In a previous blog post, we discussed the differences between SOC 2 vs ISO 27001. In this post, we will look at the factors affecting the decision of choosing which of the two compliance frameworks best aligns with your business needs. Client Expectations The choice to adopt a compliance framework is often driven by client expectations. Clients may stipulate in [...]
Navigating the ins and outs of two of the most popular compliance frameworks. When it comes to vendor due diligence, many companies are raising the bar. This article will help you weigh the difference on SOC 2 vs ISO 27001. In addition to evaluating vendor revenue, growth, and skills, security is becoming an important focus of client reviews. With almost half [...]
Answering some of the most commonly asked questions around ISO 27001 implementation. At risk3sixty, we have helped many clients implement ISO 27001. Through this work, we have pinpointed a few common misconceptions surrounding the framework. In this post, we will dig into these misconceptions and shed some light on the ISO 27001 implementation process. Misconception #1: An organization must implement all [...]
Tips for security administrators during the COVID-19 pandemic We have seen a massive increase in the number of employees working from home due to the COVID-19 pandemic. System administrators must ensure that employees can still securely access corporate resources. The transition to the cloud both for corporate activities (Office 365, G Suite) and for service hosting (AWS, Azure) has relieved some [...]
Understanding the results of a HITRUST engagement and how to use them. During your vendor due diligence process, a vendor sends you their HITRUST report. What exactly does this report tell you? How can you use this information to properly evaluate the vendor? In this blog, we will give a brief overview of the HITRUST CSF framework and then dive into [...]
Correcting mistakes that arise in the day-to-day management of access control. Organizations can take many steps to manage access, such as adopting documented registration and de-registration processes, maintaining a list of service accounts, and segmenting networks. While all are effective ways of managing access, they occasionally fail. For example, a step may be missed in the on-boarding process. A [...]
How to leverage information security policies into leveling up your security program. People often regard information security policy as a "check-the-box" compliance initiative. Many organizations will copy a policy template, make small revisions applicable to their context, and then forget about it. But, an information security policy that directs the organization is as crucial to a security program as [...]
How to keep the keys to the kingdom from escaping the kingdom. Proper password management is a huge step that an organization can take to strengthen security. It also addresses multiple criteria for all the major security frameworks. For example, see examples from ISO 27001 and SOC 2 as of the date of this writing: ISO 27001 A9.4.2: Where required by [...]