Compliance

When it comes to protecting your data, you’re in safe hands. We’re at the forefront of cyber security and data protection. Today, we’re proud to say that we’ve helped numerous organisations big and small successfully prepare for
their Cyber needs.

Our passion is helping organisations protect themselves, their customers and their data from the ever-evolving threats of the digital world – whether through consultancy, toolkits, training, management system standards or penetration testing.

Our mission is to help you safeguard your organisation through cost-effective solutions designed by experts. We’re a leading provider of cyber risk and privacy management solutions, and have built a strong global presence with our deep technical expertise and proven track record.

Our comprehensive range of end-to-end solutions, combined with years of experience implementing fit-for-purpose solutions and assisting organisations to achieve regulatory compliance, means we can support you throughout your project.

PENETRATION TESTING

ISO 27001

SOC Audit

What is Penetration Testing?

Penetration testing is a systematic process of probing for vulnerabilities in your infrastructure networks and software applications. It can also examine physical security measures or identify security weaknesses in people with social testing.

Penetration testing is essentially a controlled form of hacking. The ‘attackers’ act on your behalf to find and test weaknesses that criminals could exploit.

These might include:

Inadequate or improper configuration;
Hardware or software flaws;
Operational weaknesses in processes or technical countermeasures; and/or
Employees’ susceptibility to phishing and other social engineering attacks.

Our experienced penetration testers mimic the techniques used by hackers to probe these vulnerabilities – individually or in combinations – without causing damage. This enables you to address the security flaws that leave your organisation vulnerable.

Penetration Testing Types

1. Web application penetration testing is a process of testing a web application to find security vulnerabilities that could be exploited by attackers.

This includes:

Testing user authentication to verify that accounts cannot compromise data;
Assessing the web applications for flaws and vulnerabilities, such as XSS (cross-site scripting) or SQL injection;
Confirming the secure configuration of web browsers and identifying features that can lead to vulnerabilities; and
Safeguarding database server and web server security.

2. Internal network penetration testing focuses on what an attacker with inside access could achieve.

An internal test will generally:

Test from the perspective of both an authenticated and non-authenticated user to identify potential exploits;
Assess vulnerabilities affecting systems that are accessible by authorised login IDs and that reside within the network; and
Check for misconfigurations that could allow employees to access information and inadvertently leak it online.

3. External penetration tests identify and attempt to exploit security vulnerabilities that might allow attackers to gain access from outside the network.

An external test will generally:

Identify vulnerabilities in the defined external infrastructure, such as file servers and web servers;
Check authentication processes to ensure there are appropriate mechanisms to confirm users’ identities;
Verify that data is being securely transferred; and
Check for misconfigurations that could allow information to be leaked.

4. Social Engineering Penetration Testing, as technical security measures improve, criminals increasingly use social engineering attacks such as phishing, pharming and BEC (business email compromise) to access target systems.

So, just as you should test your organisation’s technological vulnerabilities, you should also test your staff’s susceptibility to phishing and other social engineering attacks.

5. Wireless Network Penetration Testing, If you use wireless technology such as Wi-Fi, you should also consider wireless network penetration tests.

These include:

Identifying Wi-Fi networks, including wireless fingerprinting, information leakage and signal leakage;
Determining encryption weaknesses, such as encryption cracking, wireless sniffing and session hijacking;
Identifying opportunities to penetrate a network by using wireless or evading WLAN access control measures; and
Identifying legitimate users’ identities and credentials to access otherwise private networks and services.

Penetration Testing Phases

1. Plan – We start by defining the aim and scope of the test. To better understand your needs, we collect intelligence about your functions and any possible weaknesses.

2. Scan – We then move to static or dynamic analysis to scan the network. This informs our experts of how the applications respond to various threats.

3. Gain access – We locate vulnerabilities in the target applications using pen testing strategies such as cross site scripting and SQL injection.

4. Maintain access – We then check the ability of a cybercriminal to maintain a persistent presence through an exploited vulnerability or to gain deeper access.

5. Analyse – We assess the outcome of the penetration test with a report detailing the exploited vulnerabilities, the sensitive data accessed, how long it took the system to respond to the pentester’s infiltration and recommendations to help you be better prepared.

What is ISO 27001?

ISO/IEC 27001:2013 is the international standard for information security. It sets out the specification for an information security management system (ISMS).

