Category: Advisory

SOC 2 or ISO 27001: Which is better suited for my organization?

If your organization provides business-to-business IT or financial services, it’s likely that your clients will request SOC 2 or ISO 27001 certification or attestation. This process can demand significant resources and time from your organization. This article explains the similarities and differences between these two certifications. A SOC 2 report and an ISO 27001 certificate can be compared to close relatives, and there are opportunities for efficiency, as achieving one certification can significantly reduce the time required to obtain the other.

1. Scope

Both SOC 2 and ISO 27001 are similarly designed to provide clients with confidence that their data is protected. The two frameworks overlap considerably, as both address critical aspects of information security, such as confidentiality, integrity, and availability. Both are widely recognized certifications that demonstrate to clients your company’s commitment to security.

A key difference is that the SOC 2 certification primarily focuses on demonstrating the effective implementation of security measures that protect client data. ISO 27001, on the other hand, solely requires an organization to have an Information Security Management System (ISMS), a prescribed set of security measures.

2. Market applicability

A significant similarity is that both certifications are well-known information security standards widely accepted as proof that an organization has appropriate security measures in place. Particularly in the United States, these certifications are accepted by organizations of all sizes, from small businesses to large corporations. Both are fully accepted across most industries and position an organization as a reliable vendor with robust information security practices.

3. External party

Both certifications are assessed by third parties, either ISO 27001 auditors or (registered) accountants. The key difference is that a firm recognized by the Netherlands Institute of Chartered Accountants (NBA) issues a SOC 2 report, while an accredited ISO 27001 auditor certifies ISO 27001 compliance. Risklane employs both recognized accountants and accredited ISO 27001 auditors who can advise on the audit process.

4. Costs

Both certifications have comparable operational costs, which include the internal costs for the team implementing the control measures and gathering the evidence required to demonstrate compliance with SOC 2 or ISO 27001.

The pricing for the two types of certifications can vary significantly. Generally, the costs of a SOC 2 certification are higher than those of an ISO 27001 certification. This is primarily due to the extensive documentation requirements for auditors conducting a SOC 2 audit.

5. Timeframe

The project approach for both certifications is similar and consists of roughly corresponding phases. Since SOC 2 and ISO 27001 share many of the same control measures, the implementation phases also have a comparable timeframe. However, a SOC 2 audit may require more internal and external (auditor) time due to the aforementioned documentation requirements.

After the audit period, both SOC 2 and ISO 27001 certifications must be periodically renewed to remain valid for user organizations. ISO 27001 typically involves a three-year cycle, with an audit in the first year and annual renewals thereafter.

About Securance

Our mission propels us to go above and beyond in fostering the growth and success of our customers. We are dedicated to expanding possibilities, enabling excellence, fostering growth, attracting new customers, and enhancing internal processes. Achieving this mission involves pioneering risk management innovations, optimizing efficiency through automation, cultivating a diverse global team, and making positive contributions to the communities we serve. Additionally, we are steadfast in our commitment to serving as a gateway for companies to become more sustainable and transparent, thus providing a distinct and valuable contribution to society. Our unwavering pursuit of the highest quality ensures that we have succeeded when all customer objectives are met, and our clients are 100% satisfied.

What is ISAE 3402 | SOC 1?

ISAE 3402 is the standard for outsourcing. To become certified, an organization must have a Service Organization Control (SOC) Report. A SOC report is a report that includes a description of the risk management system. This report is then annually reviewed by a service auditor. An organization that provides services is referred to as a service organization. Through an ISAE 3402 report, a service organization provides accountability to another organization (a user organization) regarding the processes performed in the Service Level Agreement (SLA) and the control over these processes. The standard succeeded the SAS 70 standard and was introduced in 2011.

ISAE 3402 and Outsourcing

Organizations are increasingly outsourcing, particularly in the IT domain. Organizations that outsource want insight into information security, fraud prevention, and risk management in general. This is especially important as more crucial business processes are being outsourced, making it essential to understand who has access to information and whether there are sufficient segregations of duties to prevent fraud. An ISAE 3402 report provides this insight.

