HIPAA. NIST. ISO. FedRAMP. FISMA. SOC 2. These are just a few of the acronyms for compliance frameworks that your customers may be asking you about. The big question your organization needs to answer is, “Which compliance is right for me?” This blog post will focus on helping you understand some of the popular compliance frameworks, and specifically how they relate to SOC 2.
HIPAA vs SOC 2
HIPAA (Health Insurance Portability and Accountability Act) is a United States law developed by the Department of Health and Human Services. The main objective of HIPAA is to protect patients’ medical and health information - such as health plan details and doctor visits. However, the protections HIPAA aims to provide will not attest to your organization’s maturity in terms of privacy and security.
This is where SOC (Service Organization Control) comes in. SOC was created by the AICPA (American Institute of Certified Public Accountants), and examines the effectiveness of an organization’s controls as they relate to security, privacy, availability, processing integrity and confidentiality. To better understand how HIPAA and SOC 2 look at risk, consider this example: if your database goes down, HIPAA doesn’t care - as long as the data is secure. SOC 2 cares about the security of the data, but also about the availability of the system hosting the data.
ISO 27001 vs SOC 2
The goal of ISO (International Organization for Standardization) 27001 is to keep information assets secure. ISO 27001 focuses heavily on the technical and security components of IT, and these components apply even if you’re not a service provider. Overall, ISO 27001 is zeroed in on technical controls, and has less to say about the ethical and legal frameworks by which your employees are bound to deliver your services. SOC 2, on the other hand, is focused on the end-to-end maturity of your service delivery. If you follow ISO 27001, you will need to adhere to a strong password policy, which SOC 2 also cares about. But if you encourage employees to defraud customers, ISO 27001 won’t care, but SOC 2 will.
NIST 800-53 vs ISO 27001
NIST 800-53, published by the National Institute of Standards and Technology, is an inventory of technical practices recognized by US federal agencies. These practices overlap with the technical practices you would implement to achieve ISO 27001 certification, but have the additional benefit of being aligned with the requirements of FISMA (Federal Information Security Management Act). Choosing one or the other really depends on whether the practices themselves or the certification matters more to you, and on whether you plan on doing business with federal or other governmental agencies.
FedRAMP vs SOC 2
FedRAMP (Federal Risk and Authorization Management Program) is an assessment and authorization process that US federal agencies use to determine that sufficient security is in place when acquiring cloud-hosted software and services. It is a successor to the guidance from FISMA, focused on the modern era of software deployments, where cloud deployments are increasingly the norm. Achieving official authorization as a FedRAMP authorized cloud service provider is a substantial and costly process. To put it in perspective, there are only 124 authorized providers at the time of this blog’s publication. However, if you can get on this list, your company will have high visibility on the FedRAMP marketplace. If you need to grease the compliance skids at a high volume and have the full weight of a very detailed standard behind you, you should add FedRAMP to your roadmap. SOC 2 will be your first step on that path.
The number of compliance acronyms and frameworks can be dizzying. By gaining a better understanding of these frameworks, as well as which one is the best fit for your company, you can increase the maturity of your security controls and assure customers that their security is of utmost importance. And SOC 2 is a great starting point, regardless of which compliance path you choose.