ISO 27001’s best-practice approach helps organisations manage their information security by addressing people, processes, and technology.

Certification to the ISO 27001 Standard is recognised worldwide to indicate that your ISMS is aligned with information security best practices.

Part of the ISO 27000 series of information security standards, ISO 27001 is a framework that helps organisations establish, implement, operate, monitor, review, maintain and continually improve an ISMS. The latest version of the ISO 27001 information security standard was published in September 2013, replacing the 2005 iteration.

How to get ISO 27001 certified?

To achieve ISO 27001 certification, we must first develop and implement an ISMS that meets all the requirements of the Standard. Once the ISMS is in place, we can then register for certification with an accredited certification body.

The certification body will carry out an audit of the ISMS to ensure it meets the requirements of ISO 27001. If the ISMS is found to be compliant, the certification body will issue an ISO 27001 certificate.

1. Get started

ISO 27001 is the standard that outlines the specifications for an information security management system, while ISO 27002 provides best practice guidelines for implementing the 114 controls. Familiarise yourself with the requirements first.

2. ISO 27001 gap analysis

A gap analysis by our ISO 27001 professionals gives you a pretty accurate idea of what you will need to do to achieve compliance. We points out potential gaps in your security programme and give you an assessment of resources and budget requirements.

3. Start planning

We work with your team to guide them through an ISO 27001 ISMS project planning & deployment. Benefit from our proven step by-step approach that has been tried and trusted over the years.

4. Start implementing

Two of the most challenging aspects of an ISMS project are conducting the risk assessment and developing the necessary documentation to prove compliance. We can help you tackle both of these and get it right the first time, saving you heaps of time and effort.

5. Contact us for an internal audit

It’s always best to call in the experts to assess whether your ISMS is working as intended and will meet the requirements of the certification body. We can help you assess your certification readiness with an internal audit.

Prepare for Certification

There is no one-size-fits-all answer to this question, as the amount of preparation required will vary depending on the size and complexity of your organisation, as well as your current level of compliance with the Standard. However, some tips on how to prepare for ISO 27001 certification include the following:

1. Perform a gap analysis to identify any areas where your organisation does not meet the requirements of the Standard.

2. Develop an implementation plan that outlines how you will close any gaps identified in the gap analysis.

3. Train your staff on the requirements of the Standard and on your implementation plan.

4. Create or update your organisation’s ISMS documentation, including policies, procedures, and other supporting documents.

5. Conduct internal audits to verify that your ISMS is functioning as intended and that all employees are following the required procedures.

6. Schedule and complete an external certification audit with a certification body.

Certification

Once you are ready for certification, you will need to engage the services of an independent, accredited certification body. These certification bodies have been assessed by the relevant national authority based on their competence, impartiality and performance capability through a rigorous assessment process.

The ISO 27001 accreditation process consists of two stages and is conducted by a qualified auditor.

Stage 1

The auditor will review your documentation to check that the ISMS has been developed in accordance with the Standard. You will be expected to present evidence of all critical aspects of the ISMS, but how much depends on the certification body’s requirements.

Stage 2

If you pass the first stage, the auditor will conduct a more thorough assessment. This assessment will involve reviewing the activities that support the development of the ISMS. The auditor will analyse your policies and procedures in greater depth and check how the ISMS works in practice with an on-site investigation. The auditor will also interview key staff members to verify that all activities are undertaken following the specifications of ISO 27001.

ISO 27001 Implementation

1. Assemble an ISO 27001 implementation team

We begin the implementation process by appointing a project leader, who will work with other members of staff to create a project mandate.

This is essentially a set of answers to these questions:

What are we hoping to achieve?
How long will it take?
What will it cost?
Does it have management support?

2. Develop the ISO 27001 implementation plan

The next step is to use project mandate to create a more detailed outline of your information security objectives, plan and risk register.

This includes setting out high-level policies for the ISMS that establish:

Roles and responsibilities;
Rules for its continual improvement; and
How to raise awareness of the project through internal and external communication.

3. ISMS initiation

We then pick a methodology for implementing the ISMS. The Standard recognises that a “process approach” to continual improvement is the most effective model for managing information security.

