Decide on a Technical Benchmark Framework for Compliance
Benchmark Considerations
- SOC2 Type II
- HIPAA
- HITRUST
- PCI/DSS
- CIS
- NIST
- ISO27001
- AWS Well-Architected
SOC2 Considerations
SOC2 defines a set of high-level expectations, but it’s up to the responsible party (e.g. the customer) to assert what controls are in place for each pillar:
- Logical and physical access controls
- System operations
- Change management
- Risk mitigation
The typical approach is to use a combination of one or more of the compliance standards such as CIS, HITRUST, NIST, ISO27001, etc. Organizationally, this is a decision that has both technical and procedural impacts.
The Technical Benchmark Framework should satisfy the vast majority of requirements for both HIPAA and SOC2, which most likely means selecting more than one standard.
Questions
- Has the team already started mapping out any of the SOC2 controls that would influence technical controls or configurations?