Report content

In addition to the general overview, the report must include processes that could potentially affect the financial statements (financial processes). This also includes IT processes, known as General IT Controls. Furthermore, an ISAE 3402 report can provide assurance that outsourced processes are being performed according to the agreed-upon SLA. The SOC report consists of a general section based on the COSO 2013 standard and a control matrix. Read more about the report content and the two types of reports: ISAE 3402 Type I and Type II.

Outsourcing example

A pension fund outsources asset management to an asset manager. Pension funds must comply with the Pension Act (PW). The Pension Act requires the pension fund to demonstrate that the outsourced processes are controlled. In this case, the pension fund is the user organization, and the asset manager is the service organization. The agreements between the pension fund and the asset manager are documented in the asset management agreement and possibly an SLA. Therefore, the pension fund requests an ISAE 3402 report from the service organization. With this report, the pension fund demonstrates that the outsourced processes are “in control” and that it complies with the Pension Act for this outsourcing arrangement. In such a situation, the pension fund (the ‘user organization’) wants insight into:

  • Whether investments are processed accurately and completely for the financial statements
  • Whether asset management is conducted in accordance with laws and regulations
  • Whether there are sufficient safeguards against fraud
  • Whether security is adequately implemented at the asset manager
  • Whether specific compliance requirements included in the Pension Act are met

The pension fund will require the asset manager to include the above topics within the scope of the ISAE 3402 report. The pension fund’s auditor will consult the asset manager’s ISAE 3402 report as part of the pension fund’s annual financial statement audit. The auditor does not need to separately test procedures at the asset manager, as this has already been reported on by the service auditor.

Added value

The primary added value for a user organization is that, based on the Service Organization Control report, it can determine whether information security or fraud prevention measures are adequate. This is also important information for the user organization’s auditor. The user organization’s auditor can assess whether the measures at the service organization are sufficiently designed within the framework of the user organization’s financial statement audit. Additionally, a (recognized) other auditor has determined whether these measures exist (Type I) and have been operating effectively (Type II). The auditor then does not need to perform separate testing at the service organization.

ISAE 3402: Type I or Type II?

There are two types of ISAE 3402 reports: Type I and Type II. Both report types are similar in content. The difference lies in the nature of the audit performed. In a Type I audit, the auditor determines whether the risk management framework and control measures cover the normative framework (design) and exist at a specific point in time. To establish this, the auditor ‘walks through’ the processes, known as line controls. In a Type II audit, the auditor assesses whether the control measures have been operating effectively over a minimum period of six months.

Increased Assurance

With a Type II report, a user organization gains greater assurance that the service delivery is controlled as agreed upon. The period covered by an ISAE Type II audit is a minimum of six months, unless there is a special situation, such as the acquisition of a new organizational unit or the introduction of a new IT system.

Mandatory Components

An ISAE 3402 report is relatively ‘free-form’. The standard requires, among other things, that risk management is implemented, that the IT infrastructure is controlled, and that the risk management system is effectively monitored. However, an ISAE 3402 report must include the following mandatory components: (1) a description of the internal control framework, (2) a confirmation from the service organization, and (3) a service auditor’s assurance report. While these components are mandatory, the standard does not prescribe how they should be presented in the report. Additionally, ISAE 3402 does not subdivide into sections, unlike the SAS 70 standard (ref. standard 3402.9 sub j). Despite the lack of prescribed components, a best practice has emerged in the Netherlands.

Best Practices

The best practice includes several components: a general description, a description of the control framework, and a control matrix. The general section provides a description of the organization. The description of the control framework typically outlines the complete risk framework according to COSO. The COSO framework was updated to COSO 2013 in 2013 and to COSO 2017 ERM in 2017. A key difference from the original COSO framework is that the latest versions include principles.

Control Matrix

In the control matrix, objectives are linked to risks, and the measures that mitigate these risks (controls) are included. All controls relevant to the user organization are incorporated.

Assurance Report

An auditor assesses whether all expected controls are included during the audit. After this review, the auditor provides an assurance statement in the report according to standard 3402*. Such an assurance statement is sometimes referred to as an ISAE 3402 certification, although it is not a certificate but rather an assurance report according to standard 3402.

