Insight On Evolving Practices: Secure Controls Framework (SCF)
Hackers share information on attack methods with other hackers, so why shouldn’t the good guys share information on how to best protect an organization? That concept led a coalition of cybersecurity and privacy experts to take action and make a difference.
The result is the Secure Controls Framework (SCF). The SCF is focused on helping companies become and stay compliant with a vast array of cybersecurity and privacy requirements. The glue that ties Governance, Risk and Compliance (GRC) together is a uniform set of controls.
The goal of the SCF is to provide a free solution to businesses that addresses cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of its size, industry or country of origin. ZenGRC is in the process of adopting the SCF as a control set that customers will be able to use. Within ZenGRC, the SCF enables companies to utilize one control set to manage multiple requirements.
Using the SCF to operationalize cybersecurity and privacy requirements involves a simple process of distilling expectations by first identifying the statutory, regulatory and contractual obligations that are applicable to your organization.
Statutory Obligations – These are US state, federal and international laws
Regulatory Obligations – These are requirements from regulatory bodies or governmental agencies.
Contractual Obligations – These are requirements that are stipulated in contracts, vendor agreements, etc.
Industry-Recognized Leading Practices – These are requirements that are based on an organization’s specific industry.
Knowing these requirements allows an organization to filter the SCF to address only those controls that are applicable.
If you are interested in learning more, please contact us to request a demo or to speak with a GRC expert who can help answer any questions you may have on how the SCF would be applicable to your company.
To learn more about SCF, email your GRC Expert at engage@zengrc.com.
Blog
A HIPAA Technical Safeguards Risk Assessment Checklist
The HIPAA Technical Safeguards Requirement focuses on storing electronic Protected Health Information (ePHI). While the Security Rule focuses on security requirements, the technical safeguards requirements focus on the technology. Healthcare providers, covered entities, and business associates must undergo audits to prove regulatory compliance so that they can assure new customers of their security posture. Beginning the road to HIPAA compliance requires assessing security risk and mitigation controls.
A HIPAA Technical Safeguards Risk Assessment Checklist
What is HIPAA?
HIPAA was enacted in 1996 to protect information as people moved from one job to another. The US Department of Health and Human Services (HHS) additionally passed the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
In 2005, the HIPAA Security Rule focused on electronically stored PHI (ePHI). This update created three types of compliance safeguards. “Administrative safeguards” refers to policies and procedures that show compliance. Physical safeguards include controlling access to data storage areas. Technical safeguards incorporate communications transmitting PHI electronically over open networks.
Who is a healthcare provider?
According to HIPAA, healthcare providers include doctors of medicine or osteopathy who are authorized to practice medicine or surgery (as appropriate) by the State in which they practice or any other person determined by the Secretary to be capable of providing health care services.
If a person or organization engages in practicing medicine or helping treat sick people, HIPAA applies to them.
What is a covered entity?
HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically.
What is a business associate?
This term broadened HIPAA’s reach. The law defines a business associate as any person or entity that involves use of or disclosure of protected health information on behalf of or while providing a service to a covered entity.
This broad definition incorporates everyone from third-party administrators assisting in the healthcare claims processing area or certified public accountants whose advisory services involve accessing protected health information. Functionally, if a person or company may at any time see any information that identifies a patient, the healthcare provider or covered entity should make sure the business associate is HIPAA compliant.
What Can I Do To Get Compliant?
Risk assessments are the first step to HIPAA compliance. The risk assessment helps determine the locations of greatest vulnerability. The Office of the National Coordinator for Health Information Technology created the Security Risk Assessment Tool to help organizations identify their most significant risks by establishing 156 questions.
Within those 156 questions, the Security Assessment Tool breaks them up into three categories: administrative safeguards, technical safeguards, and physical safeguards.
What are technical safeguards?
The HIPAA Security Rule requires that covered entities and business associates protect ePHI by creating controls to create a secure IT environment. Leaving ePHI unsecured creates both a legal liability under HIPAA but also places confidentiality, integrity, and availability of patient information at risk.
Risk Assessment
- Create an inventory of all information systems within your environment including hardware, software, applications, and electronic devices.
- Review roles and responsibilities for information risk.
- Determine risk associated with remote access
- Review business associate roles and risks to ePHI.
