“If you spend more time on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” – Richard Clarke, White House Cyber Security Advisor
#6. Integration. When all InfoSec processes work as intended from end to end.
#5. Measuring Performance. When all InfoSec processes are monitored and measured to make sure they achieve their goals.
#4. Optimized Resources. All InfoSec knowledge and infrastructure are being used effectively, as designed.
#3. Delivered Value. When security investments support business goals.
#2. Managing Risk. Consciously deciding whether, and how, to act on the risks that have been identified.
#1. Strategic Alignment. When InfoSec and business strategy align, three things follow:
- The enterprise defines what good strategy looks like.
- Security matches the company’s DNA, instead of trying to rewrite it.
- The amount of money spent on InfoSec reflects how important security is to the organization.
It truly is an interesting time to be in Information Technology, especially on the information security front. Although hacks and breaches consume the media, audit and controls run the IT hallways. This article contains a random sampling of notes gathered on this topic as leaders work out what to measure and what not to measure.
“SOC2 audit is required to do business with us.” – Prospective Client
Not all auditors charge the same and, just like everything else, many times you get what you pay for. I’ve found quality and consulting come at a higher price, so selecting the right auditor is a key success point.
I found this article from Linford & Co, LLP, a CPA firm, about SOC 2 pricing:
Price estimates differ between firms as each will:
- Estimate the effort / cost required to do the work
- Have related overhead expenses allocated to the audit
- Require a certain level of profit from the engagement
Typically, our SOC 1 audits start at $17,500 and our SOC 2 audits start at $19,500 for small, non-complex organizations. And, since everyone needs one, we include a readiness or gap assessment as part of every first time SOC audit. These are starting points and the price of a specific SOC audit may go up or down as we customize proposals to our clients’ specific needs.
“ISO 27001 certification is required to do business with us.” – Prospective Client
ISO 27001: https://www.iso.org/isoiec-27001-information-security.html
Any idea how much an ISO 27001 certification costs? I found this article from Pivot Point Security:
- Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
- Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
- Certification Audit: $10,000
- Total cost for ISO 27001 certificate: $48,000
Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate. You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:
- Surveillance Audit: $7,500
- Internal ISMS Audit: $7,000
“COBIT as an emphasis for IT governance, control, and risk management” – Prospective Customer