BARR is proud to be one of only a handful of firms in the U.S. eligible to perform audits against three of the most highly regarded security frameworks: ISO 27001, SOC 2, and HITRUST. But what does that mean exactly? And how can organizations work with BARR to leverage the frameworks they already have in place to improve their security posture? Let’s take a closer look.
In 2021, BARR Certifications, together with BARR Advisory, earned ISO 17021 accreditation from the ANSI National Accreditation Board (ANAB) to certify organizations to ISO 27001. Accreditation from ANAB, the largest multidisciplinary accreditation body in North America, validates BARR’s competence and independence in assessing the people, processes, and technology within a service organization’s information security management system (ISMS).
All three frameworks ultimately help organizations improve their security posture. However, each differs in its engagement process and in its final deliverable.
ISO 27001 is a globally accepted standard that defines the requirements of an information security management system (ISMS). ISO 27001 certification from an accredited certification body such as BARR means that an organization has demonstrated adherence to those requirements.
SOC 2 examinations report on one or more of the AICPA’s Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report demonstrates an organization’s commitment to its customer requirements and to cybersecurity best practices.
The HITRUST Common Security Framework (CSF) was developed in collaboration with healthcare and information security professionals to provide a prescriptive framework that consolidates and simplifies security requirements. It is the most widely adopted security framework in the U.S. healthcare industry.
As an external assessor, BARR can complete all the necessary tasks and data collection for both HITRUST and ISO 27001 engagements. If an organization has already achieved HITRUST certification, the controls already in place can be mapped to ISO 27001 requirements with relatively little effort, especially when the assessment evidence already exists and is immediately available in the MyCSF portal.
Because ISO 27001 auditors must remain independent and cannot advise on how to fix issues or mitigate gaps, a HITRUST assessment can double as a gap and risk assessment ahead of the ISO 27001 audit. If your organization already has HITRUST in place, your external assessor can provide expert guidance and feedback on how to close any identified gaps before the ISO 27001 audit begins, reducing the risk of nonconformities being raised during the audit itself.
In addition to ISO 27001, a HITRUST certification can help satisfy the requirements of other assessments such as SOC 2. The AICPA’s Trust Services Criteria align with the HITRUST CSF requirements, which allows BARR to issue a combined SOC 2 + HITRUST report under the collaborative reporting model.
While the two frameworks cover similar topics, one significant difference between ISO and SOC engagements is the deliverable: ISO 27001 results in a certification, whereas a SOC 2 examination results in an attestation report rather than a certification.
Additionally, as an internationally accepted standard, ISO 27001 is well suited to organizations that serve clients abroad. SOC 2 uses the U.S.-based AICPA Trust Services Criteria to meet the needs of a broad range of report users who require detailed information and assurance about the controls at service organizations.
BARR can leverage your SOC 2 report to cover ISO 27001 controls, and vice versa. This means that organizations seeking both ISO 27001 certification and a SOC 2 report can work with a single, unified team of auditors for both assessments. Holding both not only increases customer trust but also strengthens your brand: you stand out as an organization that takes security seriously and instills confidence in its clients.
Organizations that leverage one framework to accomplish another see many benefits. Beyond demonstrating a commitment to security and compliance, this approach enables an “audit once, report many” model that reduces the resources organizations must dedicate to compliance.
To get started, your organization can determine what compliance certifications or reports you may need based on your stakeholders and contractual obligations.
Contact BARR, and we’ll guide you through the process and show you how to build on the security and compliance achievements and processes you already have in place.