
cyBARR Chats Episode 21: BARR is 1 in 9 Firms in the U.S. Eligible to Audit Against ISO 27001, HITRUST, and SOC 2

April 17, 2023 | HITRUST, ISO 27001, SOC 2

Transcript:

Hello everybody and welcome to today’s cyBARR Chat. I am Kyle Cohlmia, associate content writer at BARR Advisory, and today we are joined by Angela Redmond, director for BARR’s Attest Services. BARR is so proud to say that we are one in nine firms eligible to perform audits against all three highest regarded frameworks, ISO 27001, SOC 2, and HITRUST.

But what does that mean exactly? And how can organizations use BARR to help them leverage existing frameworks to boost their security posture? Angela’s here to give us all the details about this exciting statistic and how to get started. So let’s begin. All right, Angela. First off, can you explain what it means when we say BARR is one of nine firms eligible in the U.S. to perform audits against ISO 27001, SOC 2, and HITRUST?

Yes, definitely. So in 2021, BARR Advisory earned the prestigious ISO 27001, ISO 17021 accreditation for certification to ISO 27001 from the ANSI National Accreditation Board, otherwise known as the ANAB. Accreditation from the ANAB, which is the largest multidisciplinary accreditation body in North America, validates BARR’s competence and independence in assessing the people, the processes, and the technology within a service organization’s ISMS. Together, BARR Certifications and BARR Advisory are one of only nine firms in the nation that meet the requirements of the ANAB, AICPA, and HITRUST to issue ISO certifications, SOC 2 audit reports, and HITRUST testing for validation.

Great. Thank you so much. So each of these frameworks is among the highest regarded frameworks in the industry. How do you think that these specifically benefit organizations?

Yeah, so these three frameworks ultimately help organizations improve their security posture. However, each of them differs a little bit throughout the engagement process and their final deliverables. So I can go through each of the three of them.

So first off, ISO 27001 is the globally accepted standard that defines the requirements of an information security management system or ISMS. ISO 27001 certification from an accredited certification body such as BARR means that an organization has demonstrated adherence to those requirements.

And SOC 2. So a SOC 2 examination reports on one or any combination of the AICPA’s Trust Services Criteria, including security, availability, processing integrity, confidentiality, and privacy. It demonstrates an organization’s commitment to its consumer requirements and cybersecurity best practices.

And finally, HITRUST. The HITRUST Common Security Framework was developed in collaboration with healthcare and information security professionals to provide a prescriptive framework to simplify security requirements. It is the most widely adopted security framework in the U.S. healthcare industry.

Great. Thank you so much for those details.

So for our next question, I was wondering if you could talk a little bit more about how organizations can leverage specifically HITRUST for ISO 27001 certification or for SOC 2 reports.

Definitely. So as an external assessor, BARR can complete all the necessary tasks and data collection processes for both HITRUST and ISO 27001 audits.

At the same time, if an organization has already achieved a HITRUST certification, it’s easy to map the controls that are already in place to ISO 27001 requirements, especially when the assessment data already exists and is immediately available in the MyCSF portal. Since ISO 27001 auditors aren’t able to provide guidance on how to fix issues or mitigate gaps, HITRUST CSF can serve as a risk assessment for the ISO 27001 audit. If your organization has HITRUST in place already, your external assessor can help by providing expert guidance and feedback on how to close any identified gaps ahead of time. This can help avoid potential nonconformities during your ISO 27001 audit.

And in addition to ISO 27001, a HITRUST certification can help satisfy the requirements of other assessments like SOC 2. And with SOC 2, for example, the AICPA’s Trust Services Criteria align with the CSF criteria, which allows us to issue SOC 2 plus HITRUST in a collaborative reporting model.

Great. Thank you. That sounds like a wonderful way to move forward with HITRUST. And then what about organizations who are interested in SOC 2 and ISO 27001? What’s the difference between those two and how can organizations benefit from both?

Yes. So while the two frameworks cover similar topics, one big difference between ISO and SOC assessments is that certain standards can be certified under the ISO 27001 series while SOC 2 audits result in an attestation report rather than a certification.

And additionally, as an internationally accepted standard, ISO 27001 is great for organizations who serve clients abroad, while SOC 2 uses the US-based AICPA Trust Services Criteria to meet the needs of a broad range of users that require detailed information and assurance about the controls at service organizations.

BARR can leverage your SOC 2 report to include ISO controls and vice versa. So this means that organizations seeking ISO 27001 certification and a SOC 2 audit now have a unified team of auditors to perform both assessments. And having both not only increases consumer trust, but it also enhances your brand.

You’ll stand out as an organization who takes security seriously while instilling the most confidence in your clients.

Wonderful. That sounds great. Again, so does this mean that organizations will save time and resources when they’re achieving multiple of these certifications or reports simultaneously?

Yes. An organization that chooses to leverage one framework to accomplish another receives many benefits. Not only does this prove your organization’s commitment to security and compliance, but this process allows for an “audit once, report many” approach, which reduces the amount of resources organizations are required to delegate.

Wonderful. Another great piece of information. And for our final question, we’re wondering how organizations can get started on their journey toward ISO 27001, SOC 2, or HITRUST?

To get started, your organization can determine what compliance certifications or reports you may need based on your stakeholders and contractual obligations.

And contacting BARR is a great place to start. We’ll help you through the process and understand how you can reach your potential through your established security and compliance achievements and processes that you already have.

Great. Angela, thank you again so much for sharing this valuable insight on how BARR can help organizations obtain ISO 27001, HITRUST, and SOC 2 at the same time.

This information is so helpful as organizations look to advance their security programs. We appreciate you joining us for this week’s cyBARR Chat, and we look forward to seeing everybody next time. Thank you.

Thank you!