- Identify information system components and electronic devices with data capabilities.
- Review key audit events, such as activities that create, store, and transmit ePHI, to create risk-based categorizations for audit timings.
- Assess and measure intentional or malicious disclosure risk arising out of information transmission or reception.
- Review authentication requirements to ensure scalability, practicality, and security when balancing ease of ePHI access and protected information systems that adequately mitigate risk.
- Assess and measure unintentional or malicious information access or modification when being prepared to transmit or when being received.
Technical Safeguards Plan and Policy
- Establish technical policies and procedures for electronic information systems maintaining ePHI focusing on authorized access.
- Share with workforce members access control policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
- Share with workforce members procedures that enable implementation of access control policy and associated access controls.
User Authorization/Segregation of Duties
- Review user activities for creation, storage, and processing of ePHI within information systems.
- Separate workforce member duties and service provider duties to define ePHI access authorizations to support segregation of duties.
- Use the principle of least privilege/minimum necessary access for ePHI.
- Enforce role-based access control (RBAC) policies based on workforce member and service provider duties and needs.
Identification and Authorization
- Share with workforce members identification and authorization policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
- Create unique identification for each workforce member within a group account to establish accountability.
- Assign a unique name and/or number to track and identify user activity.
- Establish and implement registration process including supervisory authorization for new identifiers.
- Prohibit reuse of information system account identifiers.
- Identify information system components and electronic devices with auto log-off capabilities.
- Implement electronic procedures that limit activity time and terminate session automatically.
- Enforce session locks for inactivity or user request.
- Establish rules for continuing session lock until user reestablishes access with appropriate identification and authentication procedures.
- Incorporate authentication measures such as passwords, tokens, biometrics, or some combination of these to create multifactor authentication.
- Establish short-term emergency accounts allowing emergency access.
- Create automatic removal or deactivation of emergency accounts once business operations return to normal.
Contingency Plan and Policy
- Establish and implement procedures for obtaining ePHI during an emergency.
- Cleary define emergency and circumstances triggering contingency plan including natural and environmental threats as well as human threats such as unauthorized employee or service provider access.
- Identify individual responsible for activating emergency access method.
- Ensure RBAC policy defines workforce and service provider roles and access based on defined user roles.
- Implement RBAC policies and employ audited and automated access control mechanism overrides for emergency situations.
- Establish an alternate storage site with necessary agreements to permit storage and retrieval of exact copies of ePHI.
- Ensure alternate storage site provides information security safeguards comparable to your own.
- Identify roles and responsibilities for ePHI access and critical information systems needed during an emergency within contingency plan.
- Incorporate into contingency plan essential activities and associated requirements including roles, responsibilities, and process to restore systems, including emergency access termination and reinstitution of normal access controls. Share with workforce members the contingency planning policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
- Establish predetermined time period and implement restoration capability of information systems to match this period.
Systems and Communications Protection
- Implement encryption and decryption mechanism for ePHI.
- Implement cryptographic mechanisms to prevent unauthorized ePHI disclosures.
- Implement cryptographic mechanisms to detect information changes during transmission unless physical security controls protect information.
- Share with workforce members a systems and communications policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Information Integrity
- Implement policies and procedures to protect ePHI from improper alteration or destruction.
- Implement technical security measures to protect ePHI transmitted over an electronic communication network.
- Implement security measures to ensure ePHI transmitted electronically is not improperly modified without detection prior to regulatory disposal time.
- Incorporate “Identification and Authorization” and “Systems and Communications” protections as part of guarding against threats and vulnerabilities to information integrity.
- Establish and implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed improperly.
- Use integrity verification tools to detect unauthorized changes.
- Implement procedures to verify the identity of a person or entity seeking ePHI access.
- Provide management notification of any discrepancies during integrity validation.
- Share with workforce members an information integrity policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Internal and External Audit Requirements
- Identify and periodically review and update key audit events such as activities that create, store, and transmit ePHI.
- Identify and periodically review and update key audit even events that are significant to securing information systems and their environments to support ongoing audit needs.
- Determine audit scope and frequency based on risk categorization of key audit events.
