Cybersecurity compliance evaluations like SOC 2, ISO 27001, and HIPAA might have one set of standards set by one overseeing organization, but the independent auditors who audit companies for these standards can have drastically different approaches.
The result? Programs that are compliant being forced to do extra, meaningless work – or worse – companies that don’t meet all of the requirements still squeaking by with their ISO certification, or without an exception on their SOC 2 assessment.
Unfortunately, this is something we’ve seen in practice. Read on to learn more.
What a typical auditor relationship looks like.
External cybersecurity audits are actually more collaborative than you would think. Most auditors don’t sit down with the intention of busting your company on every little thing you’ve done wrong. They usually want to see the companies they work with succeed and sometimes provide help and advice to get them there.
Before COVID made work remote, an audit was typically a very intensive, short period of time where the auditor was on-site. Remote collaboration has slowed down the audit process somewhat. An audit usually starts with a kick-off call with the auditor and key stakeholders at the company present. A plan is created for how the audit will proceed that everyone agrees to, and work begins. Evidence is collected and submitted to the auditor, who reviews it. Once all is collected, a report is created.
Every auditor has their own preferences about what counts as evidence for various controls, especially for SOC 2. Some auditors focus closely on a certain selection of controls and evidence, while spending less time on others. Good auditors will maintain two-way communication on these subjects, clearly state their preferences throughout the process, and provide feedback as companies submit evidence for them to review.
However, good auditors still must grade your company fairly and mark exceptions on the report or deny you certification if you fail to meet the standard.
Get your ISO 27001 without being ISO 27001 Compliant?
SOC 2 is a lot more customizable than ISO 27001, which has a number of more specific requirements companies must meet in order to get the certification. Because of this, we always tell our clients that “X is what the standard says” and encourage them to meet it.
The following story is real, with fake names.
In one audit, we had a client, Sample Co., that did not meet one element of the ISO standard despite what we coached them to do. Why didn’t they bother? Because their ISO auditor didn’t enforce it. They got their ISO 27001 certification, but weren’t fully compliant.
Later on, Sample Co. received an audit from one of their partners, ACME Inc., who was running due diligence for their own vendor management program. The auditor ACME brought in to perform the audit was also an ISO auditor, who easily identified the discrepancy between Sample Co.’s security program and the ISO 27001 standard.
“I don’t understand how you passed ISO,” he said.
While Sample Co. bears the responsibility for not being compliant, it’s understandable how they got there. Like a little kid being told they can’t leave the dinner table until they finish their vegetables, compliance incentivizes action that otherwise might not be performed. If someone isn’t going to check the work, it’s tempting to not do it. If the dog just so happens to eat those lima beans while mom and dad look away, is the kid compliant? Well, it looks like they are.
A good auditor would not have given Sample Co. their ISO 27001 certification.
Our advice for companies pursuing ISO 27001: always meet the standard!
Bad Auditor for HIPAA – You May not Know until Too Late
HIPAA, the law, doesn’t technically require an external audit to be compliant, but many companies will have an external auditor perform an assessment of their compliance program anyway. This is done to help the companies find and remediate holes in their program, and to have a report they can share with key partners or potential clients.
A bad HIPAA auditor might present a long-tail risk to your business. If the auditor approves your HIPAA audit while leaving something unknown, you may have false confidence in your compliance program. And unless your company has a breach, you may never know that something is wrong.
But if there is a breach, and the Department of Health and Human Services comes to give you a real governmental audit, you might end up buried in fines.
How to Select a Good Auditor
There are two things to consider when selecting an auditor for your cybersecurity compliance program: specialization and reputation.
Any CPA firm might technically be able to do SOC 2 audits, but firms often have specializations. The CPA firm down the street that does taxes for small businesses in town might be excellent at doing just that – but if they aren’t used to SOC 2, they probably aren’t the right choice for your business.
Make sure the firm you select is well-practiced at performing SOC 2 audits specifically!
For ISO 27001, select an auditor that is used to working with companies of your size and scale. If you pick an auditor that usually works with businesses smaller or larger than yours, they may have habits or practices that lead them to overlook something relevant to your environment.
Lastly, make sure the audit firm you select has a good reputation among other companies. You want to avoid so-called certification mills. They’ll give you a stamp of approval, but other businesses will find out that stamp is meaningless!