Trust tomorrow.

In this article, find out how your domain is exposed to the public after a Qualys SSL Server Test?

ISO 27001 certification can be a complex process and challenging for any business not quite prepared for the audit. Organisations often fail to fully understand how the standard translates into real-world security control implementations, and what is needed to gain that all important approval from the assessor. The most important thing to understand is that to be certified, an approved ISO 27001 assessor needs to review your information security management system and agree that you meet all the minimum requirements. You must demonstrate your organisation’s compliance against each of the in-scope controls, which must be supported by operational evidence that you are using the controls. Preparing your Information Security Management System Before applying for certification, you will need a compliant Information Security Management System (ISMS) that allows the auditor to cross-reference your ways of operating controls against those specified in the standard. This ISMS is your management system, which tells your staff how they should undertake security activities and records audit trails of decisions and outcomes of security processes. Once you have the ISMS integrated into your overall business management systems, certification follows across three main phases: Engage an assessment organisation that can audit your ISMS and issue your certification if you pass the assessment. They will begin with a basic review of your ISMS documentation, looking at the overall structure and documented processes covering all relevant controls. This assessment will identify the gaps that need remediating before you invest in a real certification audit. When ready, the certification organisation …

Two popular security standards commonly referenced these days are SOC 2 and ISO 27001 certification. These two standards have many shared requirements, especially in how you implement and operationalise certain controls, including policies, processes and the technical solutions you’ve used to meet their requirements (and protect your information).  The reality is that as many as 96% of the requirements stated in both standards overlap. So, if this is the case, how do you decide which standard to go for, if you are beginning the process of improving your security capability without the decision being driven by an external party (such as an industry body or customer market)?  Let’s look at what matters when making this selection, and the requirements that both standards demand you meet. Scope SOC 2 and ISO 27001 are similar in that they are both designed to portray trustworthiness in your organisation insomuch that you are attesting to the fact that you will protect the information and systems relating to your customers. First, let’s look at the overriding principles of each standard. They both entrench the principles of securing information in terms of confidentiality, integrity and availability. The differences lie in which security controls you implement. Both ISO 27001 and SOC 2 state that organisations need only adopt a control if it applies to them, but the approach to implementation is slightly different for each. The primary difference between SOC 2 and ISO 27001 is that SOC 2 mainly focuses on you proving the security controls that …