Are you a tech company that is considering a cyber security certification? Or, are you a company concerned that your vendors may be an access point for hackers?


If so, cyber security certification probably feels more like a murky alphabet soup. Every industry is different and there is no one size fits all answer. Certification maintenance also does not necessarily mean that the company is secure or even following all of its own policies. Here is the breakdown of what businesses need to know as they start the comparison – before investing time and money:


1. SSAE 16


SSAE is “The Statement on Standards for Attestation Engagements.” No. 16 (SSAE 16) is the most widely referenced audit standard. There are many types of SSAE 16 audit reports including:


  • SOC1. This is a report about security controls at a service organization that may be relevant to internal control over financial reporting.
  • SOC2. Report based on the existing SynTrust and WebTrust principles. Function of this report is to evaluate an organization’s information systems for security, availability, processing, integrity, confidentiality or privacy.
  • SOC3. Also based on the SynTrust and WebTrust principles. The difference is that this report is intended for marketing purposes and not a detailed testing.
  • Each SOC report above also comes with an option to obtain a “Type 1” and “Type 2″ Report. A Type 1 Report is less comprehensive but provides a determination of whether the security controls are designed appropriately. A Type 2 Report is often more robust and frequently required by organizations before contracting with an organization.


For more information see:




This certification is required for all entities that handle, process, transmit, or store credit card or bank card data. Which means that pretty much every business needs to comply with this standard. Basically, this framework is for developing a credit card data payment system process–including prevention, detection and reaction to security incidents. There are a host of resources from self-assessment to training available at:


3. ISO 27001 or 17799/27002


ISO is the International Organization for Standardization which establishes best practices for repeatable procedures across industries or needs. Each standard has a unique numerical name which reflects that is a unique process. The breakdown on the relevant cyber security standards from ISO:


  • 27001. The family of standards to keep information secure. This includes financial information, intellectual property, employee details, or information from third parties. Organizations can comply with this standard without obtaining certification from ISO. Learn more at:
  • 17799/27002. This standard establishes guidance and principles for initiating, implementing, maintaining, and improving information security management in an organization. The scope includes: financial information, physical security, information security incident management and much more. Learn more at:




NIST is the National Institute of Standards and Technology. It was directed by Executive Order 13636 to work with stakeholders to develop a voluntary framework for Improving Critical Infrastructure CyberSecurity. This framework is routinely used as a benchmark for many organizations and includes:


  • Framework Core: Includes cybersecurity activities, desired outcomes, and common applicable references.
  • Framework Implementation Tiers. Tiers describe the degree that an organization’s cybersecurity risk management programs exhibit the Framework. Tiers run from Partial (Tier 1) to Adaptive (Tier 4).
  • Framework Profile. This is the alignment of the organization practices, standards, and guidelines to the Framework Core in a particular situation.


Learn more at: NIST Framework