A Buyer’s Guide to Security and Privacy Certifications

Know what they are, why they matter, and which ones to look for in your provider.

Ten years ago, it was common to evaluate a potential IT or hosting vendor with a series of pointed questions in an Excel spreadsheet. At first, the questions were simple and few, but over the years, these “security questionnaires” have expanded to hundreds of questions covering everything from proximity to flood zones to the level of encryption on a hard drive.

IT procurement teams now have difficulty asking the right questions to shine a light on policies that govern their sensitive data and, perhaps more importantly, verify the accuracy and ongoing adherence to those policies.

In fact, this process has become so tedious and daunting for both sides, that everyone is looking for a way out. The solution, of course, is to settle on the exact standards that buyers are looking for and have third-party audits to ensure that the standards are actually in place. Verifying standards can become complex for the buyer, but it’s doable if you know what to look for and what to ask.

The following is a guide to using these standards when evaluating vendors. To keep it organized, we have broken it into three sections: organizational certifications, compliance, and individual certifications.

Organizational Privacy & Security Certifications

For the reasons stated above, it’s important to understand what each set of standards actually does (and does not) say about a provider’s security posture. Some certifications aren’t nearly as impressive as they sound, but the ones below are widely recognized and backed by independent assessment. One note on terminology: ISO 27001 is a certification, a SOC 2 is an attestation report written by an auditor, and FedRAMP is a government authorization. Providers tend to call all three “certifications,” and so does this guide, but they are produced by different people under different rules.

ISO (International Organization for Standardization)

ISO standards were born out of the question, “what’s the best way of doing things?” They are created and agreed upon by independent subject matter experts from all across the world. There are ISO standards for all sorts of things, like making sure children’s toys don’t have sharp edges (ISO 8124-1) and reducing environmental impacts (the ISO 14000 family), but for our purposes here, we’ll focus on those applying directly to data security and privacy.

ISO management-system certifications such as 27001 and 22301 run on a three-year cycle, so the organization must be re-audited for its certificate to stay valid. ISO itself does not audit anyone: the audits are performed by an independent certification body, which is in turn accredited by a national accreditation body (ANAB in the US or UKAS in the UK, for example). In the first year, the certification body audits the organization’s controls against the standard’s requirements and, if they pass, issues the certificate. The second and third years include “surveillance audits,” in which the certification body checks that the controls remain in place and are being carried out correctly, followed by a full recertification audit at the end of the cycle. The underlying goal for the organization is continuous improvement.

  • ISO 27001 – The organization has implemented and maintains an “Information Security Management System,” or ISMS: a documented set of policies, risk assessments, and controls for protecting the confidentiality, integrity, and availability of information. In plain terms: only authorized people can read the information, nobody can alter it without authorization, and it is available whenever it’s needed.
  • ISO 27017 – Specific to cloud services. ISO 27017 adds cloud-specific controls and implementation guidance to the ISO 27001 baseline, covering topics such as separation between tenants, removal of a customer’s assets when the contract ends, and the split of security responsibilities between provider and customer. It is a code of practice rather than a stand-alone management-system standard, so it appears as an extension to a provider’s ISO 27001 certification.
  • ISO 27018 – A code of practice for protecting personally identifiable information (PII) in public clouds where the provider acts as a processor of its customers’ PII. It adds controls such as processing PII only on the customer’s instructions, notifying the customer of legally binding disclosure requests and of unauthorized access, and not using customer PII for marketing or advertising without consent. Like 27017, it sits on top of an ISO 27001 certification.
  • ISO 22301 – Certifies a business continuity management system: the organization has identified its critical activities, set recovery objectives, documented continuity and recovery plans, and tested them through exercises. ISO 22301 certifies that this plan has been independently audited and is exercised and maintained, not merely that a document exists.

ISO standards are working quietly in the background of our lives, making things safer, better, and more effective. When things don’t work as they should, it often means that the standards are absent.

Ask for the scope statement on the provider’s certificate. A certificate covers a defined set of locations, services, and systems, and sometimes only a portion of the business (corporate IT but not the platform that holds client data, for example). Check that the services you are buying and the data centers that host your data are named in the scope, and verify the certificate number, expiry date, and issuing certification body; the certification body or its accreditation body will confirm that the certificate is genuine and current.

SOC (System and Organization Controls)

SOC reports were created by the AICPA (American Institute of Certified Public Accountants), the body that sets auditing and attestation standards for the US CPA profession. A SOC report is not a certification but an attestation: an independent CPA firm examines the service organization’s controls and issues an opinion on them. SOC 2 and SOC 3 measure controls against the “Trust Services Criteria” of security, availability, processing integrity, confidentiality, and privacy. There are different SOC reports and report types, each for a different purpose.

