SOC2 vs. ISO 27001 vs. COBIT

It truly is a interesting time to be in Information Technology. Especially on the information security front. Although hacks and breaches consume the media, audit and controls run the IT hallways. This article contains a random sampling of notes acquired on this topic as leaders unpack what to measure and what not to measure.

“SOC2 audit is required to do business with us.” – Prospective Client

SOC2:  https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/cpas.html

Not all auditors charge the same and, just like everything else, many times you get what you pay for. I’ve found quality and consulting come at a higher price, so selecting the right auditor is a key success point.

Found this article from Linford & Co, LLP CPA firm about SOC2 pricing:

Price estimates differ between firms as each will:

  • Estimate the effort / cost required to do the work
  • Have related overhead expenses allocated to the audit
  • Require a certain level of profit from the engagement

Typically, our SOC 1 audits start at $17,500 and our SOC 2 audits start at $19,500 for small, non-complex organizations. And, since everyone needs one, we include a readiness or gap assessment as part of every first time SOC audit. These are starting points and the price of a specific SOC audit may go up or down as we customize proposals to our clients’ specific needs.

“ISO 27001 certification is required to do business with us.” – Prospective Client

ISO 27001:  https://www.iso.org/isoiec-27001-information-security.html

Any idea how much an ISO 27001 certification costs?   Found this article from Pivot Point Security:

  • Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
  • Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
  • Certification Audit: $10,000
  • Total cost for ISO 27001 certificate: $48,000

Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate. You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:

  • Surveillance Audit: $7,500
  • Internal ISMS Audit: $7,000

“COBIT as an emphasis for IT governance, control, and risk management” – Prospective Customer

COBIT:  http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

\\ JMM

Spinning plates as hard as I can…

Routinely, it’s easy to get into deep water with tickets and projects.  Here is an email exchange between one of my team members, JC Foster, and I.


Jon Foster

Where does this fall on my priority list?

  • Tickets
  • AD Project
  • PBX Project
  • Office 365 Project
  • Visual Studio Project
  • Teams rollout

I am spinning plates as hard as I can here.


Jonathan Merrill

Thank you for asking.  My own list is overwhelming.  The organization is hustling.  Projects are piling up and plates are falling as only so much can be done to keep those spun.  Let me turn you onto a recent EntreLeadership podcast, #263 – Thriving in the Age of Overload.  Skip to the Daniel Tardy’s talk about, “The Tyranny of the Urgent”.

Questions Needing Answered When Looking At Your Workload

  1. Does it have to be done?  Can we eliminate it?
  2. If I can’t eliminate, can I automate it?  ß This is where I feel the most work needs to be done.
  3. If I can’t automate it, can I delegate it?  Let someone else do it.
  4. If I can’t delegate it, is it urgent?  Is it a fire?
  5. If it is urgent, how do we approach, getting the right people in the room?   Most often, someone’s fire is not a fire to the organization.

Our temptation is everything is on the list is a fire.  We need to prioritize on impact and urgency based on the most impact to the most people.

If you’ve listened to the pod cast, tasks (or WIP) should be limited 3.  So, looking at this list, here is my recommendation where your head should be at:

  1. Tickets – I agree.  Although take care against this taking up 100% of your day.  Handle Critical and Highs only.  Sometimes, that means contacting customers, negotiating and adjusting the criticality.
  2. Visual Studio Project – Most impact.  Most urgent.  Key to our business.
  3. Office 365 Project  – Most impact.  Most urgent.

This is an exercise everyone can do.  And should be aligned to what is on our team Kanban.

\\ JMM