- Share with workforce members an audit and accountability policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
- Implement hardware, software, and/or procedural mechanisms that record and examine information system activities if those systems contain or use ePHI.
- Configure information systems and components so they automatically capture and generate audit records.
- Ensure these records contain information establishing event type that occurred, when it occurred, where it occurred, its source, and the outcome.
- Collect identity information for individuals and subjects of the even.
- Periodically review or analyze information system audit records for indications of inappropriate or unusual activity.
- Provide audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements that does not alter original content or time ordering of records.
- Conduct backups of user-level, system-level, and security-related documentation for ePHI.
- Test continuity and emergency operations to ensure activation of emergency access.
- Test RBAC policies to ensure the assigned individual has appropriate emergency mode access and permissions to ensure continuity.
- Allocate audit storage capability based on audit types and audit processing requirements and configure systems to periodically transfer audit records to an alternate system or media for effective storage utilization.
For information on how ZenGRC can help your organization get compliant more quickly, schedule a demo.
A HIPAA Security Rule Risk Assessment Checklist For 2018
The HIPAA Security Rule focuses on storing electronic Protected Health Information (ePHI). Healthcare providers, covered entities, and business associates must undergo audits to prove regulatory compliance so that they can assure new customers of their security posture. Beginning the road to HIPAA compliance requires assessing security risk and mitigation controls.
A HIPAA Risk Assessment Checklist
What is HIPAA?
HIPAA was enacted in 1996 to protect information as people moved from one job to another. The US Department of Health and Human Services (HHS) additionally passed the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
In 2005, the HIPAA Security Rule focused on electronically stored PHI (ePHI). This update created three types of compliance safeguards. “Administrative safeguards” refers to policies and procedures that show compliance. Physical safeguards include controlling access to data storage areas. Technical safeguards incorporate communications transmitting PHI electronically over open networks.
Who is a Healthcare Provider?
According to HIPAA, healthcare providers include doctors of medicine or osteopathy who are authorized to practice medicine or surgery (as appropriate) by the State in which they practice or any other person determined by the Secretary to be capable of providing health care services.
If a person or organization engages in practicing medicine or helping treat sick people, HIPAA applies to them.
What is a Covered Entity?
HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically.
What is a Business Associate?
This term broadened HIPAA’s reach. The law defines a business associate as any person or entity that involves use of or disclosure of protected health information on behalf of or while providing a service to a covered entity.
This broad definition incorporates everyone from third-party administrators assisting in the healthcare claims processing area or certified public accountants whose advisory services involve accessing protected health information. Functionally, if a person or company may at any time see any information that identifies a patient, the healthcare provider or covered entity should make sure the business associate is HIPAA compliant.
What Can I Do to Get Compliant?
Risk assessments are the first step to HIPAA compliance. The risk assessment helps determine the locations of greatest vulnerability. The Office of the National Coordinator for Health Information Technology created the Security Risk Assessment Tool to help organizations identify their most significant risks by establishing 156 questions.
Within those 156 questions, the Security Assessment Tool breaks them up into three categories: administrative safeguards, technical safeguards, and physical safeguards.
What is the Administrative Safeguards Requirement?
The administrative safeguards requirement focuses on developing, documenting, and implementing policies and procedures to assess and manage ePHI risk.
As an initial review, organizations should consider the following questions to developing appropriate safeguards:
Risk Assessment
- Create an inventory of all information systems, electronic devices, and mobile media
- Identify threats, vulnerabilities in technology, processes, workforce, and vendors to determine the likelihood of a data breach and estimate potential harm.
Develop and implement a risk assessment policy that identifies essential activities addressing purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and facilitation procedures that outlines procedures and risk assessment controls. - Share documented risk assessment policy with workforce members responsible for mitigating threats and vulnerabilities.
- Review unauthorized or inappropriate access to ePHI that can compromise data confidentiality, integrity, and availability as well as potential unauthorized disclosure, loss, or theft.
Security Plan and Policy
- Create a security plan that includes a continuity plan, emergency access plan, disaster recovery plan, and vendor management plan.
- Develop, document, and share with workforce members a security planning policy and training that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and procedures that outlines procedures to implement security and controls associated with it.
- Determine appropriate sanctions for individuals who do not comply with information security policies and determine documentation of execution for these sanctions.
