SOC Certification levels

Many SOCs already hold several certifications. Most commonly, this includes ISO27K and SOC2 Type 2. While such certifications definitely hold value, they do not provide assurance regarding the quality and accuracy of SOC services specifically. Instead, they address more general topics. SOCs that have passed the SOC-CMM certification can provide specific SOC assurance to a certain extent.

Just like maturity levels, not all SOCs need to operate at the same certification level. Several SOCs have reached out expressing their interest in certification and looking for concrete guidance on what certification level is most appropriate.

Here is a bit of guidance:

  • Align certification levels with your SOC's ambition. The SOC's ambition is one of the drivers for selecting the right certification level. If you are already performing assessments and optimising maturity using SOC-CMM, the maturity ambitions can be used as a basis for certification ambitions.
  • Use the organisation's risk profile in certification level decision-making. SOCs operating in critical infrastructure, for example, will likely need a higher level of certification. This is often the expectation from senior management. If you are running an MSSP SOC, determining the risk levels for your clients would be the way forward.

Note: Budgets and resources may also play a role, as higher certification levels require a bigger set of controls to evaluate, with higher certification cost because of this.

Are there any other requirements, concerns, or considerations that are helpful in determining the SOC’s appropriate certification level?
