ISO 27001, SOC2, & GDPR – WHICH DOES MY BUSINESS NEED
Many of our clients come to us for help in navigating the Information Security standards and certification landscape. Implementing and certifying a robust Information Security Management System (ISMS) is not a trivial exercise, so understanding which standard and certification will give you the biggest bang for your Info Sec investment is key.
Here are the major Info Sec standards and where they apply. You may find that more than one standard applies to your business.

ISO 27001

ISO 27001 is generally considered the gold standard for managing Information Security.
SCOPE OF ISO 27001:
A management-system standard (not purely an IT standard) that specifies HOW an organization should establish, operate, monitor and continually improve its ISMS, so that it can demonstrate effective, risk-based protection of its information.
ISO 27001 RECOGNITION:
Global, universally recognized standard.
GOVERNING BODY: The standard itself is published jointly by ISO and IEC. Certificates are issued by certification bodies that are accredited by national accreditation bodies, most of which are members of the International Accreditation Forum (IAF), a worldwide association of accreditation bodies with 94 members, such as:
- Standards Council of Canada (SCC)
- The ANSI National Accreditation Board (ANAB) of the US
- Germany’s Deutsche Akkreditierungsstelle (DAkkS)
- The United Kingdom Accreditation Service (UKAS)
APPLICABILITY: Any technology-intensive business in any industry, irrespective of size, that holds valuable, confidential, sensitive or personal data needing protection. A few examples:
- IT Service, Business Process Outsourcing or Cloud Service organizations: any company that handles another company’s client data, or its sensitive, confidential or proprietary data.
- Health care companies processing, managing or storing patient data.
- Financial services companies processing clients’ transactions and storing their personal details.
- R&D companies in most industries (automotive, pharmaceutical, aerospace, defence, etc.) where proprietary information and activities must be kept secure from hostile actors.
- Any business that stores sensitive information of, or shares it with, its suppliers. Surprisingly, just under half of all breaches of a company’s information happen WITHIN its supply chain; for example, your order details could be exposed by an attack on a supplier’s systems.
CONTROLS: Annex A of the 2013 edition lists 114 controls across 14 domains, such as:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
PRINCIPLES:
- Confidentiality
- Integrity
- Availability
NOTES: A new edition, ISO/IEC 27001:2022, was released in October 2022. It reorganizes Annex A into 93 controls under four themes (organizational, people, physical and technological). Current certificate holders must transition to the 2022 edition by 31 October 2025.
SOC 2

SOC 2 (System and Organization Controls 2) is an attestation framework developed by the AICPA (American Institute of Certified Public Accountants) and administered by the CPA profession. A SOC 2 Type I report assesses whether controls are suitably designed at a point in time; a Type II report assesses whether they operated effectively over a review period (typically six to twelve months), which is what most clients ask for.
SCOPE: Assesses how well an organization’s security controls meet the AICPA Trust Services Criteria. Unlike ISO 27001, it does not prescribe how an ISMS should be managed.
RECOGNITION: Widely recognized, primarily in North America. It is increasingly requested from non-US companies with clients in North America, as these clients look for SOC 2 reports from their international suppliers.
GOVERNING BODY: American Institute of Certified Public Accountants (AICPA)
APPLICABILITY: Any service organization in any industry, of any size, that holds valuable, confidential, sensitive or personal data needing protection.
- Particularly relevant if you do business with US clients or participate in a supply chain with US components.
- Example industries and implications are the same as for ISO 27001 above.
CONTROLS: SOC 2 does not fix a control list. The organization defines its own controls and maps them to the Trust Services Criteria, which span five categories (below) and come with over 300 illustrative points of focus, with some overlap between categories.
PRINCIPLES (Trust Services Criteria categories):
- Security (mandatory for every SOC 2 report)
- Availability
- Confidentiality
- Processing Integrity
- Privacy
GDPR

GDPR (General Data Protection Regulation) is the EU law that governs how organizations may collect, use and protect the personal data of individuals in the EU.
SCOPE: European Union regulation that protects the data-privacy rights of individuals in the EU.
RECOGNITION: EU and (indirectly) global. As with SOC 2, compliance is often required of non-EU companies doing business in EU markets, because EU organizations are legally required to use only vendors (processors) that can guarantee GDPR-compliant handling of the personal data entrusted to them.
GOVERNING BODY: European Union; enforced by each member state’s data protection authority, coordinated through the European Data Protection Board (EDPB).
APPLICABILITY: Binding on any organization that processes personal data of individuals in the EU, regardless of where the organization itself is located. Unlike ISO 27001 and SOC 2, it is a legal obligation, not a voluntary certification.
CONTROLS: GDPR does not prescribe a control list. Article 32 requires “appropriate technical and organisational measures” proportionate to the risk, and explicitly names pseudonymization and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience, timely restoration after an incident, and regular testing of those measures. Measures commonly used to meet this requirement include:
- Identity and Access Management (IDAM)
- Data Loss Prevention (DLP)
- Encryption and pseudonymization
- Incident Response Plan (IRP), including the process for notifying the supervisory authority of a personal-data breach within 72 hours where required
- Third-party (processor) risk management
- Secure Access Service Edge (SASE)
- Policy management
PRINCIPLES (Article 5):
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
This is not an exhaustive list of Information Security standards, just those most relevant to global business. Many countries have their own versions of these standards on their books, with varying levels of adoption and relevance.
Which standard is best suited to your business therefore depends on where your business is, where your clients are, what business you are in, and what business your clients are in.
About T-Next:
T-Next (TranscendNext Quality Management Inc.) is a Burlington ON based Quality Management consultancy with expertise in navigating the sea of global standards and working with clients to select, implement and gain certification in the standards most beneficial to their business.
To contact us:
Email michael.blazevic@transcendnext.ca
Call us at 1 888 517 3335
For more information, please visit our website www.transcendnext.ca

Michael Blazevic,
Managing Partner,
T-NEXT – TranscendNext Quality Management