- Create audit procedures and system monitoring procedures to ensure no inappropriate access to information.
- Periodically review documentation and update if it is affected by operational or environmental changes.
- Establish a senior-level executive security official to develop and implement policies and procedures to protect against business associate and covered entity risk and authorizes access to information systems
- Ensure the individual responsible for security has adequate education and experience to review system capabilities, vulnerabilities, and mitigation practices to support management security purchases.
User Authorization/Segregation of Duties
- Segregate workforce member duties and service provider roles in a way that defines access to ePHI
- Establish and share with workforce members an access control policy that defines the purpose, scope, roles, responsibilities, management commitment, coordination expectations, and compliance requirements.
- Employ least privilege/minimum necessary access principles to ePHI.
- Create and enforce role-based access control (RBAC) policies that provide access based on job description and responsibilities.
- Develop processes that restrict access to digital or non-digital media containing ePHI and enforce them.
- Establish authorization and supervision of locations of ePHI and workforce members who can access ePHI.
- Develop procedures allow the IT department to create, enable, modify, disable, and remove accounts based on users’ group and role membership as well as account privileges for each account.
- Establish and maintain a list of authorized organizations or personnel that identifies their access level to facilities, information systems, and ePHI.
- Establish and enforce processes that monitor security roles and responsibilities of third-party providers with access to facilities, information systems, and ePHI.
- Implement procedures that define appropriate role-based access to ePHI.
- Assign risk designations and screening criteria for each position defined within role-based authorization document.
- Establish policies and procedures for screening individuals before granting access authorizations.
- Establish and implement policies and procedures that terminate access when workforce member access needs change.
- Develop policies and procedures to retrieve all security-related organizational information system related property upon workforce member role change.
- Periodically review current and on-going logical and physical access authorizations.
- Modify access based on workforce member role changes and operational needs.
Security Awareness Policy
- Develop, document, and share with workforce members a security awareness policy and training that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and procedures to ensure workforce members understand security awareness.
- Review and update security awareness training and policy to ensure that it aligns with current systems and threats.
- Ensure workforce members engage in updated training when role-based authorizations change or in response to system changes.
- Ensure security awareness training simulates cyber-attack, unauthorized access, or opening malicious email attachments that teach workforce members about spear phishing attacks.
- Retain training records for all workforce members and business associates.
- Establish procedures and oversight for patching systems, installing software, enforcing software installation policies, and compliance monitoring.
- Monitor information systems to detect attacks, indicators of potential attacks, and unauthorized local/network/remote connections.
- Monitor information system facility physical access to detect and respond to physical security incidents, periodically review physical access log, and coordinate review/investigation result with the incident response team.
- Share information about security alerts, advisories, and directives with workforce members.
- Establish procedures for guarding against, detecting, and reporting malicious software.
- Employ automated mechanisms and tools that help track security incidents to collect and analyze information.
- Establish authorization policies and procedures that outline password requirements, including length, changes, the suggested frequency of changes, privacy requirements, and importance of safeguarding passwords.
Incident Response Plan
- Establish incident response training that aligns with workforce member roles and responsibilities.
- Establish mechanisms to identify and respond to suspected or known security incidents, including mitigation steps and documentation requirements.
- Establish and share incident response policy with workforce members that outline the purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and facilitation procedures for security incidents.
- Provide incident response training to information system users consistent with incident response policy.
- Test incident response capability and document effectiveness of results.
- Implement preparation detection, analysis, containment, eradication, and recovery responses as part of incident response policy.
- Establish incident handling activities with contingency planning activities that incorporate lessons learned from ongoing incident handling activities into incident response procedures.
Contingency Plan
- Develop and implement a contingency planning policy that identifies essential activities addressing purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and facilitation procedures that identify critical information systems and ability to access ePHI.
- Ensure contingency plan incorporates a variety of emergencies such as fire, vanadalism, system failure, or natural disaster.
- Establish procedures that identify essential activities, roles, and systems required for full information system restoration, including but not limited to establishing emergency access and restoring standard access controls.
- Review and update contingency policy regularly.
- Establish and implement procedures to create, maintain, and retrieve exact copies of ePHI including an alternative storage site whose security safeguards align with established procedures.
