Strike Graph security compliance blog

Video | SOC 2 vs. ISO 27001: Security standards for EdTech companies

Written by Strike Graph Team | Nov 21, 2023 8:00:00 AM

Online educational technology has wonderfully diversified learning experiences for students. It has also, however, raised questions about how to protect the student data that must be collected for these technologies to function.

Join Strike Graph CEO Justin Beals and Director of Sales Engineering Sam Oberholtzer in the video below as they discuss which cybersecurity frameworks are best suited to EdTech companies and the FERPA obligations of the schools they work with. Or, read on for the highlights below.


Justin Beals: We have a fair number of education technology customers, and some that started with us when we founded the company more than two years ago. I think what's interesting that I have learned is that some of the security standards that we do commonly see across business are actually starting to be the security standards being asked for by buyers in education spaces. So I know of at least two or three statewide contracts where the state government chief information security officer has provided an edict for all buyers of technology in the state government for SOC 2 or ISO 27001 certification before purchasing. That's becoming more commonplace.

Sam Oberholzer: I agree. Even when I'm just thinking about our EdTech customers, they've been showing us and sharing with us their security questionnaires, and they are seriously a straight-up rip from your baseline security program, SOC 2 program, that includes a list of all questions around what their security controls are. So that's the most applicable to those companies that are critical vendors to these schools that would have to abide by FERPA.

Justin Beals: So I have started to think of SOC 2 as a standard and ISO 27001 as general security standards, broadly applicable to businesses, a wide swath of them. I think that's why we've seen CISOs say, "Here's a general auditable or certifiable security practice that we are just starting to expect." You think that's why we've seen EdTech buyers start to ask for those?

Sam Oberholzer: Yeah, absolutely, and because they're really, if we're just putting the EdTech companies in one bucket, and if they're really just looking to sell to schools, it's actually quite interesting, the relationship, because if there are no laws or if there's no push to prove security, then it's almost like I can see that starting to happen because we're seeing that happen to every industry. So being a little bit more proactive and being able to prove it, you can just think of SOC 2 or ISO just as your, well, ISO is international, so it's way more strict, but SOC 2 as your foundational, because it's going to be translated to everything, every privacy law, every single other security standard you want to go for. I think that's what's just so important and why we're seeing more EdTech be interested in what they actually have in place.

Justin Beals: Yeah. I think that if I were advising an EdTech company today, I would ask them one question, "Are you US-centric?" Because there's a lot of EdTech organizations that are like, "Hey, we're built to sell to US curriculums." They may even say, "We're just focusing on half a dozen states," in their initial rollout. Then, SOC 2 is a great standard. I think if you were going more broadly, Europe, Asia-Pac, I would probably focus on ISO 27001. Then both of those, in a really nice way, SOC 2 and ISO 27001 have some carve-outs for a privacy certification as well, right?

Sam Oberholzer: Absolutely.

Justin Beals: Yeah. I know in SOC 2, it's like there's a minimum required security portion of the standard, but then there's availability, processing integrity ...

Sam Oberholzer: Confidentiality.

Justin Beals: Confidentiality, thank you, and then privacy, right?

Sam Oberholzer: Yep.

Justin Beals: Yes. Good. So if I were an EdTech company, maybe I'm not getting privacy right away, but I'm definitely thinking I'm going to get SOC 2 and then hot on the heels, probably privacy, right?

Sam Oberholzer: Yeah, absolutely. Because privacy is a little bit more strange because you're not just thinking about potentially your customers as an organization, you're potentially thinking about their reach. So it is extending more of that thought process beyond just dealing with your direct customers. So that's why anytime any organization has the potential of collecting PII for the requirement of their services, or even if they just don't know, then they should think about the pathway to proving privacy.

Justin Beals: Yeah, absolutely. Then on the ISO side, ISO 27001 and brand new and on the Strike Graph product, ISO 27701, just to make it difficult, is a privacy-specific standard that has an assessment methodology, so you can be certified against it. That covers GDPR quite well, I think, as well, right?

Sam Oberholzer: 100% of an overlap of GDPR. For those of you that don't know GDPR, it is a global privacy law, but mainly within Europe, but you're going to start seeing that's the highest, strictest privacy standard in the world. So if you are GDPR compliant, then you're going to be good everywhere else. Everything else, it's already covered, which is nice.

