BMIT Ltd recently received SOC 2 Type 1 attestation. Dione Vella, Chief Digital and Compliance Officer explains why this is an important achievement for the company. He was talking to David Kelleher.
What does achieving SOC 2 Type 1 attestation mean for BMIT?
The SOC 2 (Service Organisation Control 2) or ISAE 3000 report is a widely recognised attestation that organisations work towards to show they securely manage and protect their infrastructures. The Type 1 designation specifically attests that BMIT has implemented the necessary controls to meet the highly stringent criteria of the SOC 2 framework. The company has undergone rigorous third-party scrutiny to validate the implementation of controls to mitigate the risks associated with information security and availability risks.
How does SOC 2 Type 1 compliance benefit clients and partners?
In addition to our existing ISO27001 and PCI DSS, it provides further assurance to our clients and partners that we take the security of their infrastructure seriously. This attestation builds trust and strengthens our relationships with stakeholders.
Moreover and also very important to mention, having such attestation in place means that, BMIT is already geared up to help customers planning to expand their business to other markets where regulatory requirements demand for such assurance
What specific steps did the company take to achieve SOC 2 Type 1 attestation?
It is a comprehensive process. Building on top of our existing ISMS, we conducted a thorough assessment of our information security policies and practices, identified further areas for improvement, and implemented identified controls. The attestation process then included an independent audit by a qualified third-party assessor to validate that the controls were implemented correctly and in line with the criteria required by SOC 2.
How does SOC 2 fit into BMIT’s broader cybersecurity strategy?
As already mentioned, SOC 2 is one of several compliance programmes that make up our overall cybersecurity and data management strategy. It serves as a baseline for our commitment to security and data protection. Going forward, we will continue to enhance and evolve our security measures to meet the changing landscape of cybersecurity threats, ensuring that our clients and partners can trust us with their sensitive information.
BMIT already has the ISO 27001 certification. Why SOC2?
SOC 2 Type 1 attestation and ISO 27001 certification are both frameworks related to information security, but they differ in scope and focus. SOC 2 Type 1 attestation assesses the design and implementation of security controls at a specific point in time, providing assurance that BMIT’s systems meet predefined criteria.
On the other hand, ISO 27001 is a broader international standard that outlines a comprehensive Information Security Management System (ISMS). Achieving ISO 27001 certification involves implementing a systematic approach to managing sensitive information, emphasising risk management, continual improvement, and a holistic security framework.
While SOC 2 Type 1 offers a snapshot of controls, ISO 27001 requires a more ongoing, strategic commitment to information security, making it suitable for organisations seeking a comprehensive and internationally recognized approach to safeguarding their information assets.
From our experience, many customers look at both ISO and SOC2 as important standards that every service provider they work with must have. For some entities, particularly those working in the US region, SOC2 carries more weight. It is not a question of which is better but whether either one fulfils the customer’s criteria.
I strongly believe that both give us a competitive edge and truly strengthen our position in the market.
There’s never a dull moment. Over the past couple of years, the European Union has put harmonisation as a key priority among the 27 member states. NIS 2, for example, comes into force in 2024, followed by DORA in 2025. While there is still work to be done, ISO and SOC2 form the basis of a lot of what may be required of us as a service provider.
What is important, however, irrespective of what standard or regulation we are looking at, is that we maintain a continuous improvement approach. This involves regular assessments and updates to our security measures and controls, adopting best practices, and investing as needed in tools and resources.