Standards and frameworks (referred to as “standards” in this article) are sets of rules, practices, or measures which are implemented by an organization as activities to be performed periodically or at a point in time to achieve a certain objective. These rules, practices and measures are generally known as controls.
There are standards recognized internationally for a wide variety of objectives, ranging from environmental management (ISO14000), to food safety management (ISO22000), to medical devices (ISO13485). (See all ISO standards at https://www.iso.org/standards.html)
Examples of standards for data protection and privacy purposes are as follows:
The standards usually address the same areas of focus or domains, although bearing different names. Most standards include controls for overall governance, performing risk assessments and controlling relationships with third parties such as vendors of information services.
There are many resources that provide detailed mappings of the controls of one standard against another; for example, the mapping produced by AICPA of SOC2 against NIST 800-53 and ISO 27001. However, the remainder of this article will focus more broadly on what factors to consider when deciding which standard is right for your organization.
Implementing a standard to support your overall data protection and privacy compliance efforts will pay off in the long term. The payoff includes better decisions on purchases of technology, increased confidence in the organization’s capability to protect its data, and better positioning against the competition during new client acquisition activities such as responding to RFPs. A successful implementation will require dedication, focus and resources, ranging from staff being available to project-manage and support the implementation, to the financial resources to fund it.
Choosing the right standard is a careful balancing act that requires weighing a number of internal and external factors.
The costs of the implementation usually play a large part in the decision. Organizations often weigh these two options:
ISO standards can be initially implemented without any outside help and organizations can market themselves as following such a standard.
There are a number of vendors offering support through ISO implementation toolkits which include all of the necessary templates. However, it is recommended to ask for a demo to check the quality of the templates included in the package.
A SOC2 report can only be obtained through engaging an independent, qualified third party to audit the organization’s environment and issue the report. The usual time period covered by the report is annual. The cost of obtaining such a report may be substantial and incurred annually; subsequent years’ reports may not see a significant reduction in price from Year 1.
ISO certifications are the final step in an ISO implementation. This is likely to be another substantial investment as it involves a detailed audit carried out by the certification entity. Repeat audits are required every three years, although less detailed.
Hiring consultants to project manage the standard’s implementation and guide the organization through the process will incur additional costs but may be beneficial in the long run, especially in situations where there is no internal staff available to run the project.
This article focused on ISO and SOC2 standards, but a custom or hybrid standard can also be built for any organization by mixing controls from different standards, or by adding other standards’ controls to the chosen one, to obtain more specific controls for certain security areas. However, the minimum required controls will still have to be implemented for each standard if certification or third-party assurance is intended.
As the final investment in the implementation of the standard is likely to be significant, choosing a standard is an important decision in the lifecycle of any organization. The value of researching the different standards to understand their coverage, advantages and disadvantages cannot be overstated. There are many free resources available and many vendors willing to support your implementation. Once implemented, make the most of it and include it in your marketing materials.
ComplyWorks' Compliance Management Platform can help you securely implement and maintain data protection controls by helping you:
Privacy Consultant, YYC Privacy