- Conduct backups of information system documentation at the user-level, system-level, and security-related level.
- Employ audited and automated overrides of role-based access control policies for emergency situations.
- Test continuity and emergency operations.
Third-Party Monitoring
- Implement policies and procedures that establish, document, review, and modify a third-party’s access to workstations, transactions, or programs and processes.
- Ensure that covered-entities have obtained appropriate assurances that business associates safeguard information.
- Document third-party and fourth party assurances through written contracts or other arrangements.
- Review contracts to ensure they contain requirements discussing legal issues regarding ePHI disclosure safeguards used when not listed in the original agreement,and reporting requirements for security incidents.
- Develop processes to create and maintain a list of authorized maintenance organizations or personnel and that access to facilities, information systems, and ePHI matches roles.
- Establish third-party monitoring process that reviews security roles and responsibilities.
Information Retention Policy
- Retain information as required by federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
- Ensure retention includes full life-cycle, including but not limited to disposal of information systems.
- Document record retention lasts 6 years from creation date or when it was last in effect.
- Provide an audit reduction and report generation capability that allows on-demand audit review, analysis, and reporting without changing information or ordering of records.
- Ensure role-based authorization to records retained.
For information on how ZenGRC can help your organization get compliant more quickly, schedule a demo.
What is ISO Certification, Who Needs it & Why
ISO certification can be used to provide potential customers with independent validation of an organization’s conformity. Security experts recognize that compliance is not synonymous with security. However, the increased criticality of technology in forming business partnerships combined with increased customer focus on data breaches mean organizations must find ways to assuage customer fears. Thus, compliance offers new clients ways to use an organization’s controls as a measure for future customer satisfaction.
Understanding ISO 9001
What is ISO?
In 1946, twenty-five countries sent delegates to the Institute of Civil Engineers in London who decided to establish a new organization called the International Standards Organization that would create and unify industrial standards.
What are the Different Types of ISO Certification?
ISO standards impact a variety of industries. While they do not incorporate the penalties established in regulatory requirements, meeting them offers IT companies opportunities to align themselves to many regulations. For those looking to create IT programs, three primary ISO standards help organize compliance. In IT, ISO 27001, ISO 31000, and ISO 9001.
What is ISO 27001 Standard?
The ISO 27001 standard established industry requirements for an information security management system (ISMS). Although the 27000 family incorporates more than a dozen different standards, organizations attempting ISO certification start creating management systems.
ISO 27001 primarily focuses on preserving the confidentiality, integrity, and availability of information as part of the risk management process. As such, it intends to offer confidence to upstream and downstream customers. Certification requires two stages of review. In the first stage, auditors collect documentation and determine whether an organization’s ISMS is ready for the next stage of review.
To pass the initial audit stage, however, organizations must compile documentation including their ISMS scope, information security policy, risk assessment and risk treatment methodology, statement of applicability, risk treatment plan, risk assessment report, detailed definitions of information security roles and responsibilities, inventory of assets, acceptable use policy, access control policy, operating procedures, secure system engineering principles, supplier security policy, incident management procedure, business continuity procedure, and compliance requirements.
What is ISO 31000 Standard?
ISO 31000 establishes guidelines for engaging in enterprise risk management (ERM). The risk management process approach requires that executive management and the Board of Directors review both the potential and likelihood of threats so that they can establish controls to mitigate the risks.
Auditors assessing ERM adequacy for certification require documentation that management engaged in either a process elements approach, principles of risk management approach, or maturity model approach to risk. The Institute of Internal Auditors (IIA) notes that while its assessment guidance aligns to 31000, other frameworks may also match the ISO requirements.
What is ISO 9001 Standard?
ISO 9001 supports those trying to be ISO 31000 and 27001 certified by specifying the requirements for a quality management system (QMS). Quality management systems document the processes, procedures, and responsibilities over quality and control objectives. While ISO 9001 applies to any industry requiring quality controls for continual improvement, it offers a unique perspective for dev ops and compliance.
These management standards focus on a workflow incorporating design, build, deploy, control, measure, review, and improve. Anyone in dev ops will recognize this regarding agile. ISO 9001 audits incorporate three types of review: product, process, and system. The lengthy list of documentation required includes both mandatory and non-mandatory information.
