Industry Standard IT Security Certifications for Companies

Industry Standard IT Security Certifications for Companies

ISO/IEC 27001:2005 (Information technology – Security techniques – Information security management systems – Requirements) is a widely recognized certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS.

ISO/IEC 27002 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organization according to the particular information security risks they face. In practice, this flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but makes it unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes.  An organization cannot be certified against ISO/IEC 27002.

The ISO 27000 series of standards are a compilation of international standards all related to information security. The difference is that the ISO 27001 standard has an organizational focus and details requirements against which an organization’s Information Security Management System (ISMS) can be audited. ISO 27002 on the other hand is more focused on the individual and provides a code of practice for use by individuals within an organization. If you compare them you will see that they’re structured similarly and that they map to each other.

The difference is in the level of detail, ISO 27002 explains one control on one whole page, while ISO 27001 dedicates only one sentence to each control.  ISO 27002 provides best practice recommendations on information security management for use by those who are responsible for implementing or maintaining the Information Security Management Systems (ISMS). Whereas ISO 27001 defines the audit requirements.

SOC 1 (SSAE 16) – A SOC 1 is a report on controls at a service organization that may be relevant to user entities’ internal control over financial reporting.  Its value is best suited for financial processing systems such as payroll system. SOC 1 does not look at technology. According to French Caldwell, VP and Gartner Fellow, “So, to be clear, SSAE 16 (or SOC 1) is relevant for compliance with Sarbanes-Oxley and similar laws. It does not provide comprehensive assurance for security, availability, processing integrity, confidentiality or privacy controls. That’s the purpose of SOC 2, a companion standard to SOC 1.”

SOC 2 – A SOC 2 report is based on the existing SysTrust and WebTrust principles.  The purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality and privacy.

SOC 3 – A SOC 3 report is like a SOC 2 report.  The difference being, the report does not detail the testing performed and is meant to be used as a marketing material.

PCI DSS – PCI-DSS is a standard of data security for the credit card industry, and applies only to companies that process, store, or transmit credit card data. For these companies, compliance with the standard is obligatory, though depending on the volume of cards processed, different requirements or obligations may apply.

Industry Standard IT Security Certifications for Companies