Inherited vs. Non-Inherited Independent Certifications
Is your organization in a situation where a customer or regulator is requiring an independent information security certification? Certifications that are becoming mainstream requirements include CMMC 2.0, HITRUST, PCI DSS, SOC 2, and ISO 27001:2013.
If you’ve been through one of these certifications, you know that it is a rigorous process: independent auditors spend weeks, if not months, reviewing your policies, procedures, and controls to determine whether you comply with the respective requirements. You may also scrutinize the downstream partners who are exposed to the sensitive information you’re contractually obligated to protect, to ensure that they meet the requirements set forth in these standards. Additionally, you may require these partners to obtain and maintain a certification of their own.
One mistake organizations commonly make is assuming that if a business partner, which could be a data center, Software as a Service (SaaS) provider, or Cloud Service Provider (CSP), is certified in one of these standards, the partner’s certification is “inherited” by the customer and directly translates to compliance within the customer’s own environment. While this would be great if it were true, unfortunately it is not. A partner’s certification or attestation report covers the partner’s environment and the controls the partner operates; it does not cover the controls the standard expects you to operate on your side (SOC 2 reports, for example, explicitly list complementary user entity controls that the customer is responsible for). Where downstream partners are responsible for protecting information, the responsibility and risk are shared, and each organization must obtain and maintain its own independent certification.
The rationale for each organization needing its own certification is easily illustrated by logical access control. If your primary business applications are hosted in the cloud by a SaaS provider, the SaaS provider delivers a series of technical and physical controls, such as a secure data center, media encryption, appropriate development standards, and transmission security. However, that SaaS provider does not control how individual access to the application is requested, approved, and ultimately provisioned, nor how it is reviewed and revoked when a user changes roles or leaves. Those controls belong to you, and an auditor assessing your environment will expect you, not your provider, to demonstrate them.
It’s important to understand the customer’s or regulator’s requirements before taking steps to obtain an independent certification, or before entering a business relationship with a vendor on the strength of the vendor’s certification. Confirm exactly which standard, version, and scope is required, determine which controls your vendor covers and which remain yours, and be open with your customer or regulator about where you currently stand on the requirement.