The list of mandatory documents includes document control procedures, records procedures, internal audit procedures, control of non-conformance procedures, corrective action procedures, and preventative action procedures. While that does not feel overwhelming at first, each of those categories lists additional documents needed to prove the process works in action.
What is the Need for ISO Certification?
ISO conformity differs from certification. Conformity means that the organization has decided to indicate its compliance to an ISO standard. Any company can choose to incorporate ISO compliance as part of its business processes. Examples of ISO conformity include creating a QMS or conducting internal audits.
ISO certification provides upstream and downstream customers with verification needed to offer confidence about quality, control, and information management. Certification shows conformity to the ISO standards. Additionally, certification proves to outsiders that the organization meets either the QMS, risk assessment, or ISMS requirements that a body of experts has established.
With the large number of standards ISO writes, it also requires that any certification notice be specific as to which ISO standard an organization is certified. Instead of presenting to clients as “ISO Certified,” for example, companies should note “ISO: 9001:2015 Certified” or “ISO 9001:2015 Certification.”
Moreover, as with many audit procedures, ISO certification enables an organization to use the third party assessor’s independent opinion as proof of compliance. This independence removes the subjectivity often assumed in self-assessments and self-answered questionnaires.
What is ISO Accredited?
ISO creates standards but does not engage in certifications or issues certificates. Their Committee on Conformity Assessment (CASCO) establishes standards related to the certification process thus used by certification bodies. In other words, CASCO determines the standards by which third-party assessors must abide to determine that a company meets ISO certification standards.
ISO Accreditation Differs from ISO Certification
To be ISO certified, independent third parties must review the organization’s policies, processes, and documentation. ISO refers to these third parties as “certification bodies.” When choosing one, a company should review whether the certification body applies the CASCO standard relevant and determine whether the body is accredited.
Organizations do not need to assume non-accredited bodies lack capability. However, accreditation implies independent competency confirmation. To put it simply, accredited bodies have undergone independent reviews to prove that they meet CASCO standards so that they can establish the organizations they review meet ISO standards.
How Automating GRC Can Ease the Burden of ISO Certification
Once ZenGRC experts onboard an organization, that company has access to content that helps map controls across multiple standards.
When managing your compliance with shared drives or spreadsheets, seeing the overlaps and gaps in corporate compliance can leave managers cross-eyed. ZenGRC’s SaaS compliance platform allows you to use an ISO audit software tool to map your controls and then perform a gap analysis so that you can view the remaining work and manage your timeline better.
Finally, our platform provides a single-source-of-truth giving you one-click access to the documents the audit checklist requires for a successful audit.
For more information on how ZenGRC can help ease the ISO certification burden, contact us today to schedule a demo.
COSO ERM vs ISO 31000
With the ISO 31000 and the COSO ERM Framework updates, organizations attempting to integrate multiple enterprise risk management strategies to meet compliance requirements feel overwhelmed. However, despite different definitions and processes for establishing risk tolerance, ISO 31000 and the COSO ERM Framework provide interrelated value helping organizations better manage risk.
Comparing the ISO 31000 and the COSO ERM
What is COSO?
In 1985, five professional associations founded COSO to sponsor the National Commission on Fraudulent Financial Reporting. The American Accounting Organization (AAA), American Insitute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA) organized to develop frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
What is ISO?
In 1946, twenty-five countries sent delegates to the Institute of Civil Engineers in London who decided to establish a new organization that would create and unify industrial standards.
What is the COSO Framework?
The COSO Framework, most recently updated in 2016, provides an applied risk management approach to internal controls. Applicable to both financial reporting and internal reporting, the COSO framework focuses on five interrelated strategic points.
“Governance and Culture” relate enterprise risk management (ERM) oversight to daily activities. “Strategy and Objective Setting” argues that risk tolerance sets goals but that those must be objectively measured. “The Performance” segment requires prioritization of risks and effectiveness reporting. “The Review and Revision” portion involves continuous monitoring and internal audit to revise controls as necessary. Finally, the “Information, Communication, and Reporting” proviso requires communication across internal and external stakeholders.
What is the ISO 31000 standard?
In 2018, ISO re-released the 31000 standard, streamlining the definitions. The newly redefined risk framework focuses on eleven integrated and iterative principles.
