Category: Assurance

What suits my organization better? SOC 1 or SOC 2?

The AICPA's SSAE 18 standard from the United States defines two types of reports for service organizations: a SOC 1 report and a SOC 2 report (SOC originally stood for "Service Organization Control"; since 2017 the AICPA uses "System and Organization Controls"). This terminology is increasingly used internationally. In these terms, an ISAE 3402 report corresponds to a SOC 1 report and an ISAE 3000 report to a SOC 2 report.

An ISAE 3402 report describes how the service provider manages the risks in the processes that its clients have outsourced to it. Outsourcing, and more specifically outsourced financial processes, is the framework for this report. The alternative is the SOC 2 report, whose primary framework is not outsourcing but information security. Its criteria for information security and privacy are the AICPA Trust Services Criteria, which cover five categories: security, availability, processing integrity, confidentiality, and privacy. Additionally, there is a SOC 3 report: a general-use summary of a SOC 2 report without the detailed description of controls and test results.

Do I need an SOC 1?

A SOC 1 report is an audit of the internal controls at a service organization that are relevant to its clients' internal control over financial reporting (ICFR). SOC 1 audits were originally conducted under Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which was superseded by SSAE 18 in 2017. A SOC 1 includes the control objectives relevant to ICFR; the clients' financial statements are thus the framework for this report. This means the in-scope processes are those that ensure the data feeding the financial statements is accurate and complete.

In other words; if you process or host data related to a financial process, then SOC 1 is applicable.

Do I need an SOC 2?

If you process or host data that do not affect your clients’ financial statements, then SOC 2 is applicable. In this case, your clients are mainly interested in whether you handle information security and privacy correctly.

In a SOC 2 report, as in a SOC 1 report, the internal control measures are described and, in a Type II report, tested.

Which type of report is best for me now: SOC 1 or SOC 2?

An important difference lies in the criteria. A SOC 1 uses control objectives that the service organization defines around financial reporting, so privacy is not part of it. A SOC 2 uses the Trust Services Criteria, in which the Security category is mandatory and Availability, Processing Integrity, Confidentiality, and Privacy are added depending on the services offered and what clients ask for. If you have clients in both categories, there is a reasonable chance that you will be asked to provide both reports. You can determine whether you need a SOC 1 or a SOC 2 report to fulfill the needs of a wide variety of clients. Risklane offers an Online Audit Tool (ControlReports) that supports you in integrating the SOC 1 and SOC 2 audits, resulting in two separate reports at no extra cost.

If you want more information about the impact of SOC 1 (ISAE 3402) and SOC 2 (ISAE 3000) on your organization, please contact Securance at (+31) 030 2800888.

Security of IT service while working from home

Currently, more people are working from home than ever before, bringing numerous risks for organizational security. Global data breaches are on the rise, potentially causing significant consequences for businesses. By maintaining security control, organizations can not only retain customer trust but also mitigate financial losses.

ISAE 3000 is the standard for assurance engagements on non-financial information. In practice, the demand is often for a SOC 2 report. A SOC 2 report covers the IT general controls that are mapped to the AICPA Trust Services Criteria. These criteria are best practices from the United States covering security, availability, processing integrity, confidentiality, and privacy.

What are the best ways to keep remote work as secure as possible?

1. Password management.

The widely recommended tip is to use strong passwords. What matters most is length and uniqueness: every account gets its own password, which in practice means employees need a password manager, and multi-factor authentication should be enabled wherever it is offered. Forcing periodic password changes is no longer recommended (NIST SP 800-63B advises against it); instead, change a password as soon as there is any indication it has been compromised. Also ensure that private and work user accounts are separated. Logging in with a private account at home is often easier, but it bypasses the organization's controls and puts security at risk.
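As an added illustration (not code from the original page or from Risklane), the following Python function implements the password acceptance checks that current guidance recommends instead of complexity rules and forced rotation: a minimum length, a blocklist of breached or organization-specific words that is applied after normalisation (so "Welcome2024!" is caught by "welcome"), rejection of passwords that contain the user's own identifier, and a check for near-single-character passwords. The minimum length of 12 and the blocklist contents are assumptions for this example; in production the blocklist would be a breached-password corpus.

```python
"""Password acceptance check for a remote-work password policy.

Added example, not part of the original page. The policy values and the
blocklist below are assumptions; load a real breached-password corpus in
practice.
"""
import re
import unicodedata

MIN_LENGTH = 12   # assumed policy minimum; NIST SP 800-63B requires at least 8
MAX_LENGTH = 128  # upper bound so hashing cost stays predictable

# Constructed sample blocklist: common passwords plus organization-specific words.
SAMPLE_BLOCKLIST = {"password", "welcome", "qwerty", "letmein", "summer", "company"}

# Leet-speak substitutions undone before the blocklist lookup.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalise(pw):
    """Reduce a password to its 'word core' so variants match the blocklist.

    'P@ssw0rd1' -> 'password', 'Welcome2024!' -> 'welcome'.
    """
    core = unicodedata.normalize("NFKC", pw).lower()
    # Strip leading/trailing digits and punctuation ("welcome2024!" -> "welcome").
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_LEET)


def check_password(pw, username="", blocklist=SAMPLE_BLOCKLIST):
    """Return a list of failure reasons; an empty list means the password is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if normalise(pw) in blocklist:
        reasons.append("blocklisted")
    # Reject passwords built around the account name (local part of an e-mail address).
    ident = username.lower().split("@")[0]
    if len(ident) >= 3 and ident in pw.lower():
        reasons.append("contains_identifier")
    # 'aaaaaaaaaaaa' satisfies the length rule but carries almost no entropy.
    if len(set(pw.lower())) < 4:
        reasons.append("low_variety")
    return reasons


if __name__ == "__main__":
    for candidate, user in [("Welcome2024!", "jdoe"),
                            ("correct horse battery staple", "jdoe"),
                            ("jdoe-Summer-2024", "jdoe@example.com"),
                            ("Tr0ub4dor&3", "")]:
        verdict = check_password(candidate, user)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Note that nothing in the check rewards mixing character classes: a four-word passphrase passes, while a short "complex" password fails on length alone. A rotation rule would belong in the compromise-response process, not here.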

2. Screen locking during breaks.

It sounds obvious, but screen locking is often forgotten, and an unlocked screen in a shared household is an open session for anyone who walks past. Make it a habit, and back it up with a short automatic lock timeout enforced by policy. The following shortcuts lock the screen:

  • Windows: Win + L
  • Mac: Cmd + Ctrl + Q

3. Keep private and work separate.

As mentioned earlier, keep private and work separate. Use different passwords for private and work accounts, and do not store them in the same place (for example, the same browser profile or password manager vault). An employee should also never use their work email address to register on external websites: if that site is breached, the work address and any reused password end up in the lists attackers use against the organization.

4. Secure Wi-Fi connection.

A secure Wi-Fi connection sounds simple, but mistakes are often made. People connect to open public Wi-Fi instead of using their phone's hotspot. Instruct employees that when working in public they must use their own hotspot (or, at minimum, the company VPN over the public network) rather than an unsecured Wi-Fi service, and that their home Wi-Fi should use WPA2 or WPA3 with a non-default password.

5. VPN.

It is best to work over the company VPN when working from home. The VPN encrypts traffic between the laptop and the company network, so an untrusted network cannot read or tamper with it, and it keeps internal services behind the organization's own authentication rather than exposed to the internet. Additionally, take browser certificate warnings seriously: if a site does not feel right, it probably is not.

6. Security programs.

Keep systems patched. Operating system and application updates close known vulnerabilities and should be installed automatically, which often happens when the computer boots or shuts down. Organizations should also mandate endpoint protection (antivirus or EDR) that is managed centrally, so that its presence and status on every device can be verified rather than assumed.

Risklane offers services in governance, risk, and compliance. Since 2014, Risklane has been a market leader and the most progressive organization regarding ISAE 3402 implementation and certification. Apart from ISAE 3402 services, we offer services in ISAE 3000, GDPR/AVG, ISO 27001, ISO 9001, and COSO ERM.

What are the requirements for a SOC 1 report?

For 'certification', your organization needs a report describing its risk management and internal control. This report is also known as a System and Organization Controls (SOC) report, terminology that originates from the AICPA in the United States. If a SOC report concerns outsourced activities relevant to financial reporting, it is referred to as a SOC 1 (US) or ISAE 3402 report. If the report covers a specific set of criteria (for example, the Trust Services Criteria), it is called a SOC 2 or ISAE 3000 report. An ISAE 3000 report can also be prepared on compliance with the General Data Protection Regulation (GDPR).

The requirements are set out in the standard itself, issued by the IAASB, which can be downloaded from the IFAC website.

Broadly, the standard consists of the following parts.

To be 'certified' under ISAE 3402, an organization must have a System and Organization Controls report (SOC). The report is free-form, meaning the standard does not prescribe specific content. However, various practices have emerged, and there are also requirements for reports from entities such as De Nederlandsche Bank, sector institutes, or the service organizations themselves. A SOC report is usually divided into two parts: a general part with a description of the organization, its risk management and internal control system, and a 'control matrix'. The control matrix lists the control objectives and describes the control measures that achieve each objective. The ultimate framework for the ISAE 3402 report is the financial statement: all processes that significantly affect financial reporting must be included. Generally, these are the operational and financial processes and the IT general controls.

ISAE 3402 Type I or Type II?

There are two types of reports: a Type I and a Type II report. A Type I report provides a snapshot of the control organization at a single point in time. In the audit, the auditor assesses the control measures only on their design and implementation as of that date: the auditor reviews the entire report (SOC) and walks through each process once. In a Type II report, in addition to design and implementation, the auditor also tests the operating effectiveness of the control measures over a period, typically six to twelve months. Because of the impact of ISAE 3402 on an organization, the usual choice is to start with a Type I report and move to a Type II report in the subsequent period.


Process Approach ISO 9001

The ISO 9001 standard is the international standard for quality management. It focuses on meeting customer requirements and enhancing customer satisfaction. Specific aspects within the ISO 9001 standard are set out as requirements.

The impact of these ISO 9001 components on an organization is depicted in the accompanying figure. Eight defined components together form the Quality Management System (QMS). The QMS is the foundation of an ISO 9001 implementation, ensuring that services meet customer requirements and that customers are satisfied.

The Plan-Do-Check-Act cycle is highlighted in red in the figure. It is central to ISO 9001 implementation: planning from customer requirements, measuring execution, and evaluating the results to improve overall operational quality.

Implementing an effective quality management system is key to sustainable organizational development and can enhance overall performance. ISO 9001 utilizes a process approach and risk-based thinking.

PROCESS APPROACH ISO 9001

The process approach, detailed in the Plan-Do-Check-Act cycle (PDCA), ensures quality management is an integral part of operations, focusing on continual process improvement. It employs risk-based thinking to anticipate events preventing processes from achieving desired outcomes.

BENEFITS OF ISO 9001

  • High customer satisfaction
  • Quality assurance
  • Standardized procedures
  • Motivated and engaged employees