Category: Advisory

What is GDPR/AVG?

EUROPEAN PRIVACY REGULATION

The European Commission has decided that the existing legislation no longer keeps pace with the continuous changes brought about by digitization. The new privacy legislation takes the form of a European regulation that applies to all organizations in the European Union: the General Data Protection Regulation (GDPR). The GDPR applies directly in all EU member states without the need for transposition into national law.

NEW PRIVACY CONCEPTS

GDPR (AVG) introduces new concepts, such as the right of access and the right to be forgotten. Additionally, GDPR is based on a set of privacy principles. This entails various obligations for organizations, ranging from establishing a register of personal data processing activities to conducting risk assessments (DPIA) and appointing a Data Protection Officer (DPO).

IMPACTS OF GDPR

For most organizations, the impact of the General Data Protection Regulation is limited to maintaining a register of processing activities and implementing privacy-focused information security measures. Risklane offers various solutions to determine which measures are mandatory within your organization. The key potential obligations are:

  • Security measures
  • Register of processing activities
  • Data Protection Impact Assessment (DPIA)
  • Data Protection Officer (DPO)

Value of ISAE 3000 | SOC 2 Assurance

Who can expect value from ISAE 3000 | SOC 2 Assurance?

ISAE 3000 | SOC 2 is specifically designed for service providers storing customer data in the cloud. This means ISAE 3000 | SOC 2 assurance can add value to almost any SaaS company, as well as any organization using the cloud to store customer information.

ISAE 3000 | SOC 2 requires service providers to establish and follow strict information security policies and procedures covering the security, availability, processing integrity, and confidentiality of customer data. ISAE 3000 | SOC 2 ensures that a service provider’s information security measures align with current cloud regulations. As businesses increasingly use the cloud to store customer data, ISAE 3000 | SOC 2 compliance is becoming a necessity for a wide range of organizations providing cloud services. The ISAE 3000 | SOC 2 report provides transparency and assurance to various stakeholders.

The ISAE 3000 | SOC 2 report is unique

The ISAE 3000 | SOC 2 requirements give a service provider a degree of flexibility in deciding how to meet the Trust Services Criteria. ISAE 3000 | SOC 2 reports are therefore unique to each individual organization. In essence, the service provider reviews the ISAE 3000 | SOC 2 requirements, decides which are relevant to its organization, and then defines its own controls to meet those requirements. The service provider can define additional controls where necessary and leave out others that are not relevant to its core activities. The ISAE 3000 | SOC 2 audit is the auditor’s judgment on how well the service provider’s control measures meet the requirements.

ISAE 3000 | SOC 2 and ISO 27001

ISAE 3402 | SOC 2

ISAE 3000 | SOC 2 is the international standard for assurance on security and other non-financial information. ISAE 3402 is applied when outsourcing involves financial information processed by the service organization. If this is not the case, SOC 2 can be used instead, for example when only the General IT Controls (GITCs) are in the scope of the SOC report. The SOC 2 standard itself does not include provisions for an internal control framework such as COSO, so these components are not mandatory in a SOC 2 report. In the United States, the standards for SOC 2 reports are the Trust Services Criteria and SSAE 18, which include specific requirements for GITCs at service organizations. If a SOC 2 report is prepared according to the Trust Services Criteria, these components are mandatory.

ISO 27001

Information security is important for every company. The ISO 27001 standard is an international framework for information security and can be used to establish an information security management system. Risklane has over 10 years of experience in setting up risk management structures, information security, and process improvement. Information security must always add value by making the organization more manageable, and ISO 27001 certification also opens up opportunities with new customers.

Which one is more suitable for you?

Both standards are intended to provide assurance to your customers. There are three key considerations for what will best suit your customers:

  • Has your customer(s) specifically requested or mandated one of the two standards?
  • Where are your customers located?
  • In which sectors are your customers active?

Customers prefer the standard they are more familiar with. European customers tend to prefer ISO 27001, while SOC 2 is preferred in the US. The financial services sector prefers SOC 2, which matches its focus on operational effectiveness and stems from the accounting practice and legal requirements that apply to its business.

It is best to discuss the approach with existing customers and/or any potential customers. This way, you won’t be caught off guard and can make an informed choice.

COSO 2013 framework

On December 15, 2014, the transition period for adopting the COSO 2013 framework ended. What are the opportunities and risks that arise from this transition? The COSO Internal Control Integrated Framework (ICIF) 2013 is a comprehensive update of the COSO ICIF 1992 model.