Alan McCafferty · uOttawa PDI News
There’s a common misconception about the cybersecurity standards that exist to protect networks and data. With so many different standards in play (ISO, NIST, SOC 2 Type 2, ITSG-33), many tech-savvy people and industry professionals working as developers, programmers, and even cybersecurity experts don’t understand the differences between them. More concerning, many people simply don’t understand how these standards can be used to create an effective Information Security Management System that is compliant with an accepted cybersecurity framework.
Ask many industry professionals and they’ll tell you the different standards exist on a scale: some are rigorous, some are less rigorous, and some are simply better than others. But that couldn’t be further from the truth, and this misunderstanding has led to confusion, inefficiency, and ineffective cybersecurity architectures.
Standards Are Different, Not Better or Worse
The reality is that every standard out there essentially provides an equivalent road map or framework to the same level of protection. All are based on best practices, and, crucially, they can all be aligned with one another.
To better understand the difference between the standards, think of them as bicycles that have been engineered for different users and applications. You may ride a 10-speed bicycle to get from A to B, while your friend might prefer a 21-speed bike. But in both cases, all else being equal, the bicycles will both perform the job of being a bike equally well. You’ll both be able to go at comparable speeds using comparable amounts of energy, and each bike should last as long and be as durable as the other.
Today’s cybersecurity standards are like those bicycles: they were created in different contexts to serve different purposes. Just as different bicycle models with different gearing were built for different riders, each standard was written to serve a specific industry vertical or to address a specific set of concerns.
For example, ISO is the gold standard for cybersecurity and an international standard, accepted around the world. SOC 2 Type 2 was developed specifically by the accounting industry and is tailored to the information security and cyber control needs of that industry’s clients.
Choose Your Standard Based on Context
Understanding the purpose of each standard has practical implications. Rather than choosing the longest or most convoluted standard for your organization because you think it will provide a better information security framework, you should consider which standard will best meet your business needs based on its applicability to your industry.
For example, if your organization does a lot of business overseas or across a widely dispersed geography, ISO is probably the best standard for you, irrespective of the industry vertical you are in. This is simply because it’s an international standard, so your clients around the world will likely accept it. It’s the most independent and most widely accepted standard.
Alternatively, SOC 2 Type 2 may be a better choice because of its integration with your accounting firm. Your relationship with that firm, and its knowledge of your products and services, may yield additional insights that are not readily apparent to an external consultant.
On the other hand, if your largest client base is in the USA, perhaps the NIST standard would be best for you.
The bottom line is that privacy is privacy; access control is access control; information security is information security. Choosing the right standard for your context and needs can save you a lot of time, effort, and cost as you build an effective and efficient cybersecurity framework for your organization.