More customer wins. Better organizational security. Efficient compliance management. These are just a few of the business benefits available to organizations that achieve a cybersecurity certification. You might want to pursue a certification for your organization, but you don’t know where to start. How do you know which certification is right for your organization, and how can you begin preparing for it? Maybe you’re an army of one attempting to prove SOC 2 compliance, or maybe you’re a part of a larger team looking to rapidly gain certification with a specific framework that’s necessary for your next merger. Regardless, you need to be aware of the top cybersecurity regulations and standards today.
This blog will help you get a handle on the most common cybersecurity certifications, arming you with the knowledge to improve your organizational security.
NIST 800-53 is a framework of over 1000 controls that was originally developed by the National Institute of Standards and Technology in 2006 to help US government agencies implement effective cybersecurity controls. At that size it can be unwieldy for anything other than large departments, so NIST developed a smaller, more streamlined derivative of NIST 800-53 called the Cybersecurity Framework (CSF) to help companies in all sectors develop their information security, risk management and control programs.
NIST CSF offers broad applicability and basic cybersecurity coverage. The framework consists of three major components – the framework core, implementation tiers and profiles – and helps to baseline your program and highlight areas for improvement. Comprehensive documentation of the standards is available free of charge via NIST’s website.
NIST CSF is a great fit for organizations that are in the initial stages of their cybersecurity efforts. It is designed to be leveraged as a tool or guide to benchmark your program and develop a maturity roadmap aligned with your organization’s growth. NIST does not offer an official certification path.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law, overseen by the U.S. Department of Health and Human Services, that protects sensitive patient data. It created national standards for safeguarding information related to a patient’s health and medical history.
Healthcare organizations and all organizations that handle sensitive health information are required to comply with HIPAA. Additionally, partners of healthcare organizations need to demonstrate compliance. HIPAA certification is available through an external audit and training course.
The EU General Data Protection Regulation (GDPR) is the European Union’s framework for data protection and has been a mandatory compliance requirement for all businesses that handle or process personal data since 2018.
There is no mandatory certification for GDPR, but compliance can still be demonstrated.
Businesses are responsible for proving compliance with GDPR by documenting all data processing activities; implementing data protection measures such as policies, training and audits; and, where possible, appointing a Data Protection Officer (DPO). The Information Commissioner’s Office (ICO) will review and assess this documentation, and if a GDPR breach is suspected and a failure to comply is identified, businesses can be liable for hefty fines of up to 4% of annual turnover.
Since the UK’s recent exit from the EU, it is no longer regulated domestically by GDPR; instead it has introduced its own version, known as the UK-GDPR, which sits alongside an amended Data Protection Act 2018.
The International Organization for Standardization (ISO) is an international standard-setting body based in Geneva, Switzerland.
ISO published ISO 27001 in 2005 as a risk-based control framework for establishing processes that detect and address security threats. It was revised in 2013, a further revision is due later in 2022, and the current version contains 114 controls in total.
It includes information security management system requirements and defines the main focus areas in building a security program. ISO mostly focuses on technical controls and IT security.
ISO 27001 is a good fit for organizations that already have an established, mature cybersecurity program in place. The framework offers a widely recognized certification through an external audit process. However, the external audit can be long and costly, so your organization may want to pursue it in phases that track the maturity of its cybersecurity program.
The Payment Card Industry Data Security Standard (PCI DSS) was developed by a consortium of credit card companies including Visa, MasterCard and American Express.
The standard defines a set of security requirements that any company that accepts, processes, stores or transmits credit card information has to comply with.
There are four PCI compliance levels, which are determined by the number of transactions the organization handles each year.
- Level 1: Merchants that process over 6 million card transactions annually.
- Level 2: Merchants that process 1 to 6 million transactions annually.
- Level 3: Merchants that process 20,000 to 1 million transactions annually.
- Level 4: Merchants that process fewer than 20,000 transactions annually.
Compliance with the standard is assessed via 7 different self-assessment questionnaires (SAQs), chosen according to the merchant level and the way the merchant processes payment card information:
- SAQ A: For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce transactions and mail/telephone order merchants.
- SAQ A-EP: For e-commerce merchants that outsource their payment processing but not the administration of the website that links to it.
- SAQ B: For e-commerce merchants that don’t receive cardholder data but control the method of redirecting data to a third-party payment processor.
- SAQ B-IP: For merchants that don’t store cardholder data in electronic form but use IP-connected point-of-interaction devices. These merchants may handle either card-present or card-not-present transactions.
- SAQ C-VT: For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function.
- SAQ C: For merchants with payment application systems connected to the Internet (no electronic cardholder data storage).
- SAQ D: For all other merchants not included in SAQ types A–C.
- SAQ P2PE: For merchants that use point-to-point encryption. It’s therefore not applicable to organizations that deal in e-commerce.
Selecting the correct SAQ beforehand is critical, as each has specific compliance requirements based on the ways payment card data is processed. Failure to comply with the standard carries hefty fines and the potential loss of credit card handling privileges.
SOC 2 was developed by the American Institute of CPAs (AICPA) in 2010 and is a type of audit report that is primarily used to assess the risks associated with using SaaS providers. It defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.
Unlike the rigid requirements outlined in PCI DSS, SOC 2 reports are unique to each organization. Each organization designs its own controls, aligned with its specific business practices, to comply with one or more of the trust principles.
There are two types of SOC reports:
- Type I SOC reports describe a vendor’s systems and whether their design is suitable to meet relevant trust principles.
- Type II SOC reports detail the operational effectiveness of those systems over a period of time.
SOC 2 certification is issued by external auditors and based on their assessment of the vendor’s compliance with one or more of 5 trust principles, namely:
- Security – how the vendor protects system resources and data against unauthorized access;
- Availability – how the vendor ensures continued accessibility of their systems, products or services as stipulated by a contract or service level agreement (SLA);
- Processing integrity – how the vendor ensures that data processing is complete, valid, accurate, timely and appropriately authorized;
- Confidentiality – how the vendor ensures data is restricted to a specific set of persons or organizations. This also includes protecting the confidentiality of data during transmission using appropriate levels of encryption; and
- Privacy – how the vendor addresses the collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with the generally accepted privacy principles (GAPP) as outlined by the AICPA.
No matter your business’s objectives and needs, achieving a cybersecurity certification can help you prove your program’s value. Certifications are becoming increasingly lucrative and even necessary for modern business, meaning the right certification can provide a significant competitive advantage.
If you’re ready to pursue certification, the Exam and Certification Readiness capabilities in ProcessUnity Cybersecurity Performance Management (CPM) are here to help. Click here to learn more about how ProcessUnity CPM can help you collect and document evidence to accelerate your certification path.