I find it interesting that most people look at security frameworks as an either/or proposition. Should I use SOC2 or ISO-27001 or FedRAMP? I think the better question is how can I use multiple different security frameworks to my advantage?
Recently, during an Information Security Management System (ISMS) internal audit for one of our ISO-27001 certified customers, one of those opportunities to leverage an additional “framework” (in this case Shared Assessment) presented itself. What we found during the audit was that their vendor risk management practices were not as “robust” as they should be, considering the risk associated with several of their vendors. ISO-27002 (2005 edition numbering) has several controls that focus on vendor risk management: 6.2 addresses identifying and communicating the risks associated with external parties, and 10.2 addresses ongoing monitoring and review of third party service delivery. While they had the basics in place, what they really lacked was a formal, robust program, and that was increasingly becoming a problem due to hyper growth and a growing reliance on “the cloud”.
We suggested that leveraging the Shared Assessment Program might be simpler and more effective than developing their own:
- The Program scales easily to vendors with different risk profiles through its tiered tools (e.g., SIG Lite and the full SIG questionnaire for self-assessment, and AUP for on-site, evidence-based verification of higher-risk vendors).
- The Program is based around the ISO standards which they are already using.
- Should they need third party support (e.g., to conduct a third party audit on their behalf) there are dozens of firms familiar with the Program.
- The tools to conduct and score the audits and manage the program across vendors already exist.
One other positive of the Program for ISO-27001 certified companies is the new Shared Assessment Vendor Risk Management Maturity Model (VRMMM). It can be used to assess (score) the current maturity of your vendor risk management program, and re-scoring it periodically gives you a repeatable metric to track. This is a great way to satisfy the measurement and continual improvement requirements of an ISO-27001 ISMS.
So rather than ISO-27001 OR Shared Assessment we ended up with ISO-27001 AND Shared Assessment. To me it’s a 1 + 1 = 3 situation.
John Verry, Security Sherpa for Pivot Point Security, has led hundreds of high-profile security assessments across a diverse cross-section of noteworthy systems in the government, legal, telecommunications, critical infrastructure, finance and transportation sectors over the last dozen years. Verry takes his role as “Sherpa” (guide) quite seriously, believing that security is a path not a destination; he is committed to helping entities of all sizes and shapes achieve their security goals. As a certified ISO 27001 Lead Auditor, John is a proponent of the ISO framework to help companies establish, maintain and continuously improve a robust Information Security Management System (ISMS).