Information Security Assurance

What is 'InfoSec' Assurance?


When you provide a product or services to enterprise customers, their data, systems, business operations and reputation may be at risk. Information Security Assurance, often referred to as “InfoSec”, demonstrates to those customers that you apply good practice security, risk management and internal controls that protect their interests.


How does 'InfoSec' work?

InfoSec follows a defined set of requirements. That may be a customer-specific list or questionnaire, or it may follow one of the defined frameworks with prescribed criteria or controls like SOC 1, SOC 2 or ISO 27001. Following that set of requirements, InfoSec Assurance has four phases.


1. Assessment: Map your current state to assess any control gaps;

2. Remediation: Implement control practices to close any gaps and achieve compliance;

3. Audit: Conduct an audit or review process to confirm effectiveness of the controls; and

4. Report: Issue a certification, report or other verified output to satisfy your stakeholders.

Why is InfoSec Assurance important?

At the most obvious level, if you don't apply good security practices, your customers are at risk by using your services. But in practice, the importance of InfoSec assurance goes beyond that.


  • Compliance: Enterprise businesses have their own compliance requirements like APRA's CPS234 and CPS231 that mandate the way they assess, verify and use outsourced services. InfoSec assurance satisfies these responsibilities, without requiring them to conduct onerous and expensive 'vendor audits'.


  • Service qualifier: You may have a great product, but for 'sponsors' or 'business owners' looking to procure your services, there's no guarantee it will pass their security and vendor risk teams' approval process. InfoSec Assurance qualifies your maturity and enterprise-readiness in a tangible and broadly recognised way to give all stakeholders confidence.


  • Competitive differentiator: When comparing alternate service providers, the extent of your InfoSec Assurance is a differentiator. The functionality of your product is one consideration. In modern times where cybersecurity threats are rife and public expectations are high, your security, risk and control practices are another key consideration.


  • Operational benefits: An independent review of your control practices provides an insight into your operations. InfoSec auditors and consultants have broad and deep expertise from working across many clients, to provide you with valuable feedback and recommendations when they are taking a 'look under the hood'.


  • Broad use: Most InfoSec assurance solutions like SOC 1, SOC 2, and ISO 27001 are designed for broad end-user purposes. That means, instead of answering hundreds (or even thousands) of security questionnaires and performing separate audits, you can do it once and share the outputs with all your stakeholders.


Compare InfoSec Solutions

There are three main general-purpose InfoSec standards for broad end-user purposes: SOC 1, SOC 2 and ISO 27001. Unless your customers have mandated one, we usually recommend SOC 2. We explain why in our SOC 2: Solving InfoSec in One Standard. See our full comparison below.

Compare standards