  • SOC 1 (Internal Control over Financial Reporting) – Reports on a service organization’s controls that are relevant to its customers’ financial reporting (a payroll processor, for example). It is of interest to your finance auditors, not your security team.
  • SOC 2 (Trust Services Criteria) – Reports on controls at a service organization relevant to security (always in scope) and, optionally, availability, processing integrity, confidentiality, or privacy. The report includes the provider’s own description of its system, the auditor’s tests of each control, and the results, including any exceptions found. It is a restricted-use report, shared with customers and prospects, usually under NDA.
  • SOC 3 (Trust Services Criteria for General Use) – Covers the same criteria as SOC 2 but omits the detailed system description and the auditor’s tests and results. It is meant for public distribution (providers often post it on their website) and is far less informative.
  • Type I: reports on the design of the controls as of a single point in time. It confirms that the controls exist and are suitably designed.
  • Type II: reports on design and operating effectiveness over a review period, typically six to twelve months. It confirms that the controls exist and that the auditor tested evidence showing they actually worked throughout that period.

The audit is carried out by an independent, licensed CPA firm engaged by the service organization itself, not by the AICPA. A Type I is a point-in-time exercise; a Type II covers a review period of typically six to twelve months, during which the auditor samples evidence that the controls operated as described. Before a first audit, the business usually spends months of remediation bringing its controls up to the level described in its system description.

SOC 2 Type II is the most useful report an IT vendor can hold, but read it rather than simply checking the box. It is an auditor’s opinion over a specific review period, not a guarantee, so check the period end date; if it is more than a few months old, ask for a “bridge letter” covering the gap until the next report. Look at which Trust Services Criteria were included, whether the opinion is unqualified, which subservice organizations (the underlying cloud provider, for instance) were carved out of scope, and the list of exceptions. Exceptions are not automatically disqualifying; ask what has been remedied since, and ask for the new report every year.

FedRAMP (Federal Risk and Authorization Management Program)

FedRAMP is one of the most rigorous security authorization programs in the world. It’s the US government’s standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, based on the NIST SP 800-53 control catalog at Low, Moderate, or High impact levels. It is overseen by the Office of Management and Budget and run by a Program Management Office (PMO) at the General Services Administration. The Joint Authorization Board, made up of the CIOs of the Department of Defense, the Department of Homeland Security, and GSA (succeeded in 2024 by a FedRAMP Board), has issued provisional authorizations that any agency can reuse.

There are three main stages a buyer will encounter in the FedRAMP process:

  • A RAR (Readiness Assessment Report) is produced by a 3PAO (Third Party Assessment Organization), an assessor accredited by the FedRAMP program, which reviews whether the provider’s system is capable of meeting the requirements.
  • If it is, the 3PAO submits the RAR to the FedRAMP PMO for review. If the PMO accepts it, the offering is designated “FedRAMP Ready” and listed on the FedRAMP Marketplace. Ready means the provider has passed a preliminary check, not that it is authorized.
  • A federal agency that wants to use the service then sponsors a full assessment. The provider documents how it meets every control in a System Security Plan, the 3PAO tests the complete control set and writes a SAR (Security Assessment Report), and the agency reviews the package. If satisfied, the agency grants an “Authority to Operate” (ATO), and the Marketplace listing becomes “FedRAMP Authorized.” Other agencies may then review the same package and issue their own ATO rather than starting over, which is the whole point of the program. After authorization, the provider must keep up continuous monitoring: monthly vulnerability scans, remediation of findings within deadlines tracked in a Plan of Action and Milestones, and an annual reassessment by the 3PAO.

Obviously, becoming a FedRAMP-authorized provider is not for the faint-hearted; the level of security required is mandated by the Federal Government, and a Moderate or High package runs to hundreds of controls. Any provider with this authorization has earned the approval of a federal agency. Still, check the listing on the FedRAMP Marketplace yourself: confirm the status is “Authorized” rather than “Ready” or “In Process,” note the impact level, and confirm that the specific service offering you are buying is the one that was authorized. Providers often authorize a separate government-only environment that is distinct from their commercial one.

Compliance Standards

Compliance is different from certification because it is imposed on the organization from outside: by law in the case of HIPAA and ITAR, and by contract with the card brands in the case of PCI DSS. Failing to meet compliance requirements can land organizations with serious fines, loss of the ability to process card payments, or, for willful violations of HIPAA or ITAR, criminal penalties.

Unlike the certifications above, compliance does not always come with an independent audit. HIPAA, for instance, requires a documented risk analysis but has no certification; organizations self-attest and are checked only if a regulator investigates a complaint or breach. PCI DSS, by contrast, requires either a self-assessment questionnaire or, for the largest merchants and service providers, an on-site assessment by a Qualified Security Assessor. Ask which applies to your provider.

