At InfusionPoints, we have just completed the onsite portion of our ISO 27001 and SOC 2 audit, and expect to hold our ISO 27001 certification and SOC 2 report, alongside our existing ISO 9001:2015 certification for our Cyber Security Center, in the near future.
We have spent years helping our customers improve their security posture and achieve compliance, but going through the audit ourselves still taught us some lessons. InfusionPoints' President, Gary Daemer, and CTO, Jason Shropshire, sat down to discuss their thoughts on the audit process and how the experience will help us better support our customers going forward.
InfusionPoints started as a traditional cybersecurity firm. In 2013, we began operating the Dell Cloud for US Government, which led us to establish our Cyber Security Center in western North Carolina and to develop our VNSOC360 managed security service. ISO 27001 certification and a SOC 2 report are the attestations our customers look for as evidence that we follow security best practices in our own internal security operations, and they will provide credibility and confidence in our cloud and managed security services practice going forward.
Preparation began with an internal project for the effort, leveraging InfusionPoints' program management capabilities. We then mapped the security control frameworks we know best, including NIST 800-53 and FedRAMP, to the ISO 27001 controls and the SOC 2 trust services criteria. Next, we performed a gap analysis; most of the gaps concerned our ability to generate appropriate evidence for controls we were already operating, rather than missing controls. We also strengthened our internal audit program, ran mock audits, added quality reviews, and developed live test scenarios for the auditors to observe.
The actual audit was eye opening for us. It is one thing to sit in an audit alongside a customer; it is a different experience when your own organization is under the microscope. Part of the stress came from learning the auditor's language and understanding how the ISO framework maps back to the NIST controls we are used to. The process gave us three first-hand insights. First, organizational change management matters, and it can be more difficult for our customers than it was for us. Second, you need a firm understanding of how audit preparation affects the organization and the other initiatives already underway. Third, certification is not a one-time event; it requires a long-term continuous improvement approach.
Overall, we think our customers should follow a few guiding principles, especially around continuous improvement for security. This is nothing new -- security is a process, and you are never done. Know what you are doing, keep good documentation, focus on meeting the requirements, and measure the results through testing. Make ISO 27001 and SOC 2 work for you, and leverage them as tools that benefit your organization rather than as a box to check.
InfusionPoints can help! Contact us today!