Risk Assessments

  • 1.  SOC 2 vs ISO 27001 & ISO 27701

    Posted 01-05-2022 05:42 PM
    Because we share confidential corporate and PHI information with a law firm we asked them to provide a SOC 2. The firm responded to our request by providing ISO 27001 & ISO 27701 certificates. They further commented "We do not undergo SOC audits, as we provide legal services, so we have provided an ISO27001 certificate (valid through 07/15/2024) as well as a certificate for the ISO27701 Privacy extension (we were the third firm to be granted that certification.)"

    As the certificates provide no detailed information like a SOC, do you accept the documents on their face value and move on? Do you do something else?  Our CISO indicated the provided ISO27701 indicates they have established processes, but the process doesn't actually test them the way a SOC review would.

    Advice?


    ------------------------------
    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance
    ------------------------------


  • 2.  RE: SOC 2 vs ISO 27001 & ISO 27701

    This message was posted by a user wishing to remain anonymous
    Posted 01-06-2022 08:24 AM

    I'm trained as a lawyer and served as in house counsel at three different companies for approximately 15 years before becoming a risk person. It is very likely that you're dealing with major law firms. Those major law firms are exceptionally unlikely to undergo SOC testing. If you work for a huge S&P top 25 type company - go for it. An uphill battle all the way, though. If you're not at a huge company of that type, you aren't going to get anything else from them.


  • 3.  RE: SOC 2 vs ISO 27001 & ISO 27701

    Posted 01-06-2022 09:06 AM
    There may be some adjunct policies that could be provided that would document that test plans exist and have a required schedule- DR/BCP Policy, Audit Policy, TPRM Policy, InfoSec Policy.  That might add the connection you are looking for between having controls in place and actively testing those controls although the results of those tests would still be absent.

    Honestly, in a situation like this I would look to see what they can provide versus requiring something that they don't have.  Run into similar situations with financials a lot.  For legal resources, we do modify the due diligence requirements based on the nature of the services provided and would not require a SOC.  We do have an InfoSec/Data Privacy Questionnaire that we require depending on the volume of NPPI involved.

    As an earlier poster noted, this is not usual for this kind of third party relationship (legal) so foregoing this relationship may not be a viable option.

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 4.  RE: SOC 2 vs ISO 27001 & ISO 27701

    Posted 01-06-2022 09:16 AM
    Michelle, would you be willing to share your InfoSec/Data Privacy Questionnaire? 

    Thank you,
    Kelly


  • 5.  RE: SOC 2 vs ISO 27001 & ISO 27701

    Posted 01-06-2022 09:46 AM
    We are a MA based bank so our questionnaire is based on MA privacy requirements.  We essentially took each of the MA data privacy requirements and turned it into a question (17.03 section 2 a through j and section 17.04 sections 1 thru 8).

    201 CMR 17.00: Standards for the protection of personal information of residents of the Commonwealth

    We have added to it recently to try to get a better handle on where our data is located as well, specifically have added the following:
    1) Do you have internationally located data centers (outside US)?
    2) Please list locations of all data centers, international and US located.

    Also looking to add some questions specific to IoT (internet of things) as this is our next area of focus from a data security/privacy standpoint.  For IoT the initial plan is to start small and then tailor based on risk so something like:
    1) Do you have an IoT Policy?
    3) If "no", do you maintain a complete, up to date inventory of IoT devices and applications?
    4) Are IoT devices and networks secured with proper controls and are those controls monitored?

    Hope this is helpful,
    Shelly



    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 6.  RE: SOC 2 vs ISO 27001 & ISO 27701

    Posted 03-11-2022 09:19 AM
    A little late to this thread to help, but thought this comment might help someone else in the future.

    Like SOC attestations, ISO 27001 certifications include a rigorous audit process from an independent third party.  An ISO 27001 certification has a correlating statement of applicability (SoA).  The SoA lists the control categories/families and individual security controls.  A company can choose to exclude control categories/families and individual security controls.  The SoA should contain a management explanation when controls are excluded.  Asking for a copy of the SoA or simply asking if any controls were excluded will provide insight.

    When it comes to comparing criteria across framework standards, you should be able to find a control mapping, e.g. SOC 2 to NIST 800-53 / ISO 27001, etc.