16 Do’s and Don’ts of Claiming Compliance Publicly

August 27, 2024 | CSA STAR, HITRUST, ISO 27001, PCI DSS, SOC 2

Achieving compliance against an industry-leading standard like SOC 2 or ISO 27001 is a major accomplishment for any organization, regardless of growth stage. Once you have your compliance report in hand, your team will be eager to share the news with customers, partners, and stakeholders.

Before you jump in, it’s important to understand how and when to communicate your compliance to ensure you’re adhering to local and federal regulations as well as the rules put forth by the governing bodies behind each framework.

Below, we’ve listed the do’s and don’ts of publicizing your compliance accomplishments against the following standards:


SOC 2 Reports

Do: Spread the word of your completed SOC 2 report far and wide.

Completing a SOC 2 examination is a feat worth celebrating, so don’t be shy about sharing the news. Check out our step-by-step guide to curate a collection of campaign assets that you can share with customers, partners, and other stakeholders on your website, in emails, on social media, and more.

Don’t: Announce that your organization is “SOC 2 certified.”

While this is a common misconception, the truth is that completing a SOC audit does not result in any certification. Instead, the resulting report provides a CPA’s opinion on the design, effectiveness, and implementation of a service organization’s relevant internal controls. While no organization can technically be “SOC certified,” completing a SOC examination with BARR will help you demonstrate your commitment to protecting customer data.

Do: Request permission from the AICPA to use the SOC logo in marketing materials.

The AICPA SOC logo is a registered trademark. Organizations may only use the logo if authorized to do so by the AICPA. The good news is that the AICPA has created a simple process for cloud service organizations to request permission to access and use their SOC logo. Anyone from your team can create a free account and access the instructions here.


ISO 27001 Certification

Do: Share the news with your network.

Organizations that achieve ISO/IEC 27001 certification can and should spread the word across their owned channels, from their website to social media, as well as with stakeholders, partners, customers, and local and industry news organizations. When you work with BARR to achieve ISO 27001 certification, your team will gain access to a complimentary promotional package with sample materials to kickstart your campaign.

Don’t: Use the ISO logo in your promotional materials.

Even organizations that hold current ISO/IEC 27001 certifications may not use the ISO logo in any marketing materials. This is because the ISO logo is a registered trademark, and use of the ISO logo is not allowed by anyone outside of ISO. If you’d like to include a badge signifying your certification within your website footer or company email signatures, you may choose to create your own or ask your auditor if they can provide a graphic fit for distribution.

Do: Use the correct terminology to describe your engagement.

Achieving initial certification against the ISO/IEC 27001 framework is a huge accomplishment for any organization. These certifications remain valid for three years, during which time you’ll work with your audit firm to complete annual surveillance audits. At the end of the three-year period, the process restarts as your team pursues ISO 27001 recertification. When creating marketing materials, be sure to use the correct term to describe the engagement that your organization most recently completed. If you’re not sure which terminology to use, your auditing firm can help.


HITRUST Certification

Do: Share your HITRUST Letter of Certification with customers and prospects.

At the conclusion of your HITRUST engagement, your HITRUST Authorized External Assessor will provide you with a letter verifying your certification. Use this letter to help your organization communicate with stakeholders about your compliance with the highest standards of information security. 

Don’t: Forget about the complimentary press kit provided by HITRUST.

Organizations that successfully achieve certification against the HITRUST CSF can expect to receive a press kit from HITRUST within seven to 10 business days of completing their engagement. If you have any questions about the press kit and how to best use it to promote your company’s compliance accomplishment, don’t hesitate to reach out to your HITRUST representative for assistance.


CSA STAR Assessments

Do: Add your organization to the CSA STAR Registry.

Organizations that complete CSA STAR Level 1 or Level 2 attestations or certifications can sign up to be included in the CSA STAR Registry, a publicly accessible database of more than 2,000 providers that documents the security and privacy controls provided by popular cloud computing offerings. Publishing to the registry not only helps build trust with stakeholders, but also helps alleviate the need to fill out lengthy customer security questionnaires.