31000 starts from the premise that risk management establishes and sustains value. Next, organizations need to integrate ERM as part of all organizational processes. Once they have done that, they need to include risk in decision making. This inclusion arises out of the importance of addressing uncertainty. However, effective ERM requires a systematic, structured, and timely process. Moreover, effective risk management relies on incorporating the best information available. Thus, organizations need to tailor their ERM to their specific risks. To tailor the risk, they need to integrate human and cultural factors to ensure they address stakeholder needs. In doing so, organizations offer transparent and inclusive risk management. Ongoing effective risk management means companies need to respond to change by being dynamic and iterative in their process. Finally, this ERM process aids organizations to improve their risk and compliance continuously.
Why do IT professionals need to look to ISO 31000?
ISO 31000 provides generic risk principles for industries. While not specific to information technology, ISO 31000 provides ERM guidelines that match ISO’s desired outcomes.
IT professionals use 27001 to focus their Information Security Management Systems (ISMS). As part of that, 27001 references ISO 9000 which pulls in the risk principles from ISO 31000. As part of establishing an ISMS, organizations need a centrally managed framework to protect information that incorporates policies, procedures, technical and physical controls. However, before creating those controls, organizations must engage in risk assessments that review potential threats and likelihood of those risks. This risk assessment relies on the updated standards
What are the similarities between ISO 31000 and COSO ERM Framework?
COSO and ISO 31000 both focus on assessing risk, treating risk, monitoring risk, and continually monitoring risks.
The essential alignment between these two risk frameworks is their insistence on reviewing risk and revising as new threats evolve. In the information security space, malicious attackers adapt to find new exploits and vulnerabilities within systems.
The 2018 ISO 31000 revision focuses explicitly on highlighting management’s leadership and governance. COSO only responds to those controls related to fiduciary duty. Primarily designed to enable Sarbanes-Oxley (SOX) 404 requirements, COSO limits itself to a specific area of an organization’s IT environment. Thus, the ISO 31000 provides broader directives that help companies fit COSO’s principles of risk management into overarching corporate governance.
What are the differences between ISO 31000 and COSO ERM Framework?
COSO focuses directly on financial reporting. While this seems a small deviation from the more massive risk model of ISO 31000, it establishes a different focus.
ISO 31000 begins the risk process by defining the purpose and scope of risk management activities. The design process notes the value of scope and purpose in establishing risk criteria and decision making. However, ISO 31000, while focusing on leadership commitment, considers management’s business concerns after determining risk tolerance.
COSO, on the other hand, starts the risk process by reviewing the organization’s business strategies and aligning risks to those objectives. With this in mind, COSO provides a more meaningful approach to defining the risk tolerance. Beginning with the organization’s business objectives allows the c-suite to understand the risk mitigation strategies better.
How COSO ERM Framework and ISO 31000 help the Board of Directors oversee risk
Corporate governance requires the Board of Directors to oversee the risks inherent in business activities meaningfully. Both COSO and ISO 31000 stress the management’s value to the decision making process. This means executive management must understand both the risks how they overlap with organizational business goals.
In this manner, then COSO and ISO 31000 overlap with ISO 31000 providing insights into risk management strategies. Where COSO incorporates “governance and culture” as a principle, ISO 31000 focuses on integration to drive leadership commitment to overarching decision making. In this manner, the two working together almost provides a chicken-or-egg scenario. To define risk under COSO, organizations must understand their business objectives. To make decisions under ISO 31000, organizations must integrate risk.
Although more time-consuming, the dialogues that help define and integrate risk into business objectives create stronger organizations.
How can automating compliance help an organization?
To be agile decision makers, information security teams need equally agile ISO audit software to help them collect the necessary data about their control environments to meet the requirements of internal auditors certified by the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Institute of Internal Auditors, or Institute of Management Accountants .
ZenGRC’s automated platform addresses these future issues. The ease of documentation aggregation and reporting offers c-suite insight into a company’s trends. The rising cost of compliance comes not just in dollars but also in working hours. The ZenGRC platform cuts down on time spent managing compliance by helping stakeholders track changes and tasks.
To see how ZenGRC can help organize ISO and COSO compliance, contact us for a demo today.