Part of this process involves developing the rest of document structure. We recommend using a four-tier strategy:

Policies at the top, defining the organisation’s position on specific issues, such as acceptable use and password management.
Procedures to enact the policies’ requirements.
Work instructions describing how employees should meet those policies.
Records tracking the procedures and work instructions

4. Management framework

At this stage, you need to gain a broader understanding of the ISMS’s framework. The process for doing this is outlined in clauses 4 and 5 of the ISO 27001 standard.

The most important part of this process is helping you define the scope of your ISMS – i.e. which parts of your organisation you’ll be protecting. Creating an appropriate scope is an essential part of your ISMS implementation project.

If your scope is too small, then you leave information exposed, jeopardising the security of your organisation, but if it’s too large, your ISMS will become too complex to manage.

5. Baseline security controls

An organisation’s security baseline is the minimum level of activity required to conduct business securely.

We help you define your security baseline using the information collected during ISO 27001 risk assessment.

6. Risk management

Risk management is a core part of any ISMS. After all, it’s no good identifying and prioritising information security threats if you’re unable to deal with them effectively.

This stage isn’t about managing risks themselves but establishing how to approach the task.

After identifying, evaluating and assigning values to your threats, you’ll know which risks pose the biggest problem.

We then help you determine whether to:

Treat the risk by applying information security controls laid out in ISO 27001
Terminate the risk by avoiding it entirely
Share the risk (with an insurance policy or via an agreement with other parties)
Accept the risk (if it doesn’t pose a significant threat)
Any risks that you treat should be documented in an SoA (Statement of Applicability). This should explain which of the Standard’s controls you’ve selected and omitted and why you made those choices.

7. Implement the risk treatment plan

Now it’s time to implement the risk treatment plan. To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations. You will also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives.

This involves conducting a needs analysis and defining a desired level of competence.

8. Measure, monitor and review

The best way to tell if your ISMS is on track or not is to review it. We recommend doing this at least annually, so that you can keep track of the way risks evolve and identify new threats.

The main objective of the review process is to see whether ISMS is in fact preventing security incidents, but the process is more nuanced than that.

We advice comparing its output to the objectives laid out in the project mandate. These can be measured quantitatively and qualitatively.

Quantitative assessments are useful for measuring things that involve financial costs or time, whereas qualitative assessments are better suited for objectives that are hard to define, like your employees’ satisfaction with new processes, for example.

9. Certification

Once the ISMS is in place, we guide you through certification process from an accredited certification body.

This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security.

The certification process will involve a review of the organisation’s management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice.

SOC Audit

SOC (System and Organization Controls) audits are an independent assessment of the risks associated with using service organisations and other third parties.

They are essential to regulatory oversight, vendor management programmes, internal governance and risk management.

There are three levels of SOC audit for service organisations:

SOC 1 audits relate to organisations’ ICFR (internal control over financial reporting). They are conducted against the assurance standards ISAE (International Standard for Assurance Engagements) 3402 or SSAE (Statement on Standards for Attestation Engagements) 18.
SOC 2 audits assess service organisations’ security, availability, processing integrity, confidentiality and privacy controls against the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria), in accordance with SSAE 18. A SOC 2 report is generally used for existing or prospective clients.
SOC 3 audits are like SOC 2 audits, but their reports are much more concise and designed for a general audience.

SOC 1 and SOC 2 audits are divided into two types:

Type 1 – an audit carried out on a specified date.
Type 2 – an audit carried out over a specified period, usually a minimum of six months.

SOC 3 audits are always Type 2.

The AICPA has also developed SOC for cybersecurity and SOC for Supply Chain.

We operate in the cyber security domain.

What is SOC 2 Audit Report?

A SOC 2 audit report provides detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and privacy controls, based on their compliance with the AICPA’s TSC, in accordance with SSAE 18.

It includes:

An opinion letter.
Management assertion.
A detailed description of the system or service.
Details of the selected trust services categories.
Tests of controls and the results of testing.

Optional additional information, such as technical information or plans for new systems, details about business continuity planning, or the clarification of contextual issues.

It also specifies whether the service organisation complies with the TSC.

SOC 2 vs ISO 27001

Certification to ISO 27001, the international standard for information security management, shows that an organisation has implemented an ISMS (information security management system) that conforms to information security best practice.

