Skip to content

Compliance frameworks and standards

Center for Internet Security (CIS) benchmarks

The Center for Internet Security is a non-profit entity whose mission is to “identify, develop, validate, promote, and sustain best-practice solutions for cyberdefense.” It draws on the expertise of cybersecurity and IT professionals from government, business, and academia around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model.

CIS benchmarks are configuration baselines and best practices for securely configuring a system. Each of the guidance recommendations refers to one or more CIS controls developed to help organizations improve their cyberdefense capabilities. CIS controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others.

Each benchmark undergoes two phases of consensus review. The first occurs during initial development when experts convene to discuss, create, and test working drafts until they reach consensus on the benchmark. During the second phase, after the benchmark has been published, the consensus team reviews the feedback from the internet community for incorporation into the benchmark.

CIS benchmarks provide two levels of security settings:

  • Level 1 recommends essential basic security requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality.

  • Level 2 recommends security settings for environments requiring greater security that could result in some reduced functionality.

CIS Hardened Images are securely-configured virtual-machine images based on CIS Benchmarks hardened to either a Level 1 or Level 2 CIS benchmark profile. Hardening is a process that helps protect against unauthorized access, denial of service, and other cyberthreats by limiting potential weaknesses that make systems vulnerable to cyberattacks.

Cloud Security Alliance (CSA) STAR attestation

The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry where cloud service providers (CSPs) can publish their CSA-related assessments. STAR consists of three levels of assurance aligned with control objectives in the CSA Cloud Controls Matrix (CCM). (The CCM covers fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service.)

  • Level 1: STAR Self-Assessment
  • Level 2: STAR Attestation, STAR Certification, and C-STAR Assessment (based on audits by third parties)
  • Level 3: STAR Continuous Monitoring (under development by CSA)

STAR Attestation involves a rigorous independent audit of a cloud provider’s security posture based on a SOC 2 Type 2 audit with CCM criteria. The independent auditor who evaluates a cloud provider’s offerings for STAR Attestation must be a certified public accountant (CPA) and is required to have the CSA Certificate in Cloud Security Knowledge (CCSK).

A SOC 2 Type 2 audit is based on American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, including security, availability, confidentiality, and processing integrity, and the criteria in the CCM. STAR Attestation provides an auditor’s findings on the design suitability and operating effectiveness of SOC 2 controls. The objective is to meet both the AICPA criteria mentioned above and requirements set forth in the CCM.

Service Organization Controls (SOC) framework

Increasingly, businesses outsource basic functions such as data storage and access to applications to cloud service providers (CSPs) and other service organizations. In response, the American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Controls (SOC) framework, a standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud. This aligns with the International Standard on Assurance Engagements (ISAE), the reporting standard for international service organizations.

Service audits based on the SOC framework fall into two categories — SOC 1 and SOC 2.

SOC 1

A SOC 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of a CSP’s internal controls that affect the financial reports of a customer using the provider’s cloud services. The Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) are the standards under which the audit is performed, and is the basis of the SOC 1 report.

SOC 2

A SOC 2 audit gauges the effectiveness of a CSP’s system based on the AICPA Trust Service Principles and Criteria. An Attest Engagement under Attestation Standards (AT) Section 101 is the basis of SOC 2 and SOC 3 reports.

At the conclusion of a SOC 1 or SOC 2 audit, the service auditor renders an opinion in a SOC 1 Type 2 or SOC 2 Type 2 report, which describes the CSP’s system and assesses the fairness of the CSP’s description of its controls. It also evaluates whether the CSP’s controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.

Auditors can also create a SOC 3 report — an abbreviated version of the SOC 2 Type 2 audit report — for users who want assurance about the CSP’s controls but do not need a full SOC 2 report. A SOC 3 report can be conferred only if the CSP has an unqualified audit opinion for SOC 2.

ISO/IEC 27001:2013 information security management standards

The International Organization for Standardization (ISO) is an independent non-governmental organization and the world’s largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world’s leading organization for the preparation and publication of international standards for electrical, electronic, and related technologies.

Published under the joint ISO/IEC subcommittee, the ISO/IEC 27000 family of standards outlines hundreds of controls and control mechanisms to help organizations of all types and sizes keep information assets secure. These global standards provide a framework for policies and procedures that include all legal, physical, and technical controls involved in an organization’s information risk management processes.

ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. As a formal specification, it mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. It also prescribes a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001 helps organizations comply with numerous regulatory and legal requirements that relate to the security of information.

Payment Card Industry (PCI) Data Security Standard (DSS)

The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information-security standard designed to prevent fraud through increased control of credit-card data. Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the five major credit card brands, Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.