How to Choose a Security Assessment Framework | SOC vs ISO vs HITRUST CSF
The most important factor in selecting a framework is to begin by understanding your internal business objectives for information security, and then to select the framework that best supports those objectives.
While this is what you should do, organizations often adopt a particular framework because a client, partner or external assessor tells them they should.
This is a big mistake!
How Security Assessment Frameworks Support Objectives
Below are common objectives for an organization, with the frameworks that work best for each. This list is not comprehensive, but it should give you an idea of how frameworks support objectives.
“We want a framework to use as a benchmark to see how our current security program stacks up.”
I like to use a combination of the ISO 27001 standard as well as NIST 800-53 as a starting point to get a good set of safeguards that you can compare your environment against.
If you’re in healthcare, you can also use the HITRUST framework, but I think this is overkill, especially if you do not have an established benchmark to begin with.
“We want to impress our customers with security.”
Many people think ISO 27001 certification or some other certification framework will do this. What people forget is that these programs take years to get through all of the certification steps. It also takes a great deal of resources to get through the certification red tape; an effort that helps with certification but does not actually increase security.
For most organizations, you’re better served focusing on just implementing a true security program that aligns to ISO but does not focus on the certification elements.
I’ve also written some other suggestions on quick things any organization can do to appear more secure to customers, which can also help in this area.
“We are a service provider that must demonstrate our service is secure.”
In these situations, if your service is critical to your customers (i.e., you run a data center, process financial transactions for customers, etc.), a SOC assessment process might be the way forward. To justify it, you have to be in the core value chain of another business, which should be fairly easy to determine.
Be aware that many organizations require their customers to undergo SOC audits and remediation without, in my opinion, any justification.
Don’t fall into this trap if you don’t have to.
“We process, store or transmit credit cards on behalf of people or customers.”
You should align to the Payment Card Industry (PCI) guidance.
“We want to certify our security effort.”
Again, why do you want to do this? In my opinion, there is no correlation between increased security and certification.
However, if your organization aligns to ISO in other areas of the business, ISO 27001 probably makes the most sense. In healthcare, HITRUST is available, but I really think it is overkill in almost every situation in which I’ve seen it applied.
“We want to make informed decisions about information security to protect our business.”
This is the methodology we teach at CISOSHARE. If you can make informed business decisions, you will always be best situated to implement an informed approach. It is also important to note that you can align to other frameworks, and even become certified, yet still lack this most critical capability.
If you have any questions, connect with us and let us know how we can help you move your Security Program forward.
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, given hundreds of presentations, and built many Security Programs in both internal and external consulting roles.