You might start out by asking: which compliance standard is best for us? But once you explore the realm of standards, it's common to land on more than one.
You might have customers asking about multiple standards. Or you might operate across different geographies and industries, with a mix of regulations and customer requirements involved. There is huge duplication across standards, so it often makes sense to tackle them together.
Our new packages have been popular for that reason: why not achieve multiple business outcomes from a single project, for a marginal amount of extra cost and effort?
Here are the 10 standards commonly considered by cloud services companies looking to satisfy global customers across industries.
System and Organisation Controls 2 (SOC 2) Trust Services Criteria
SOC 2 is often referred to as the most commonly accepted standard. It works best to open doors by proving a base level of information security maturity, and it satisfies most customers' requirements to start doing business with you. It is an attestation report issued by a CPA firm under AICPA standards rather than a certification: a Type 1 report covers control design at a point in time, and a Type 2 report covers operating effectiveness over a review period (typically 6 to 12 months), which is what most enterprise customers ask for. Its flexibility also enables various ways to expand it: the optional Trust Services Criteria for availability, confidentiality, processing integrity and privacy can be added to the mandatory security criteria. It's also commonly used as "SOC 2+" to combine other bespoke requirements or regulations into a single report. SOC 2 takes real effort for any business, but the flexible criteria and practical focus make it an adaptable standard that a business of any size can achieve.
Difficulty rating: 4/10
ISO/IEC 27001 Information Security Management
This international standard for information security management systems (ISMS) has a best-practice focus. Its prescriptive nature, in both the requirements to comply and the way audits are conducted, tends to give this standard a bad name. It can be very painful, with a broad and stringent set of requirements and several days of business disruption for the audits; certification also runs on a three-year cycle, with a two-stage initial audit followed by annual surveillance audits and a recertification audit at the end of the cycle. It's not easy to achieve, but it is viewed favourably around the world by large enterprise. Additional ISO standards such as ISO/IEC 27701 (privacy information management) and ISO 22316 (organisational resilience) cover the areas that SOC 2 handles through its optional Trust Services Criteria, but as separate standards rather than as additions within ISO 27001.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is the de facto expectation, or even a requirement, for doing business in the US healthcare industry. Although it's a US regulation that applies to protected health information (PHI) handled by covered entities and their business associates, in practice it's often used to satisfy non-American healthcare customers, and to vet service providers even where no patient data is collected or used. It has some prescribed requirements (the Privacy, Security and Breach Notification Rules) and a broad set of regulatory criteria that can be daunting for those without experience in this regulation. Since there's no formal certification scheme or accreditation, it allows a lot of flexibility in how compliance is achieved and demonstrated to stakeholders, which makes it a little easier to combine with other standards and to work with a preferred audit partner. Expect enterprise healthcare customers to ask you to sign a Business Associate Agreement (BAA) alongside whatever evidence you provide.
General Data Protection Regulation (GDPR)
The European Union's General Data Protection Regulation (GDPR) was a sweeping step forward in consumer privacy rights when it came into force in 2018. Various countries, and even individual states, have since refined or introduced their own privacy regulations, but GDPR is still seen as the global benchmark. It applies to the personal data of people in the EU regardless of where the service is located or what type of service it is, which means it impacts most global technology companies and is a key consideration for ambitious growing companies. The key difference based on your type of service: if you're B2C you are regulated directly as a controller and may be fined for non-compliance. If you're B2B that also applies, since processors have their own obligations (a processor contract under Article 28, appropriate security measures, and breach notification to the controller), but perhaps more significantly you also need to prove and attest to your compliance to large enterprise customers, to satisfy their obligations and mitigate their own risk of non-compliance.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (2018), since amended and expanded by the California Privacy Rights Act (2020), has similarities with the GDPR in how it applies to the personal data of California residents. In contrast, it puts additional focus on the sale (and, since the CPRA, sharing) of personal information, on financial incentives offered for the collection of data, and on thresholds (annual revenue, number of consumers or households, and share of revenue from selling personal information) that determine whether a business is covered at all. Many providers dabbling in data about California residents fall under those thresholds and dodge the heaviest obligations of the CCPA. Although it requires some subject matter expertise, and the requirements vary according to your use of data, it's generally an easy regulation to comply with and to prove your compliance.