Justin Beals: We've seen other markets deal with this, like a tidal wave, right?

Sam Oberholzer: Absolutely.

Justin Beals: One day, it's okay, you're getting contracts. You don't have to prove it. The next day, everyone is asking for it, and being ahead of the curve means that you box out the competition in a sales motion. There is nothing better in your RFP response for school adoption than saying, "We're SOC 2 certified." That ensures some control over privacy, especially when your competitors haven't done it yet. So I think for those organizations that want to grow quickly, I think there's an opportunity here to lean in ahead of the movement of the marketplace instead of feeling like you have to respond to it.

 

Is FERPA a cybersecurity framework?

The short answer is no. If you’re in the education world, you’ve probably heard of the Family Educational Rights and Privacy Act, or FERPA. Passed in 1974, FERPA regulates how schools and other educational institutions that receive federal education funding handle students’ education records, including the personally identifiable information (PII) they contain. It reaches the third-party vendors those schools share data with only indirectly: a vendor can receive student PII as a "school official" if it performs a function the school would otherwise do itself, stays under the school’s direct control with respect to that data, and uses the data only for the purpose it was shared for. The problem is that FERPA predates modern cybersecurity and prescribes no technical controls at all; it says which records must be protected and who may see them, not how they must be protected. Because of this, many schools struggle to determine whether the EdTech vendors they work with handle student data in a way that keeps the school FERPA compliant.

Which security certifications work best for EdTech companies?

Currently, many EdTech companies are being asked for specific security certifications or attestation reports to prove that their security practices let the schools they serve meet their FERPA obligations. Two security frameworks in particular, already tried and tested across a broad range of industries, are gaining traction in the EdTech world: SOC 2 and ISO 27001.

In fact, some state governments already require a SOC 2 report or ISO 27001 certification for any technology purchase made on behalf of the state, which includes the state department of education. In other cases, schools hand EdTech companies security questionnaires whose questions track a SOC 2 assessment almost line for line.

Neither framework was written with FERPA in mind, and FERPA names no control set of its own, but both give a school auditable evidence that the controls it cares about (access control, encryption, logging and monitoring, vendor management, incident response) exist and actually operate. That evidence is what most schools are really asking for when they ask a vendor to "prove FERPA compliance." And because both frameworks are already accepted across many industries, they are a strong foundation for the additional security certifications an EdTech company may need as it grows.

SOC 2 vs. ISO 27001? Which is right for my EdTech company?

Depending on the current reach of your organization and its immediate goals, one of these frameworks may make more sense than the other. 

SOC 2 — United States

SOC 2 is right for EdTech companies based primarily in the United States and for organizations planning to do business only in certain US regions (by aligning with specific state standards, for example). SOC 2 is an excellent baseline security framework widely recognized across US industries, and it’s a great starting point for organizations just setting their security posture because it paves the way for additional certifications. One practical point: SOC 2 produces an auditor’s attestation report rather than a certificate, and buyers usually want a Type II report, which covers how the controls operated over a review period (commonly six to twelve months), not just a Type I snapshot of their design at a single point in time.

ISO 27001 — EU, Asia, or international 

ISO 27001 is the way to go for companies planning to do business in Europe or Asia, or to expand internationally in the near future, because it is recognized on a more international scale. It is also a good starting point for companies that know they will need to address EU privacy regulation: ISO 27701 extends an ISO 27001 information security management system with privacy information management (PIMS) requirements that map closely to GDPR, so a certified ISO 27701 scope gives an auditable way to demonstrate GDPR-aligned practices. No certification by itself makes an organization GDPR compliant, but it makes the case to a European buyer far easier to carry.

Stay a step ahead of the competition

If the schools your EdTech company partners with aren’t asking for these certifications yet, they likely will be soon. Starting the compliance process now puts you in a position to sign contracts while your competitors are still working out which security certifications they need. In the meantime, a SOC 2 report or an ISO 27001 certificate gives potential partners concrete evidence to answer their FERPA concerns, letting you build relationships and revenue with confidence.