Incident Response Planning for SOC 2 and ISO 27001

Learn how the traditional approach no longer meets the minimum criteria for the world’s most popular cybersecurity compliance frameworks.


Incident response planning is a critical component of any organization’s security strategy. It helps organizations anticipate and prepare for potential security incidents, breaches, and other disruptive events, so they can minimize the impact and get back to normal operations as quickly as possible. As part of the planning process and to demonstrate their security posture to customers, partners, and regulators, many organizations build their program against cybersecurity compliance frameworks, standardized sets of guidelines, best practices, and requirements for implementing and maintaining effective cybersecurity controls in an organization.


One common framework that organizations leverage is the Service Organization Control (SOC) 2 framework developed by the American Institute of Certified Public Accountants (AICPA). SOC 2 is a set of security and privacy standards that are specifically designed for service providers. It covers a wide range of security and privacy controls, including physical security, access control, and data protection. The SOC 2 standard includes five trust services criteria, also known as trust service principles:

  1. Security: The system is protected against unauthorized access, use, disclosure, disruption, modification, or destruction.
  2. Availability: The system is available for operation and use as committed or agreed.
  3. Processing integrity: System processing is complete, accurate, timely, and authorized.
  4. Confidentiality: Information designated as confidential is protected as committed or agreed.
  5. Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles.

To meet these trust services criteria, service organizations must have appropriate controls in place and must be able to demonstrate that these controls, including for incident response, are operating effectively. SOC 2 has two different types of audits, known simply as Type I and Type II, that are conducted to evaluate the trustworthiness of an organization’s controls; Type I audits focus on the design of controls, and are typically audited over a single day, while Type II audits focus on both the design and operating effectiveness of controls, and are typically audited over a few months to a full year.

Another widely used framework is the International Organization for Standardization (ISO) 27001 standard, which provides a set of best practices for managing and protecting sensitive information. ISO 27001 was developed as a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It helps organizations protect their sensitive data and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

ISO 27001 is based on a risk management approach, which means that organizations are required to identify, assess, and prioritize their information security risks, and then implement controls to mitigate those risks. Given that incidents and breaches are among the top risks for most businesses, the standard includes detailed requirements for incident response processes. ISO 27001 is a widely recognized and respected standard, and it is used by organizations around the world to help ensure the confidentiality, integrity, and availability of their sensitive information.

External Audits

Both ISO 27001 and SOC 2 require external audits to verify that an organization’s controls are operating effectively and meet the requirements of the respective standards. These audits are typically conducted by qualified CPA firms or other auditors that have the necessary expertise and independence to conduct the audits.

In the case of ISO 27001, a certification audit is conducted to verify that an organization’s ISMS meets the requirements of the standard. The certification audit is typically conducted by a third-party auditor who is accredited by a national accreditation body. The auditor will review the organization’s ISMS documentation, observe processes and procedures in action, and test controls to verify that they are operating effectively. The auditor will then prepare a report that summarizes their findings and provides a recommendation for certification.

For SOC 2, the audit is called a service auditor’s report, and it is conducted to evaluate the trustworthiness of an organization’s controls related to security, availability, processing integrity, confidentiality, and privacy. The service auditor’s report is based on an independent audit conducted by a qualified certified public accountant (CPA) firm. The auditor will review the organization’s controls and test them to verify that they are operating effectively. The auditor will then prepare a report that summarizes their findings and provides an opinion on the effectiveness of the organization’s controls. Both the ISO 27001 certification audit and SOC 2 service auditor’s report are considered final reports and are intended to provide assurance to customers and other stakeholders that the organization’s controls meet the respective standards and are operating effectively.

Incident Response Criteria

Both standards focus on the ability of organizations to conduct incident reporting and response. These high-level criteria outline what is relevant to both ISO 27001 and SOC 2 when it comes to incident response:

  1. An incident response plan that outlines the steps to be taken in the event of a security incident or breach.
  2. A process for identifying, assessing, and prioritizing security incidents based on their potential impact and severity.
  3. Procedures for responding to and containing security incidents to minimize their impact and prevent further damage.
  4. A system for tracking and documenting all security incidents and their resolution.
  5. Training and awareness programs for employees to help them identify and report security incidents.
  6. Regular testing and review of the incident response plan to ensure that it is effective and up to date.
  7. Regular communication with stakeholders, including customers and partners, about security incidents and their resolution.
  8. A process for reviewing and improving the incident response plan based on lessons learned from past incidents.

These frameworks, and the auditors measuring organizations against them, tend to adapt slowly to new technologies and new procedures. For example, until recently many organizations being audited for incident response have been able to get away with a simple spreadsheet or a generic templated plan to meet these criteria. With the continued growth of incidents, auditors are beginning to recognize that this approach doesn’t fulfill the SOC 2 and ISO 27001 incident response criteria and are holding companies to a higher standard.

Planning Incident Response

Ultimately, auditors are beginning to look for organizations that are proactively building resilience and readiness for attacks. We can boil the above criteria down into four steps that teams can take to proactively develop a reliable and useful approach for accelerating incident response compliance:

  1. Identify potential incidents: The first step in incident response planning is to identify the types of incidents that are most likely to occur. This might include cyber attacks, disclosed data, or lost laptops. Incidents won’t always be detected, so teams need a process for anyone inside and outside their organization to report them.
  2. Assess the impact: Next, organizations should assess the potential impact of each identified incident. This includes evaluating the potential financial and operational impact, as well as the potential impact on customers and stakeholders. Identifying the relevant laws should be a key part of this assessment, more than ever now, with over 180 laws across 120 countries that may apply during even a small incident.
  3. Develop a tailored response plan: Based on the identified incidents and their potential impact, organizations should develop a detailed response plan specific to each incident type and to their organization. This should include the specific steps to take in the event of an incident, in the right order and taking into account relevant deadlines, as well as guidelines for communication and collaboration with law enforcement and key stakeholders.
  4. Test and refine the plan: Once the incident response plan is in place, it’s important to exercise and update it regularly. This might include conducting drills or simulations to ensure that the plan is effective and that all relevant parties know their roles and responsibilities.

These steps can’t truly be accomplished without proactive focus: capturing the key stakeholders, including customers, partners, and regulators, along with their requirements, and building a set of tailored action plans for each type of incident that the organization is likely to face. Technology is a critical component here, and more businesses are leveraging automation to take care of these steps in order to meet the auditors’ higher bar more quickly and easily.

By following these steps and truly adhering to the requirements of the SOC 2 and ISO 27001 frameworks, organizations can create a robust and proactive plan for incident response that helps them effectively handle disruptive events of all sizes and minimize their impact moving forward.