Australian Open Banking / Consumer Data Right (CDR)
The Consumer Data Right is Australia's open data scheme. Accreditation under the scheme is required in order to receive data from the organisations it covers (e.g. banks, and in time enterprises across the economy that collect consumer data). Although this is an Australian slant, similar regimes are already in action or anticipated in other countries (e.g. the UK's Open Banking regime, with rules built on PSD2). These have a similar focus on core information security and privacy, to ensure consumers' rights are protected through the sharing and subsequent use of their data. It's early days for open data standards, but they're widely anticipated to transform the tech industry's products and use of data.
System and Organisation Controls 1 (SOC 1)
The System and Organisation Controls standards are the oldest on this list, with a lineage going back to SAS 70 in the 1990s. SOC 1 is the current generation of that line of standards, which has had various iterations and country-specific versions (FRAG 21, SAS 70, ISAE 3402, ASAE 3402, SSAE 18, and so on). These standards are focused on financial reporting objectives, reporting on the controls at a service organisation for the general purpose of satisfying customers' external audit requirements, which may include Sarbanes-Oxley internal controls over financial reporting. SAS 70 reports were widely used as a proxy for information security assurance before SOC 2 was introduced for that purpose. SOC 1 continues to be common where you have publicly listed enterprise customers.
Cloud Security Alliance STAR Program (CSA STAR)
The Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) program has three levels, all based on the CSA Cloud Controls Matrix (CCM): level one is a self-assessment (the CAIQ questionnaire), level two is a third-party certification (STAR Certification, layered on ISO 27001) or attestation (STAR Attestation, layered on SOC 2), and level three is continuous auditing. This program and standard are growing rapidly as cloud security threats evolve and the older, general-purpose standards above only go so far to address those threats and modern assurance requirements. Level two is where CSA STAR is most commonly used to satisfy stakeholders, including customers, that your security practices meet their requirements.
HITRUST CSF
HITRUST is a private organisation that developed a master framework, the Common Security Framework (CSF), designed to be the all-inclusive approach. You'll hear most people say this is one to avoid at all costs, but enterprise healthcare in particular drives this standard to ensure their interests and compliance requirements are covered. The CSF harmonises other sources: HIPAA as a sub-component, general information security controls like those covered in ISO 27001, and generally a rigorous, best-practice focus on governance, risk and compliance.
Environmental, Social, Governance (ESG) / Sustainability Reporting
The list can't be complete without a mention of environmental, social and governance (ESG) reporting. It's in its early stages, but all signs point to it becoming as significant as information security assurance as public pressure mounts and enterprises need to satisfy their commitments, which include their use of third parties and those impacts by extension. ESG is not a standard per se, it's a subject area; we have developed our own ESG standard to plug a market gap and enable any business to report its ESG practices to enterprise customers and other stakeholders. In the broader market, GRI, SASB, CDP and B Lab's B Corp certification are a few of the main standards and certification schemes.
What's best for your business?
Most B2B cloud services businesses comply with at least one of the above standards, most commonly starting with SOC 2 or ISO 27001. These two standards benefit from broad recognition. They establish a baseline of information security and compliance practices that lays a good foundation for working with enterprise customers and for the other standards on the list.
About 50-70% of those companies also comply with one or more other standards from the list above. Despite being very similar, SOC 2 and ISO 27001 are often both achieved to satisfy the varying preferences of enterprise customers. SOC 1, HIPAA and the Consumer Data Right (CDR) all fit neatly alongside SOC 2, and are largely also addressed by ISO 27001. It's common that these are added to the baseline to satisfy large publicly listed companies (SOC 1), healthcare customers (HIPAA), or to achieve accreditation to participate in Open Banking as a fintech (CDR). For companies operating globally and collecting some form of personal data (most cloud services businesses), the privacy regulations apply based on where the people whose data you hold are located, not where you are: the GDPR for people in the EU, and the CCPA for California residents.
Then there's a smaller group, roughly 10%, that see compliance as a competitive advantage, or otherwise want to ensure all bases are covered to reduce friction in selling into and serving enterprise customers. That's where CSA STAR, HITRUST and/or ESG reporting are used to bolster the compliance program and demonstrate best-in-class compliance.
Where to start?
After reading this list, you may still be wondering: what's actually involved in each standard? How long would it take to achieve? What sort of cost can you expect (including your team's time)? Is it realistic and achievable for your business?
The good news is, we have free software to help you answer those questions. In around 60-90 minutes you can assess yourself against the above standards to see exactly where you do and don't comply. The tailored outputs give you a baseline of your existing state, with recommendations to close the gaps and achieve compliance. Our software is also built to remove the huge amount of duplication between these standards, so there's no harm in starting with a longer list of potential standards and narrowing it down later.