Big Four & Leading Accounting and Consulting Firms – news, opinion and career opportunities for aspiring & current professionals & alumni

So Many Security Standards, Audits, and Certifications. Which One is Right?!

By Jon Long, Guest Blogger
I had a great conversation recently with a prominent member of the information security community (@HackSec), and he raised the following concern: many are confused about when to use ISO 27001 certification, PCI certification, SOC 1 (aka SSAE 16), SOC 2 & 3, NIST, and CSA STAR to give customers comfort about their security. I explained my position that organizations should use SOC2 as an umbrella for all of them, especially because many service organizations are required by their customers to comply with multiple standards and produce multiple reports.
To this, he expressed his frustration that if the information security community cannot decide which one to standardize on, how can customers be expected to know what to do? He said: “We’ll stay in this nexus of confusion where every attestation is required, and yet customers still do not have confidence in our security and demand the right to audit.” He went on to explain that the Trust Services Principles and Criteria (TSPC), on which a SOC 2 is based, are not detailed enough, and that CSA STAR and NIST are much more thorough standards for ensuring security.
In our continuing dialogue, I explained the idea that they can all get along under the SOC2 umbrella. Here’s why: accountants understand auditing, security professionals know security, and the international standards organization is just that…international. Each has something that the others do not, and if you bring it all together, you have one heck of a team. Let me explain a little more about each:
Accountants understand auditing: Accountants can trace the history of auditing back to ancient Egypt, and in its more modern form of independent CPA auditing back to 1593. They were auditing, and being held responsible for their opinions (through lawsuits), long before information security was invented. My point is that there is an audit process missing from the security assessment space. A PCI Report on Compliance and an ISO 27001 certification audit each provide point-in-time assurance, which says nothing about whether the controls operated throughout the year, and CSA STAR is a self-assessment at this point. While I agree that the TSPC is a weak standard, at least with a SOC2 Type 2 report you get period-of-time assurance (a Type 1 report is itself only point in time) by taking advantage of the audit process that the attestation standard requires. Then all you have to do is add the other standards into the covered areas and enhance the audit procedures to ensure that the controls are not only “in place”, but that they “have been in place” for the period of time covered by the report.
Security professionals know security: CSA STAR, NIST, and ISO 27001 are great standards, and security professionals are the only ones who can test them. Accountants know that they cannot test security, which is probably why the TSPC are so vague. Security professionals have the right security standards, but they do not understand what assurance is or how it is achieved. The very fact that entire industries throw around words like “certification” and “compliant” demonstrates this. Accountants understand that when you use words like these, the entity providing the attestation is opened up to huge liability. Accountants are very careful to design and perform their tests to mitigate this risk, and use terms like “reasonable assurance”, “in all material respects”, and “in our opinion” so that organizations relying on their opinion know exactly what they can rely on.
ISO is international: Professionals in other countries resist “American” standards because it makes them feel less sovereign. They hate the arrogance of it. Right now there is no security-specific International Standard on Attestation Engagements (ISAE) because ISO 27001 dominates in that space, and international accountants are not so brazen as to think they can get into the security space the way the AICPA has. So for now SOC2 is all there is for period-of-time attestations, and it is embraced in Canada because the CICA co-developed the TSPC with the AICPA. That is a start, and if we add ISO 27001 under a SOC2 umbrella, we’re golden with the international community. They would get period-of-time coverage and strong security controls.

The SOC2 attestation standard is flexible enough to incorporate “additional subject matter”, and all of the previously mentioned standards can be covered in the auditor’s opinion as long as accountants use competent “technical specialists” to test the controls. This has led some to argue that SOC2 is the “silver bullet” that satisfies all compliance and reporting requirements. However, even if accountants use competent security professionals, there is still a problem: they cannot issue the reports that customers want, such as ISO 27001 certificates, PCI Reports on Compliance (ROCs), or CSA STAR attestations, because those are controlled by governing bodies with which CPA firms are not registered. The Big 4 CPA firms will never subject themselves to these organizations because they lack influence in them, and consequently cannot control the risk to which it exposes them.
There is a way for service organizations to avoid the dilemma of having to undergo multiple audits to satisfy their customers’ demands for multiple reports. The way it works is that a CPA firm partners with an ISO certification body, a security firm proficient in CSA STAR, or a QSA (in the case of a PCI report) to jointly conduct the testing. Because there is significant overlap in the standards, service organizations can take advantage of the testing efficiencies that result. At the completion of the engagement, the organization receives multiple reports from a single attestation engagement. This approach takes advantage of the best of all worlds: a great audit process, the best security standards, and risk assurance for their clients that is meaningful.
Cross-posted from The Risk Assurance Guy

Jon Long, CISA, QSA is a Senior Manager and Practice Builder at CompliancePoint and is currently championing an audit approach that allows organizations to combine multiple compliance requirements into a single SOC2 engagement.



One Response to So Many Security Standards, Audits, and Certifications. Which One is Right?!

  1. K.A. says:

    Some CPA firms already offer the above-mentioned attestation services, including ISO, PCI, and so on. It is not new.