Deciding to undergo an information security audit can be daunting for the sole reason that there are so many frameworks and regulations to learn about. SOC 1, SOC 2, SOC for Cybersecurity, PCI DSS, HIPAA/HITECH, HITRUST CSF, ISO 27001, GDPR, FISMA, and FERPA – what do they all mean? Which framework or regulation does your organization need to comply with? Which one best suits your organization’s needs? In this guide, you’ll learn about the 10 most common information security frameworks, who they apply to, and how they can benefit your organization.
Commonly Used Frameworks
Of the 10 commonly used information security frameworks included in this guide, the top three frameworks are SOC 1, SOC 2, and PCI DSS. So, what are they?
SOC 1: A SOC 1 audit is performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). SOC 1 reports describe the controls at a service organization that could impact its clients’ financial statements. A SOC 1 audit is not a review of the service organization’s own financial statements, but rather a review of its internal controls over financial reporting.
SOC 2: As a service provider, how do you validate the security of your services? A SOC 2 audit evaluates internal controls, policies, and procedures as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. These five established categories, known as the Trust Services Criteria, address questions such as: How are your policies and procedures documented relative to the standard? How do you communicate them to all interested parties? How do you monitor that those controls are being performed effectively?
PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a robust information security standard that encourages and enhances cardholder data security by providing industry-recognized data security measures. In other words, a PCI audit is an information security audit focused on the protection of credit card data. All PCI audits must be performed by a PCI Qualified Security Assessor (QSA) and are designed to test whether an organization is compliant with the 12 technical and operational requirements established to protect cardholder data.