Whereas an ISO 27001 certification audit assesses an organisation’s information security controls at a given time, a SOC 2 Type 2 audit is more comprehensive, covering several months, and results in a formal attestation rather than a certificate.

It might therefore be argued that a SOC 2 Type 2 report provides greater – and more specific – assurance than ISO 27001 certification.

However, a SOC 2 audit report is the opinion of the auditor – there is no compliance framework or certification scheme. With ISO 27001 certification, an accredited certification body confirms that the organisation has implemented an ISMS that conforms to the Standard’s best practice.

Just as there are benefits to both ISO 27001 and SOC 2, there is sufficient overlap between SOC 2 and ISO 27001 to justify addressing them simultaneously and incorporating your SOC 2 compliance into your ISO 27001-compliant ISMS.

For instance, you can structure your risk assessment and risk treatment plan to account for the five SOC 2 and SOC 3 trust services categories (security, availability, processing integrity, confidentiality and privacy).

For more information on combining your SOC 2 and ISO 27001 compliance projects, contact us today.

SOC 2 Audit Readiness Assessment and Remediation Service

We can help any organisation prepare for a SOC 2 audit.

Readiness assessment

We can assess your state of SOC 2 preparedness by evaluating the type of service you offer, the trust services categories applicable to that service and the security controls relevant to delivering that service. We will examine and analyse your processes and procedures, system setting configuration files, screenshots, signed memos and organisational structure.

Remediation

After identifying any shortfalls, IT Governance can help you remediate them. We can help with audit scoping, compiling the system or service description, risk assessment, control selection, defining control effectiveness measurements and metrics, or integrating your SOC 2 requirements into your ISO 27001-compliant ISMS.

Testing and reporting

IT Governance has partnered with a leading AICPA- and PCAOB (Public Company Accounting Oversight Board)-registered CPA audit organisation in the US, which will perform the required testing and reporting at considerably reduced rates.

IT Governance can assist with the complete SOC audit process, from conducting a readiness assessment and advising on the necessary remediation measures to testing and reporting, by virtue of our partnership with CyberGuard.

We facilitate the audit process and put the client in contact with our partners, which can deliver the audit at a fraction of the costs demanded by the Big Four accounting firms.

The SOC audit process involves:

Reviewing the audit scope;
Developing a project plan;
Testing controls for design and/or operating effectiveness;
Documenting the results; and
Delivering and communicating the client report.

SOC 2 audit reports enable service organisations to demonstrate to clients and other stakeholders that they have implemented appropriate controls in relation to security, availability, processing integrity, confidentiality and privacy.

This consultancy service has been designed to help you prepare for and pass a SOC 2 audit. It comprises of two parts:

The SOC 2 Audit Readiness Assessment is a report focused on the AICPA’s TSC. We evaluate your organisation’s audit-readiness by assessing the suitability of the TSC risk-mitigating controls to the services you offer.

The SOC 2 Remediation Service highlights the corrective actions your organisation must take to ensure its security controls conform to the TSC before seeking a SOC 2 audit.

The SOC 2 Audit

A SOC 2 audit can only be performed by an independent CPA (certified public accountant) or duly recognised accountancy organisation regulated by the AICPA.

A SOC 2 audit report provides information and assurances about the suitability of the design and effectiveness of the service organisation’s controls. The report is generally restricted-use for existing or prospective clients.

SOC 2 Audit Readiness Assessment

IT Governance can help your organisation throughout the entire SOC preparation, remediation, testing and reporting process.

Our expert cyber security consultants have years of experience helping organisations prepare for SOC audits.

We will identify and advise on the SOC audit that best suits your organisation.

The SOC 2 Audit Readiness Assessment results in a detailed report that identifies any areas in which your controls fall short of the required standard and provides a remediation plan to ensure compliance. (Please see service description table above.)

The SOC 2 Audit Readiness Assessment includes advice on defining a suitable audit scope, guidance in compiling the content of the service or system description, and assistance in identifying which of the TSC are relevant to your organisation’s key risks.

SOC 2 Audit Remediation Service

Once any shortfalls have been identified, the SOC 2 Audit Remediation Service can help you rectify them. Remediation consultancy is specific to each organisation but typically could include the following:

Development of policies/procedures and modification of existing policies/procedures;

Conducting a risk assessment;

Selecting appropriate controls; and

Testing to ensure that new controls have been implemented and are operating effectively.

