Last year we announced that the Event Store team passed the ISO 27001 audit and SOC 2 Type 1 assessment for our Cloud offering. These are reviewed annually by our external auditors, A-LIGN, so in December 2022 we commenced the annual audit.
We won’t make you wait until the end of the post for the result: we passed the audits successfully again!
The difference this year was that for SOC 2 we went for a Type 2 report.
The difference between Type 1 and Type 2 is the amount of evidence collected during the assessment. For a Type 1, the auditors focus on what you have at that moment (policies, procedures, current evidence, etc.). For a Type 2, they ask for supporting evidence gathered over the period during which the company has been operating its established framework (this can be 3, 6 or 12 months).
As we had been operating our Information Security Management System (ISMS) for over a year, we were ready for the SOC 2 Type 2 over a 12-month period.
Over the past year, the policies and procedures we implemented have reduced our risks, which allows us to set new objectives for this year.
As we keep working on our ISMS, we continue to improve supporting activities such as our internal audit.
From the beginning, we decided to carry out our internal audits “internally”. As you are probably aware, ISO 27001 requires conducting both an internal audit and an external one.
Put simply, the external audit is the one conducted by the certifying body, which must be independent and accredited for ISO 27001. This time we used A-LIGN, a certifying body that could conduct both audits (ISO 27001 and SOC 2) simultaneously.
The internal audit can be carried out by a third-party consultancy, or by a suitable individual within the company who is independent and experienced in auditing.
For Event Store, both requirements were covered. As a certified ISO 27001 Lead Auditor, I have the experience to audit areas in which I am not directly involved. Our Head of People Ops, Helen Fullerton, audited the areas I am involved in.
Here’s what Helen had to say about the process:
“When Andrés first asked if I would audit the auditor, my initial reaction was that it wasn’t my skill set! But give me something new to review and I love rolling my sleeves up and delving in. Auditing an experienced auditor like Andrés was a bit daunting, but I know the processes and the policies, so the review was really interesting. I uncovered a few areas where improvement was required, but what was good to see is that the team were all adhering to the ISMS and no non-conformities were found. Andrés was very encouraging with his feedback on my findings, and now I can say that I do have that skill set and am a junior auditor in the making!”
The renewal of our certification is thanks to the efforts of our team, who have been following the policies, attending training, proposing improvements, and challenging the system with new needs all year.
When getting certified, it's important to align your day-to-day activities with the ISMS so that the effort required during the audit process stays manageable. It also means that when you assign a user the right permissions, enable their data backup, or disable their account during offboarding, you’re not only securing the organization’s data but also following best practices and complying with the certification requirements.
There are additional requirements for your organization when getting certified that will take time, such as performing the internal and external audits already mentioned, enforcing annual cybersecurity training, holding internal meetings to review your cybersecurity posture, updating the risk assessment, etc.
Therefore, you may be asked by leaders in your organization whether the certification is worth it. In that case, it's worth considering what your KPIs would be.
Intangible KPIs might include the risk level, incident preparedness, etc. But it’s always better to provide a tangible response. For Event Store, an easy one is the number of hours we previously spent answering cybersecurity due diligence requests from our customers.
Having ISO 27001 and SOC 2 has facilitated our adoption by multiple customers, as their need to carry out a cybersecurity assessment for our offering has decreased. Only a few customers have asked for cybersecurity due diligence this year.
This alone has saved time and, more importantly, allowed us to offer additional value to our customers. We can therefore answer: “Yes, it was worth it!”
We are now working on HIPAA, for those customers who want to use our event-based database for their health records. This is progressing well.
But our cybersecurity preparedness does not end there, because we are also ready for those customers who have other security needs such as complying with the European Banking Authority (EBA) requirements.
The world evolves every day, and cybersecurity is no exception. This year we will begin reviewing the recent changes in ISO 27001:2022 and how they will affect us. We have 3 years to adapt to the new version of the standard, but we will try to implement it sooner.