Over the last few years, there has been a push to obtain cloud computing solutions at almost every turn. A plethora of companies continue to provide cloud services to their existing clientele; however, much of the federal clientele remains untouched. The Federal Risk and Authorization Management Program (FedRAMP) provides the ability for companies to follow a standardized approach in terms of security assessments, authorizations, and continuous monitoring of cloud products and services offered to the federal government.
When you think of a data breach, what comes to mind? It’s probably the image of a hacker stealing data from a large business or company that stores an abundance of customer data—like Target, for instance. Data breaches are expanding from companies and healthcare organizations and are also becoming a real concern for law firms.
The intent of achieving and maintaining compliance with ISO 27001 is for an organization to demonstrate its continuing ability to proactively assess their information security risk posture and manage that risk according to the organizations’ risk appetite. The focus is truly on the governance and maintenance of the information security management system (ISMS).
Introduction ISO/IEC 27001:2015 (ISO 27001) certification is becoming more of a conversation in most major businesses in the United States. To provide some depth, there was a 20% increase in ISO 27001 certificates maintained globally (comparing the numbers from 2014 to 2015 as noted in the recent ISO survey). As for North America, there was a 78% growth rate in ISO 27001 certificates maintained, compared to those in North America in 2014. So it is clear evidence that the compliance effort known as ISO 27001 is making its imprint on organizations in the United States. However, it’s just the beginning. Globally, there are 27,563 ISO 27001 certificates maintained, of which only 1247 are maintained in the United States; that is 4.5% of all ISO 27001 certificates.
With the rising popularity of compliance efforts today driven by factors such as customer demands, regulatory requirements, and/or a company’s willingness to demonstrate their internal control environment to external parties, the question often arises as to which compliance undertaking is the most beneficial for organizations to undergo. Lately, we’ve noticed a large surge in both our SOC 2 and ISO 27001 service lines, but which is the better for your organization? To begin to tackle this question, it’s important to first get some background information on both SOC 2 and ISO 27001 to understand their differences, similarities, and how they could potentially complement each other.
TAMPA, FL— August 25, 2016 – Schellman & Company, LLC (Schellman), a leading provider of compliance services, has been awarded accreditation by the ANSI-ASQ National Accreditation Board (ANAB) for ISO/IEC 20000-1 certification services. The new accreditation adds to the existing ISO 9001 accreditation Schellman received from ANAB in December, as well as the ISO/IEC 27001 accreditation Schellman received from the ANAB ANAB in 2011 and from the United Kingdom Accreditation Service (UKAS) in 2015.
An internal audit process should be present within the organization, and is vital to the design and effectiveness of any information security program. The requirements of an internal audit can be referred to in Clause 9.2 within the ISO-27001 standard. The process and time constraints of an internal audit vary based on the size and structure of the company. Also, a greater sense of detail and effectiveness of an internal audit should be similar across all organizations. Initially, a plethora of clients believe that an internal audit is a simple walkthrough of organizational specific processes and applicable controls; however, the internal audit requires the organization to review the ISO-27001 framework and all in-scope Annex A controls based on the Statement of Applicability (SOA). As a result, the ISO-27001 internal audit happens to be more stringent and control focused than many organizations believe it to be prior to beginning the audit.