA offers numerous benefits for healthcare organizations handling sensitive patient data.

  1. Enhanced Security Controls: Adhering to both regulations ensures robust security measures, reducing the risk of data breaches and associated financial and reputational damage.
  2. Customer Trust: Compliance demonstrates a commitment to protecting customer data, enhancing trust with current customers and attracting new ones.
  3. Complementary Frameworks: SOC 2’s Trust Services Criteria align with HIPAA’s Security Rule, making compliance efforts more efficient and effective.

Securisea Simplifies SOC 2 + HIPAA Compliance

The complementary nature of SOC 2 and HIPAA allows for a unified approach to compliance, benefiting organizations in the healthcare sector or those working with healthcare data.

Securisea’s integrated approach to security and compliance translates into real savings of both time and money for our clients, helping them reach their goal of achieving and maintaining SOC 2 and HIPAA compliance more quickly. 

As a trusted advisor, Securisea will work alongside you to understand your business, and help you meet your security and compliance objectives. 

FAQs

Does SOC 2 cover HIPAA compliance?

While SOC 2 does not specifically cover HIPAA, a SOC 2 report can include controls relevant to HIPAA, particularly in the security and privacy areas. SOC 2 compliance can complement HIPAA efforts by ensuring robust security practices, but it does not replace a HIPAA Security Rule risk analysis or a comprehensive HIPAA compliance assessment. Note also that HHS does not issue or recognize any official HIPAA certification; a SOC 2 + HIPAA report provides independent attestation over HIPAA-related controls, not a government certification.

How does SOC 2 map to HIPAA?

SOC 2’s security and privacy criteria align with HIPAA’s Security and Privacy Rules. For example:

  • SOC 2’s Security criteria align with HIPAA’s administrative, physical, and technical safeguards for ePHI.
  • SOC 2’s Privacy criteria can be mapped to HIPAA’s standards for PHI use, disclosure, and protection.

What is the difference between HITRUST and SOC 2?

HITRUST originated in the healthcare industry and its CSF incorporates HIPAA requirements among other frameworks, while SOC 2 applies to any service provider managing customer data. A HITRUST certification is issued by HITRUST based on an authorized assessor’s work and demonstrates compliance with a prescribed control set, whereas a SOC 2 report is an attestation issued by a licensed CPA firm over the controls the service organization itself has designed to meet the Trust Services Criteria.

By understanding and implementing both SOC 2 and HIPAA frameworks, organizations can significantly enhance their data security and privacy measures, ensuring comprehensive protection for sensitive information.

Success Story: SimpliGov + Securisea

July 4, 2024
Success Story

SimpliGov selected Securisea as their comprehensive audit partner in 2023. According to CEO David O’Connell, “We started our search looking for auditors on the FedRAMP Marketplace. Securisea stood out to us as an auditor that was just the right size - they had demonstrated experience, and had been recognized since 2020; but appeared to be an agile organization where we would get a level of responsiveness that we were looking for.” 

SimpliGov first tasked Securisea with their PCI and HIPAA audits in early 2023. According to O’Connell, “the process was great, there were absolutely no issues whatsoever”. The Securisea team delivered an exceptional customer experience and SimpliGov specifically noted the speedy turnaround, frictionless communications, and general openness and candor they experienced in working with Securisea. 

Securisea is now helping SimpliGov with a FedRAMP Readiness Assessment. As one of only 43 FedRAMP-accredited 3PAOs, Securisea has the ability to leverage existing controls from other audits for greater efficiencies through the FedRAMP process.

FedRAMP ATO For Small Businesses: A Wealth of Opportunity

June 28, 2024
FedRAMP / StateRAMP

While the FedRAMP process can proportionately require more company resources for a small business, there are also advantages. With a smaller team where team members wear multiple hats, in many cases the FedRAMP authorization process can happen faster than it does for a large corporation burdened with more layers of bureaucracy and silos.

Securisea works with businesses of all sizes, but we offer some strategic advantages when it comes to FedRAMP for small businesses and startups. We are an agile, nimble organization ready to meet you where you are, helping you create a path to FedRAMP ATO tailored specifically to your organization and your cloud-based offering. 

Securisea’s Offerings for Achieving FedRAMP ATO as a FedRAMP-Accredited 3PAO

  1. FedRAMP Advisory & Consulting. Our team provides guidance on business strategy and methodologies, system design, remediation efforts, and documentation of the environment and security control implementations. Additionally, Securisea is capable of developing a system security plan (SSP), crafting policies and procedures, and creating other essential system documentation. Note that FedRAMP independence requirements prevent a 3PAO that has provided advisory services for a system from also performing the assessment of that same system, so plan early which role you want your 3PAO to play.
  2. FedRAMP Readiness Assessment. Your 3PAO performs the necessary readiness capabilities assessment to evaluate your cloud's preparedness for the complete FedRAMP assessment. 
  3. Pre-Assessment. Securisea conducts a brief "gap" analysis or review of your existing cloud system documentation. The result is a high-level roadmap outlining the next steps along with the estimated levels of effort required for completion.
  4. Assessment. Your 3PAO prepares the necessary FedRAMP documentation, which includes:
    1. A Security Assessment Plan (SAP) built from the SSP and the system inventory.
    2. A Security Requirements Traceability Matrix (SRTM) to record assessment results.
    3. Vulnerability scans of operating systems, databases, web applications, and containers where applicable.
    4. A Penetration Test Report.
    5. A Security Assessment Report (SAR).
    6. A recommendation for authorization.
  5. Continuous Monitoring. Monthly, quarterly, and annual continuous monitoring deliverables (for example, monthly vulnerability scan results and POA&M updates, and an annual assessment) are required to maintain the ATO once it is granted.

For small businesses, achieving a FedRAMP authorization opens up a vast opportunity to enter and compete in the federal marketplace, unlocking new revenue streams and establishing long-term partnerships with federal agencies. The authorization not only signifies a commitment to stringent security standards but also provides a competitive edge, positioning small businesses for growth and success in the federal sector.

FedRAMP Rev. 5: What Securisea, as an Approved FedRAMP 3PAO, Wants You to Know

June 27, 2024
FedRAMP / StateRAMP

The Federal Risk and Authorization Management Program (FedRAMP) has updated its baselines to Revision 5 (Rev. 5), aligning with NIST SP 800-53 Rev. 5. This update introduces new controls, especially in Supply Chain Risk Management and privacy, heightening the alignment between FedRAMP and NIST standards.

Key Updates

Privacy Enhancements: There are updated privacy requirements across multiple control families, such as role-based privacy training (AT-3), privacy impact analysis for configuration changes (CM-3 and CM-4), and system backup requirements for privacy-related documentation (CP-9). Systems processing Personally Identifiable Information (PII) now need to provide the results of privacy risk assessments.

New Control Families: A notable addition is the Supply Chain Risk Management (SR) control family, which comprehensively addresses risks related to third-party services, products, and supply chains. There are also new controls such as annual training on social engineering and social mining (AT-2(3)) and a public vulnerability disclosure program (RA-5(11)).

Red Team Exercises: For Moderate and High systems, an annual Red Team exercise (CA-8(2)) is now required in addition to traditional penetration testing. This aims to provide a more in-depth cybersecurity assessment.

Password Requirements: Rev. 5 updates password requirements (IA-5(1)) by eliminating the rotation-based elements of the old baseline, such as minimum password age and reuse restrictions. Instead it mandates maintaining a list of commonly used, expected, or compromised passwords, checking passwords against that list when they are created or changed, allowing long passphrases, storing passwords only in salted, one-way derived form, and providing automated tools such as password strength meters to help users choose strong passwords.
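The following Python example is added here to illustrate the Rev. 5 password verifier model described above; it is not code from FedRAMP, NIST, or Securisea. It screens candidate passwords against a blocklist (a constructed, hypothetical list; a real deployment would load a breach-derived corpus and refresh it on a schedule), enforces length rather than composition or rotation rules, and stores passwords with a salted key-derivation function. The minimum length of 12 is an assumed organizational parameter, not a FedRAMP-specified value.

```python
"""Password checks in the spirit of NIST SP 800-53 Rev. 5 IA-5(1).

Added example, not FedRAMP/NIST/Securisea code. The blocklist below is
constructed for illustration; MIN_LENGTH is an assumed parameter.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample blocklist (hypothetical). Context-specific words such as
# a company name or season/year combinations belong on the list too.
COMPROMISED_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "Welcome1",
    "P@ssw0rd", "Summer2024!", "acme2024",
]

# Index the list by SHA-1 of the lowercased value so the list itself can be
# distributed without plaintext; SHA-1 is a lookup key here, not protection.
BLOCKLIST = {hashlib.sha1(p.lower().encode()).hexdigest() for p in COMPROMISED_PASSWORDS}

MIN_LENGTH = 12   # assumed organizational parameter
MAX_LENGTH = 128  # long passphrases must be permitted (IA-5(1)(f))
PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def _sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode()).hexdigest()


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password is rejected; empty means accepted."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    normalized = candidate.lower()
    # Exact blocklist hit (case-insensitive).
    if _sha1_hex(normalized) in BLOCKLIST:
        problems.append("appears on the compromised/common password list")
    # Trivial variant: strip digits and punctuation so 'password2024!' is
    # still caught by the 'password' entry.
    core = "".join(ch for ch in normalized if ch.isalpha())
    if core and _sha1_hex(core) in BLOCKLIST:
        problems.append("is a trivial variant of a blocklisted password")
    # Username embedded in the password is an 'expected' value for this account.
    if username and len(username) >= 4 and username.lower() in normalized:
        problems.append("contains the username")
    # Reject single- or two-character repetition, which defeats the length rule.
    if len(set(candidate)) <= 2:
        problems.append("is a repeated character sequence")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted one-way derivation for storage (IA-5(1)(d)); returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a re-derived digest against the stored one."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    for pw in ["Welcome1", "password2024!", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, username='alice') or 'accepted'}")
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

The variant check is deliberately simple; a production verifier would also normalize leetspeak substitutions and check the blocklist on every password change, not only at enrollment, as IA-5(1)(b) requires.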

Encryption and Configuration Settings: New mandates require the encryption of all data at rest and data in transit using FIPS-validated or NSA-approved cryptography (SC-8, SC-13, SC-28). Configuration settings (CM-6) now require adherence to DoD Security Technical Implementation Guides (STIGs), or CIS Level 2 benchmarks where no STIG exists.

Continuous Monitoring: Enhanced continuous monitoring requirements include joint monthly meetings for cloud service offerings (CSOs) authorized via the Agency path that hold more than one agency ATO.

Transition Guidance: The transition plan for Cloud Service Providers (CSPs) depends on their current phase. For those in the planning phase, it involves implementing and testing the Rev. 5 baseline and using the updated templates. CSPs already in the initiation or continuous monitoring phases need to identify and address the differences between their current implementation and the Rev. 5 requirements.

Affected Parties

All Cloud Service Providers (CSPs) seeking FedRAMP compliance must transition to Rev. 5, impacting those in various authorization phases: planning, initiation, or continuous monitoring.

Transition Timelines

  • Planning Phase: For CSPs new to FedRAMP or in the readiness review process.
  • Initiation Phase: For CSPs already undergoing assessments or preparing for them.
  • Continuous Monitoring Phase: For CSPs with current FedRAMP authorization.

Each phase has specific deadlines to meet the Rev. 5 requirements.

Steps for Transition

  1. Develop a Schedule: Include major milestones and activities for transitioning.
  2. Update Documentation: Use new templates provided by FedRAMP.
  3. Determine Scope of Assessment: Identify specific controls needing assessment.
  4. Complete Security Assessment: Follow updated processes for testing controls.
  5. Submit Required Reports: Prepare and submit the Security Assessment Plan (SAP) and Security Assessment Report (SAR).

How Securisea Can Help

As an approved FedRAMP Third Party Assessment Organization (3PAO), Securisea is equipped to guide CSPs through the transition. We offer expertise in developing schedules, updating documentation, and performing security assessments to ensure compliance with the new Rev. 5 standards.

By leveraging our experience and thorough understanding of the FedRAMP requirements, Securisea helps streamline the transition process, ensuring CSPs meet their compliance goals efficiently.

For further guidance on transitioning to FedRAMP Rev. 5, please visit FedRAMP Rev. 5 Transition Guide.

Copyright © 2024 Securisea, Inc. All Rights Reserved.