Do SOC 2 and ISO 27001 the Right Way with CSA STAR
Published 06/21/2024
At the CSA Cloud Trust Summit 2024, CSA’s CEO Jim Reavis gave the presentation “Do SOC 2 and ISO 27001 the right way with CSA STAR.” In this condensed transcript of the presentation, Jim provides an overview of the SOC 2 and ISO 27001 frameworks and how they relate to the CSA STAR program. You can watch Jim’s full presentation here.
Two Cardinal Conformance Frameworks That Guide CSA STAR
I find that there's an awareness gap on what we’ve developed with CSA STAR. It leverages SOC 2 and ISO 27001, resulting in more efficient compliance and assurance. In this presentation, I want to provide an overview of cloud assessment, how it works with these different frameworks, what they mean, and then how it relates to what we're doing with STAR. Let’s start with understanding what SOC 2 and ISO 27001 are.
About SOC 2
Note that I'll be referring to AICPA SOC 2 Type 2 just as “SOC 2.”
SOC 2 was developed by AICPA to be used by service organizations of many types. Its forerunner, SAS 70, was developed in 1992 for auditing information security controls. In 2010, SSAE 16 was created and it replaced SAS 70 with SOC 2, which is when the internal controls for the Trust Services Criteria were articulated. The current version of this is SSAE 18. It's also important to know that SOC 2 reports are restricted use reports that cannot be released publicly.
About ISO/IEC 27001
This comes from British standard BS 7799 - a very long and esteemed heritage. ISO 27001 v1 was published in 2005, with a couple of revisions in 2013 and 2022. It was designed for traditional IT environments, focusing on very comprehensive information security management systems. It's the gold standard. It's applicable to any type of organization, not just IT companies or cloud service providers.
Critical Foundations for STAR
Very early on, when we were starting to create our own cloud-specific control frameworks, we looked at whether we needed to create our own conformance framework for auditing in the cloud.
And we came back and said absolutely not - the ISO tools and the AICPA SAS 70 were terrific. They were doing everything they needed to do. We didn't need to reinvent the wheel and create our own completely new audit framework and procedures. ISO and AICPA are good tools, but we think they have the wrong use in many cases.
The Key Elements Needed in a Cloud Security Assurance Program
Accounts for Complexity
It's very important to understand that modern SaaS applications are complex. You have an infrastructure provider, and you may have a lot of other services that are mashed up into a single cloud SaaS application. It can be a lot of players, a lot of vendors, and a lot of different technologies that make their way into it.
Clear Scope of Applicability
Then we go into the scope of an audit. We're thinking about the people, process, and technologies that interact and could impact the security of a system. We don't want to be too broad and we don't want to be too narrow. We want to be just right to make sure that we get the correct results. We don't want vulnerabilities and control weaknesses to go undetected because we just didn't feel they were in scope.
Transparency
Transparency is obviously really important as well. There's the phrase “don't do security by obscurity,” but it's extra important when you are a cloud customer. And maybe in previous generations, where it was all on-premise, you had it all in your purview. Now, the more transparency we have, the easier the evaluation and procurement phases are.
Shared Security Responsibility Model
It's really important that the service providers and the customers understand that shared responsibility. What's the provider responsible for? What am I responsible for? Where are there things that we're both responsible for?
Introducing the STAR Program
The CSA STAR program is something that's been around for a long time. We started it in 2011 and now we have over 2,500 registered provider entries. We have several countries that have adopted this, such as Italy, which requires STAR for cloud providers that provide services to government ministries. It's also required by a lot of enterprises before they'll do business. We see this referenced in many different industries, sectors, and countries around the world.
There are six pillars to the program. It's very comprehensive. I'm going to drill down a little bit on the Cloud Controls Matrix (CCM), our STAR Assessment Portfolio, and the STAR Registry.
The Cloud Controls Matrix
The CCM was first released in 2010. This is the industry standard for cloud control objectives. We have 197 controls and 17 domains. These are integrated with our CAIQ questionnaire, which has the questions that assessors use to determine the presence of controls that meet those 197 control objectives.
The STAR Assessment Portfolio
STAR Level 2 is our third-party assessment. It has different iterations: STAR Attestation is SOC 2 enhanced with CCM and cloud-specific guidelines, while STAR Certification is ISO 27001 enhanced with CCM and some other guidelines.
STAR Level 1 is our self-assessment, something that an organization can fill out themselves to describe their controls. For someone to qualify as a Level 2, not only do they have to do the third-party assessment, but they also have to have a companion self-assessment that is published on our STAR Registry. This is where the transparency aspect comes in. It becomes a very good companion for people to make sure that cloud providers are doing the right thing.
So again, STAR Certification is completely compliant with all of the ISO requirements you'd expect for a 27001 certification body. STAR Assessors have to have our Certificate of Cloud Security Knowledge (CCSK). We really make sure that they understand the cloud.
Similarly, with STAR Attestation we're combining the Trust Services Criteria with the CCM. The CPAs doing this have to have our CCSK.
Using the STAR Registry
To look at that Level 1 self-assessment, you can go here. You'll find all the leading cloud security companies, SaaS providers, and many more. You can drill down and understand their responses on a control-by-control basis. It's very rich information, but it gets even better than that. Because the Level 2 cloud providers are required to have that self-assessment, you can see what they believe their responsibilities are and what you're supposed to do.
Breaking Down STAR by Stakeholder
Enterprise Cloud Consumers
Instead of asking for a SOC 2 from your cloud service provider, ask for a STAR Attestation because then you essentially get both.
By the same token, instead of asking for an ISO 27001 certificate, ask for a CSA STAR Certification. Again, you're getting both.
Then use that companion STAR Level 1 self-assessment and the newly-released CCM Implementation Guidelines to really assure that the cloud service meets your exacting requirements and to understand the additional steps you must take to really lock it down.
Cloud Service Providers
Work with your auditor or your certification body to achieve STAR Level 2 instead of just a SOC 2 or an ISO 27001. It's not two full separate engagements. Your mileage may vary, but some say it was only 10 extra hours to make sure they covered CCM and the specific cloud requirements. Understand that it's a marginal and incremental cost that you would incur to provide this one engagement that meets both of these needs.
Auditors and Certification Bodies
Offer STAR Level 2 instead of just the more vanilla SOC 2 or ISO 27001. You'll be differentiated in the market and you'll be providing a more appropriate solution.
In Conclusion
To sum it up, ISO 27001 and SOC 2, they're terrific. We love them. We could not have done what we've done without them. However, you have this inappropriate scope of applicability. The shared security responsibility can be unclear. We lack transparency. STAR Level 2 is the answer to all of that.
Related Articles:
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024
Managing AI Risk: Three Essential Frameworks to Secure Your AI Systems
Published: 11/19/2024