* Standard 3402 is the Dutch translation of the international ISAE 3402 standard.

Read more about Securance and ISAE 3402.

Get started with ISAE 3402

ISAE 3402 reports are read not only by your clients but also by their auditors. A report that does not adhere to best practices or is described less professionally is likely to be perceived as less professional by your client or their auditor. With Securance’s experience in ISAE 3402 since 2004, we are well-equipped to produce professional reports. We can also advise you on how to improve your measures to better control risks.

Cloud services and ISAE 3402 | SOC 1

The demand for ISAE 3402 has increased significantly within IT outsourcing and cloud services. The ISAE 3402 register includes an impressive list of SaaS and hosting providers that are ISAE 3402 certified. What is the reason for this increased demand in the IT sector, and more specifically, in the cloud services industry, including SaaS, IaaS, PaaS, and data center services? ISO 27001 is a crucial international certification standard for information security. So why has the demand for ISAE 3402 certification increased in the IT sector? A key reason is that more and more critical systems of organizations are being offered from the cloud. But why is ISAE 3402 so important, and why is ISO 27001 not sufficient? The answer begins in the financial sector.

Financial Institutions

Financial institutions are required by laws and regulations, such as the Pension Act or the Financial Supervision Act (Wft), to demonstrably manage risks related to outsourcing. The Dutch Central Bank and the Netherlands Authority for the Financial Markets (AFM) do not consider an ISO 27001 certification as an adequate guarantee. The Dutch Central Bank does recognize ISAE 3402 as a sufficient guarantee and even requires such a report in laws and regulations.

Auditors and Corporates

In addition to financial institutions, auditors play a crucial role. Organizations subject to statutory audits are increasingly using cloud services. As a result, auditors must include processes on cloud systems in their financial statement audits. For these audits, auditors often rely on ISAE 3402 assurance reports from specialized service auditors. Furthermore, the normative framework is essential.

Normative framework of ISAE 3402 and ISO 27001

Unlike ISO 27001, ISAE 3402 has a normative framework: the financial statements or, more specifically, all processes relevant to the internal organization of the user organization, with a particular focus on the financial statements. In other words, all processes that lead to financial processing in the financial statements. For many organizations, data from operational processes is stored in the cloud, or operational processes are outsourced to a SaaS provider or hosted by a hosting party. These operational processes almost always directly or indirectly impact the financial statements. As mentioned above, auditors will consider these processes important when performing financial statement audits.

An auditor cannot derive value from an ISO 27001 certification. In such a case, an ISAE 3402 certification is recognizable to an external auditor and is also (technically) useful for the user organization’s financial statement audit. Unlike ISO 27001, ISAE 3402 does not provide detailed standards for information security. In practice, the COBIT 5 framework is often used because this normative framework is sufficient to ensure information security for financial reporting purposes. For these reasons, an ISAE 3402 report often provides more added value for both user organizations and their auditors, as it includes not only the security components of ISO 27001 but also all processes that affect the financial statements.

Cloud Security

An important question for the future is how cloud security will be addressed. In many cases, it is unclear where information is stored in the cloud and whether the countries where this data is stored also comply with regulations such as the General Data Protection Regulation (GDPR). To what extent does a cloud service provider have processes in order, what security guidelines are used, and how are operational IT risks managed?

In the United States, the government requires all parties providing cloud services to the government to comply with the FedRAMP guidelines. Similar requirements have not yet been formulated for private parties, even under the American Sarbanes-Oxley (SOx404) requirements. Primarily, in the case of outsourcing by publicly traded organizations, the SSAE 18 requirements must be met. These are largely consistent with the ISAE 3402 requirements. In this case, too, the ISAE 3402 certification provides a solution. If SSAE 18 is met, SSAE 18 certification can be obtained with relatively limited effort.

Based on the above, it can be concluded that ISAE 3402 can be used for multiple purposes, both to demonstrate to a client that outsourced processes are well controlled and to provide useful information for the external auditor.

Read more about Securance and ISAE 3402.