Choose the Right Assessment Framework
April 4, 2017
SOC vs ISO vs HITRUST CSF — Which to use?
An information security framework organizes the requirements that your security program will be built on and measured against, so choosing the right framework is important.
Many times, organizations choose their frameworks based on what a client, partner, or external assessor suggests.
This is a big mistake!
Your organization’s framework should be based on your internal business objectives, so your organization can select the framework that best meets your needs.
Examples of Frameworks Supporting Objectives
This isn’t a comprehensive list, but it should provide a good idea of how frameworks can support your objectives.
“We want a framework to use as a benchmark to see how our current security program stacks up.”
For this, we use a combination of the ISO 27001 standard and NIST 800-53 as a starting point, which gives you a good set of safeguards to compare your environment against.
If you’re in healthcare, you can also use the HITRUST framework, but it may be more than you need, especially if you don’t already have a benchmark established.
“We want to impress our customers with security.”
Many times people think ISO-27001 certification or some other certification framework will impress their customers.
The problem is that it can take years to get through all of the certification steps for these programs. Certification can also take a lot of resources and red tape. All of this effort can help with certification, but it doesn’t necessarily increase security.
In most cases, your organization is better off implementing a security program that aligns with ISO, but doesn’t focus on the certification elements.
There are also other suggestions for quick things any organization can do that will make your organization appear more secure to customers.
“We’re a service provider that must demonstrate our service is secure.”
In these situations, if your service is critical to your customers (i.e., you run a data center, process financial transactions for customers, etc.), a SOC assessment process might be the way forward.
You have to be in the core value chain for another business, which should be fairly easy to determine.
Be aware that many organizations are asking their customers to get SOC audits and remediation without any real justification.
Don’t fall into this trap if you don’t have to.
“We process, store, or transmit credit cards on behalf of people or customers.”
You should align to the Payment Card Industry (PCI) guidance.
“We want to certify our security effort.”
Ask yourself, why do you want to do this? Remember, there’s no correlation between increased security and certification.
However, if your organization aligns to ISO in other areas of the business, ISO-27001 probably makes the most sense.
In healthcare, HITRUST is available, but has seemed excessive in every organization it’s been implemented in.
“We want to make informed decisions about information security to protect our business.”
This is the methodology we teach at CISOSHARE. If you can make informed business decisions, you will always be best situated to implement an informed approach.
It’s important to note that you can align to other frameworks, even certified, but still not have the ability to take an informed approach.
If you have any questions, connect with us and let us know how we can help you move your security program forward.