  • HIPAA (Health Insurance Portability and Accountability Act) – HIPAA is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities (health plans, health care clearinghouses, and providers such as doctors’ offices and hospitals) that handle patients’ protected health information (PHI), and, since the HITECH Act, directly to their business associates, such as cloud service and IT providers that create, receive, store, or transmit PHI on their behalf. A provider that handles your PHI must sign a Business Associate Agreement (BAA) with you; if it will not, it is not HIPAA compliant regardless of what its marketing says.
  • ITAR (International Traffic in Arms Regulations) – ITAR is a set of US State Department regulations controlling the export of defense articles and services on the United States Munitions List (USML) and the technical data related to them. There is no ITAR certification: manufacturers and exporters register with the Directorate of Defense Trade Controls, and anyone handling ITAR technical data must prevent access by non-US persons. In practice that means controlling where the data is stored and who, including the provider’s own support and operations staff, can reach it. Ask the provider exactly how it enforces that.
  • PCI DSS (Payment Card Industry Data Security Standard) – Being PCI DSS compliant means the organization follows the standard’s requirements for securely accepting, storing, processing, and transmitting cardholder data in order to prevent fraud and reduce the volume and impact of data breaches. The PCI Security Standards Council publishes the standard but does not certify anyone; compliance is validated either by a Self-Assessment Questionnaire or, for service providers above the card brands’ transaction thresholds, by a Qualified Security Assessor (QSA) who produces a Report on Compliance. Ask for the current Attestation of Compliance (AOC), check its date (validation is annual), and check which services are in scope, since a provider can be compliant for its payment gateway but not for the rest of its platform.

Ask how they keep track of the controls and processes in place for meeting compliance regulations, and how changes to their systems are reviewed against those controls. A competent provider maintains a controls register mapping each regulatory requirement to a control and its evidence, runs change management so that updates cannot quietly break compliance, and can show you the records.

Individual Certifications

Just like organizational certifications show that a system has met certain standards, individual certifications do the same on a per-person level. They indicate that particular people on the team have passed an exam on, and usually have documented experience in, a specific body of knowledge. There are many individual certifications available, but the ones below are the most common and the most widely trusted in the tech world.

  • CISA (Certified Information Systems Auditor) – CISA is the globally recognized standard for information systems audit professionals, managed by ISACA, an international membership association started in 1967 to provide guidance and research in IT governance and assurance. CISA demonstrates expertise in auditing, controlling, monitoring, and assessing information systems. It is most relevant to the people who assess controls: internal auditors, compliance staff, and the provider’s own security assessors.
  • CISM (Certified Information Security Manager) – Also from ISACA. Indicates expertise in information security governance, program development and management, incident management, and risk management. It is a management-level credential rather than a hands-on technical one.
  • CISSP (Certified Information Systems Security Professional) – Managed by (ISC)², an international nonprofit membership association. CISSP validates the broad technical and managerial knowledge needed to design, engineer, and manage an organization’s overall security posture. Receiving a CISSP requires passing the exam, having five years of cumulative paid work experience in at least two of its domains (one year can be waived for a relevant degree or an approved certification), and endorsement by an existing holder.
  • MCSE (Microsoft Certified Solutions Expert): Core Infrastructure – MCSE validated the skills needed to run a modern data center: identity management, systems management, virtualization, storage, and networking. It required a Microsoft Certified Solutions Associate prerequisite in Windows Server plus an elective exam on topics such as hybrid cloud or infrastructure; Microsoft training courses were available but optional. Note that Microsoft retired the MCSE family in January 2021 in favor of role-based certifications (for example, Azure Administrator Associate and Azure Security Engineer Associate), so current staff should hold those instead. Vendor certifications like these take time, money, and effort, and demonstrate product-specific skills.

There are thousands of individual certifications available in the market. Again, finding which are important to you and your organization depends on what kinds of technology you work with: Linux, Windows, VMware, etc. Seek out organizations with people on staff who hold certifications related to your technology and goals.

The Most Valuable Question to Ask

You may be asking, “How do big companies with all the right certs get hacked?” It’s a fair question, and the answer is that nothing can eliminate human error, which is a factor in the large majority of breaches. Many of the “big hacks” we hear about start with simple social engineering (phishing, USB drops, tailgating, and the like) and escalate from there. These attacks are reduced, though never eliminated, by regular, effective, and engaging security education for employees, backed by controls that limit the damage when someone does click: phishing-resistant multi-factor authentication, least-privilege access, and monitoring that catches the attacker’s next step.

Find out how the provider educates its employees on security and privacy. Always, always understand the level of education a company provides to its employees, what the training program includes, how often it runs, and whether its effectiveness is measured (by phishing simulation results, for example).

Employee education is key: without it, it doesn’t much matter which certifications the organization has earned, because a single moment of human error can undo them. All the standards above require (and audit for) employee security awareness training, but the auditor checks that the training happened and was recorded, not whether it was any good or frequent enough. That is another thing for you to verify by asking the right questions.

Although concerns about data security and privacy are nothing new, the process for evaluating IT service providers has evolved significantly over the last five years to meet the challenges posed by modern threats. Certifications minimize the work involved in the procurement process, but they don’t remove it. The remaining responsibility falls on the buyer to understand the standards and ask questions to make sure their privacy and security needs are truly covered.