Don’t: Miss the chance to maximize your promotional efforts.

Organizations that work with an audit firm like BARR to complete a CSA STAR Level 2 assessment alongside a SOC 2 report or ISO 27001 certification can promote both compliance accomplishments with a single press release or other marketing initiative. If you choose to publish a press release announcing your compliance with CSA STAR, you can also request a quote from a CSA executive. Be sure to send your draft to [email protected] at least five business days in advance of your release date for approval.


HIPAA Compliance

Do: Be careful about declaring that you are “HIPAA compliant.”

The Federal Trade Commission (FTC) warns against using terms like “HIPAA compliant” and “HIPAA secure” in marketing materials, and cautions against adding a HIPAA seal or badge to your website and social media, because it can be misleading to customers. If you claim to be HIPAA compliant and your organization is later found to be out of compliance—or worse, experiences a breach—you could open the door for litigation or enforcement actions, including hefty fines, from the FTC. 

Don’t: Use the term “HIPAA certified” or “HIPAA certification.”

There is no certification process for verifying HIPAA compliance. The only agency that can make a determination on whether an organization is compliant with HIPAA is the U.S. Department of Health & Human Services (HHS). Organizations that want to provide assurance to customers and stakeholders that they adhere to the cybersecurity standards outlined by the federal law can work with an auditing firm like BARR to complete a report that includes an auditor’s conclusions on their adherence with the HIPAA Security Rule; however, these reports do not constitute a certification of compliance. In fact, because HIPAA is such a broad law, a report on compliance with the HIPAA Security Rule is just one piece of the puzzle.

Do: Assure stakeholders of your commitment to HIPAA compliance by sharing your achievements.

While there is no formal HIPAA certification, there are ways to provide assurance to customers and stakeholders of your HIPAA compliance. For instance, your organization can choose to work with a third-party auditing firm like BARR to assess its compliance with HIPAA data security requirements, either as a standalone assessment or as part of a SOC 2 audit that includes a review of your compliance with the HIPAA Security Rule. Afterward, you may state publicly that your organization has undergone an audit with an independent auditor to assess your compliance with HIPAA as part of a larger effort to demonstrate your commitment to securing protected health information (PHI).


PCI DSS Compliance

Do: Understand the differences between a PCI SAQ and RoC.

Organizations can complete many different reports to attest to their compliance with the Payment Card Industry Data Security Standard (PCI DSS), including a PCI Self-Assessment Questionnaire (SAQ) and a PCI Report on Compliance (RoC). Depending on how many payment card transactions an organization processes on an annual basis, a company may be required to complete an RoC, which provides the highest level of assurance. Smaller organizations may also choose to complete an RoC to satisfy customer requirements. Understanding which of these reports your organization has received will help you create a smart plan for marketing the accomplishment.

Don’t: Expect to leverage PCI DSS as a major differentiator. 

All organizations that process, transmit, or store consumers’ payment card data, or that could impact the security of the cardholder data environment (CDE), must comply with PCI DSS. Think of PCI DSS as a framework for establishing the foundations of a strong cybersecurity program. To stand out against competitors, your organization may want to pursue an additional compliance attestation against another, more rigorous standard, like ISO 27001 or HITRUST CSF.

Do: Share that you’ve completed a PCI DSS audit.

After working with a PCI Qualified Security Assessor (QSA) company like BARR Advisory to complete a RoC or QSA-assisted SAQ, spread the word by announcing to stakeholders that you’ve undergone an independent audit attesting to your compliance with the Payment Card Industry Data Security Standard (PCI DSS). While there is no formal PCI DSS certification, undergoing an independent assessment helps demonstrate your commitment to adhering to industry standards for data security.

With so many cybersecurity frameworks, understanding how to achieve your security and compliance goals can be complicated. At BARR, we make it simple. Contact us today to find out how.
