Information Shield ™ Cyber Certification – FAQ

A cost effective, streamlined program for demonstrating cyber security readiness to customers, regulators and business partners.

What is the Information Shield™ Cyber Certification?

Information Shield Cyber Certification
Information Shield Cyber Certification

The Information Shield ™ Cyber Certification is a program to dramatically simplify the validation of your cyber security program while producing more robust and consistent results.   Clients are validated against the Cyber Certification Core Baseline, a rationalized set of common information security and data privacy controls that apply to any business.  The Cyber Certification is supported by an Advisory Board of leading cyber security experts.  

 Unlike an SSAE 18 SOC II, which requires a Certified Public Accounting (CPA) firm to validate your program, the Information Shield Cyber Certification relies on a network of Certified Information Security Auditors that have years of experience validating information security programs.

What does it mean to be “Certified”?

An organization is “Certified” when it receives a Statement of Attestation from a certified Information Security System Auditor (CISA).   A successful Certification is validation that the essential information security controls of the Common Control Library (CCL) Certification Baseline have been effectively documented, implemented and tested.    Sampling will require 30 days of validation that the controls are functioning and effective.

How is it different than an SSAE 18 SOC II Report?

First, Information Shield ™ Cyber Certification is based on a core, consistent and vetted set of essential information security controls, not a control set defined and negotiated by management as done in the SOC II Type 3.    This means that the organization can be assured that it is covering essential controls designed to reduce cyber risk.  

Second, unlike an SSAE 18 SOC II, which requires a Certified Public Accounting (CPA) firm to validate your program, the Information Shield Certification relies on a network of Certified Information Security Auditors that have years of experience validating information security programs.   This dramatically reduces cost and time in the validation process.

What are the advantages over SOC II or ISO 27001 Certification?

More Robust – The Information Shield ™ Cyber Certification is based on a core, consistent and vetted set of essential information security controls, not a control set defined and negotiated by management.   This means that the organization can be assured that it is covering essential controls designed to reduce cyber risk. 

More Modular – The Cyber Certification is broken down into modular parts.   Cyber CORE ™ is the essential set of controls for any business type.  Adding +SAAS  included controls specifically for online software, while adding +PRIVACY adds controls for data privacy. 

Better Fit – Many modern businesses find the SOC II or ISO 27001 overkill for their existing business type.  The Cyber Certification is better fit for smaller, even virtual businesses.

Scalable – It also means that Information Shield Cyber Certification reports can easily be compared against multiple organizations. 

More affordable – Using a consistent set of controls and evidence, along with a group of trained auditors reduces the time and effort required for validation.   Thousands of smaller organizations do not have the budget to support the $25K + annual costs.

A Certified organization can demonstrate the following:

Data Accountability – The organization has successfully itemized, categorized and protected data, applying key controls for the gathering, storage, transmission and disposal of information.   PII and other sensitive data is clearly identified and protected.

Management Accountability – The organization has demonstrated management commitment by creating a formal information security program that is documented with written information security policies and supported by a formal information security organization.   Management has enough visibility to formally attest to the effectiveness of the program.

Risk Accountability – The organization has demonstrated that it is aware of the cyber threats that are likely to impact its business, and has taken the steps to reduce both the likelihood and impact of potential cyber risks.  A cyber control framework has been approved, implemented and validated.

System Accountability – The organization has successfully itemized, categorized and protected technical information systems, applying key controls for the design, approval, management and disposal of information systems and applications.   Controls for the identification and treatment of vulnerabilities are in place and functioning.

Operational Accountability – The organization has demonstrated that is has the proper controls in place for the ongoing operation of information systems.  This includes key information security operating procedures such as change control, data backup, and system maintenance.   Controls for the physical protection of data and system assets have been implemented and validated.

Personnel Accountability – The organization has demonstrated that cyber risks from personnel activities are properly managed.   Controls are implemented to ensure that employees and contractors are properly screened, trained, managed and separated from the organization.   All personnel have attested to written security policies and are training on common cyber threats.

Third Party Accountability – The organization has demonstrated that it understands the structure of its supply chain and the associated cyber risks.   Controls are implemented that properly screen, manage and terminate third-parties with access to sensitive data.

Response Accountability – The organization has demonstrated that it has prepared for a cyber event that may lead to a significant business disruption.   Controls have been implemented to identify and respond to cyber security events and incidents.   Recovery plans have been documented and tested to enable the organization to respond to business disruptions within defined time periods.

Get Started - Contact Us