Testing and reporting

IT Governance has partnered with a leading AICPA- and PCAOB (Public Company Accounting Oversight Board)-registered CPA audit organisation based in the US, which can perform the required testing and reporting at considerably reduced rates.

We can help you prepare for a SOC 2 audit by:

Reviewing your current IT status, performing a readiness assessment, and recommending suitable controls and technical measures;
Conducting project and audit scoping;
Guidance in specifying the system or service description based on your core business objectives;
Assistance in defining the trust services categories relevant to your core business;
Performing a risk assessment and selecting controls;
Designing and documenting controls;
Monitoring and measuring the effectiveness of the selected controls; and
Recommending a qualified CPA partner to prepare the SOC 2 report.

Additional services, such as penetration testing or advising on integrating your SOC 2 requirements into your ISO 27001-compliant ISMS (information security management system), can also be provided.

We specialise in international management system standards, IT governance, cyber security, cyber incident response management, risk management and compliance.

Our professional services team has a wealth of consultancy skills and technical expertise. This multi-disciplinary knowledge and experience means we can help you achieve your project objectives wherever you are in the world.

SOC 2 Methodology

1. Preparing for SOC 2

Getting ready for an initial SOC 2 audit can be arduous and time-consuming, depending on the scope and level of complexity in the environment. We begin the process with developing an understanding of what is driving the need for a SOC 2 audit and the systems that are relevant to those drivers. Continuing to a gap assessment and an iterative cycle of remediation and readiness testing, correcting control and design gaps along the way, until results fall consistently within an acceptable range of outcomes

2. Scope

The scope of a SOC 2 report depends on the type of service a vendor provides, as well as the needs of its customer base. A thorough scoping should seek to determine which TSP(s) customers will require assurance with, and which systems and components must be assessed to do that. You can select any number and combination of the TSPs for inclusion in the report, based on customer need and relevant contractual requirements.

The five TSPs include:

Security: The system is protected against unauthorized access (both physical and logical).

Availability: The system is available for operation and use as committed or agreed.

Processing Integrity: System processing is complete, accurate, timely and authorized.

Confidentiality: Information that is designated “confidential” is protected as committed or agreed.

Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in generally accepted privacy principles.

Ultimately, the system scope of a SOC 2 assessment is at the discretion of management and will be clearly described within the SOC 2 report. As such, if the scoping exercise does not draw the system boundaries appropriately, customers may not be satisfied with the SOC 2 report and may request additional information, or even a separate audit — limiting the value of the exercise. Getting the scope phase right is critical to the success of the SOC 2 process.

3. Assessment

After the scope has been determined, the next step is to evaluate management’s control environment using the SOC 2 criteria customized to the chosen TSPs to identify gaps requiring remediation.

The assessment process can be broken out into the following high-level steps:

Mapping of existing controls to the framework
Documentation of gaps and “future state” controls
Identification of remediation plans

We tend to start the mapping process with a review of control documentation that may already exist, relevant to the scope and the control objectives identified in the SOC 2 standard.

Walk-throughs of management’s existing processes will provide a more complete view of the relevant processes and controls, and will provide us with most of the information we need to understand where management’s controls align to the standard and where gaps exist.

Remediation

Remediation plans serve as a detailed road map toward the execution of a SOC 2 report.

For every gap in the control environment, we recommend a remediation plan that includes the following elements:

Detailed steps and deliverables to satisfy the control standard
Timelines that are feasible, yet aggressive in meeting goals
Remediation owners to track and motivate progress

The most important goal for us coming out of the remediation phase should be to maximize repeatability of processes and to achieve a stable, consistent control environment that addresses SOC 2 requirements.

Readiness Testing - No matter how ready a service organization may appear on paper, we recommend to conduct readiness testing to ensure the organization’s controls work as intended. This should be done before engaging a service auditor. Readiness testing reduces the risk of exceptions that could result in qualified opinions and serves to validate management’s assertions made during the documentation and remediation phases.

Even when remediation appears to be complete, experience has shown that testing will uncover human error. Controls that were not flagged as gaps during the assessment phase, and in which management has significant confidence, can often be shown to operate ineffectively through control testing. Only when an organization has submitted to readiness testing and addresses its operating effectiveness issues should management feel confident to move forward with its first SOC 2 audit.