Boards get it: they need to exercise the same level of oversight over cybersecurity as they do over financial statements. The difference is that financial accounting is governed by a well-developed set of standards with associated audits and examinations. The standards for cybersecurity are not as well defined, so it is important for directors to know exactly where their company stands in terms of adherence to an accepted framework, and to understand the third-party certification and audit options available.
In 2014 the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity. The framework has come to be known as just “NIST” when used by some in the context of “Oh, yeah, our company is NIST compliant.” And so starts a trail of confusion regarding certification, compliance and standards pertaining to cybersecurity.
The NIST Framework for Improving Critical Infrastructure Cybersecurity is an excellent resource for organizing, planning and implementing cybersecurity controls in any environment, not just in a critical infrastructure company. For directors, it is easy to grasp how the controls are organized around the five functions of Identify, Protect, Detect, Respond and Recover. It has other features that allow companies to tailor their controls to enterprise risk appetite and resource constraints and to facilitate program management in the sense of “we are here now and we want to be there next year.” All good, but directors should understand there is no such thing as “NIST certified” or “NIST compliant” in relation to the framework. The NIST framework is increasingly gaining adoption as the de facto “standard”; however, there is no third party that can come in and certify a company as meeting the “NIST standard.”
The NIST framework is an excellent tool for preparing the company to achieve certification to an information security standard, and a widely accepted international standard is ISO 27001. Published by the International Organization for Standardization, ISO 27001 defines the management processes and structures that must be in place to reduce the risk of information compromise. It also provides guidance on embedding the information security procedures within the larger risk management process of the company. ISO 27001 certifications are issued for three years and require periodic audits to ensure continued compliance. It is important to note that ISO 27001 certification indicates only that the company has satisfactorily designed and documented an Information Security Management System; it does not capture how well that system works in practice. ISO certification must be performed by an accredited certifying body, and costs range from ~$20K to over $300K depending on how much consulting support the company needs to prepare for the certification, the auditor selected and the complexity of the company’s information environment.
In 2011 the American Institute of CPAs issued its Service Organization Control (SOC) reporting framework. Within that framework, SOC 2, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, is the examination relevant to cybersecurity. The SOC 2 examination is essentially an outside audit that verifies controls are in place and that they are functioning. Depending on the nature of the business, the company should satisfy one or more of the five Trust Services Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 examinations can cover a point in time or a period of time; if a company has a well-established information security program, a one-year period is typical. SOC 2 examinations must be conducted by an accredited auditor and cost from ~$30K up, depending on the auditor and the complexity of the examination.
Not every company requires an ISO 27001 certification and a SOC 2 examination. But every company should be following the NIST framework, or some other accepted framework, to derive its cybersecurity strategy. While there is no defined “standard,” a company that relies on the NIST framework to prepare for and achieve ISO 27001 certification, and then engages an auditor to conduct a SOC 2 examination to prove that the controls are in place and functioning, is on pretty solid ground for showing it has taken “reasonable measures” to protect critical information.
Directors who understand the difference between frameworks and certifications, and who can ask informed questions about why the company does or does not conduct an outside audit, are in good standing when it comes to executing their oversight responsibilities regarding cyber risk.