Category: Assurance

Consequences of ISAE 3402

To obtain an ISAE 3402 certification, you need to have a description of your internal control, also known as a Service Organization Control Report (SOC).

This report is certified by an external accountant. The accountant doesn’t actually certify but provides an assurance report in accordance with the ISAE 3402 standard for your SOC. Specific requirements exist for the content of such a SOC or ISAE 3402 report. At Risklane, we describe your report according to these requirements. We can then connect you with an external accountant who will certify your ISAE 3402.

Many organizations focus on their core activities, outsourcing non-core activities to other organizations. Due to regulatory requirements and decreasing trust between market parties, the demand for assurance about outsourcing has increased. An ISAE 3402 provides assurance about all processes that ultimately affect the financial statements of the using organization.

Many organizations supervised by the Dutch Central Bank must demonstrate that outsourced processes are effectively controlled. An ISAE 3402 report can be helpful in this regard and is now mandatory for more organizations, such as healthcare insurers and the AFM. International companies supervised by the SEC and required to comply with SOX 404 must also meet all ISAE 3402 or SSAE 16 requirements for the processes they outsource. In these cases, the demand for ISAE 3402 is certainly justified.

What is GDPR/AVG?

EUROPEAN PRIVACY REGULATION

The European Commission has decided that the current legislation no longer aligns with the continuous changes resulting from digitization. This new privacy regulation comes in the form of a European regulation applicable to all organizations in the European Union; the General Data Protection Regulation (GDPR). The GDPR applies directly in all EU member states without the need for transposition into national law.

NEW PRIVACY CONCEPTS

GDPR (AVG) introduces new concepts, such as the right of access and the right to be forgotten. Additionally, GDPR is based on a set of privacy principles. This entails various obligations for organizations. These obligations can range from establishing a register of personal data processing activities to conducting risk assessments (DPIA) and appointing a Data Protection Officer (DPO).

IMPACTS OF GDPR

The impacts of the General Data Protection Regulation are limited for most organizations to maintaining a register of processing activities and implementing privacy-focused information security measures. Risklane offers various solutions to determine which measures are mandatory within your organization. The key potential obligations include:

  • Security measures
  • Register of processing activities
  • Data Protection Impact Assessment (DPIA)
  • Data Protection Officer (DPO)

Value of ISAE 3000 | SOC 2 Assurance

Who can expect value from ISAE 3000 | SOC 2 Assurance?

ISAE 3000 | SOC 2 is specifically designed for service providers storing customer data in the cloud. This means ISAE 3000 | SOC 2 assurance can add value to almost any SaaS company, as well as any organization using the cloud to store customer information.

ISAE 3000 | SOC 2 requires service providers to establish and follow strict information security policies and procedures covering the security, availability, processing integrity, and confidentiality of customer data. ISAE 3000 | SOC 2 ensures that a service provider’s information security measures align with current cloud regulations. As businesses increasingly use the cloud to store customer data, ISAE 3000 | SOC 2 compliance becomes a necessity for a wide range of organizations providing cloud services. The ISAE 3000 | SOC 2 report can provide transparency and assurance to various stakeholders.

The ISAE 3000 | SOC 2 report is unique

The ISAE 3000 | SOC 2 requirements provide a service provider with a degree of flexibility in deciding how to meet the Trust Services criteria. Therefore, ISAE 3000 | SOC 2 reports are unique to each individual organization. In essence, the service provider looks at the ISAE 3000 | SOC 2 requirements, decides which are relevant to their organization, and then defines their own controls to meet those requirements. The service provider can define additional controls if necessary and ignore others if they are not relevant to their core activities. The ISAE 3000 | SOC 2 audit is the auditor’s judgment on how the service provider’s control measures meet the requirements.

ISAE 3000 | SOC 2 and ISO 27001

ISAE 3402 | SOC 2

ISAE 3000 | SOC 2 is the international standard for security and other non-financial information. ISAE 3402 is applied when there is outsourcing involving financial information processed by the service organization. If this is not the case, SOC 2 can be used instead, for example when only the General IT Controls (GITCs) are included in the scope of the SOC report. The SOC 2 standard does not include provisions for an internal control framework such as COSO, so these components are not mandatory in a SOC 2 report. In the United States, the standards for SOC 2 reports are the Trust Services Criteria and SSAE 18, which include specific requirements for GITCs at service organizations. If a SOC 2 report is prepared according to the Trust Services Criteria, these components are mandatory.

ISO 27001

Information security is important for every company. The ISO 27001 standard is an international framework for information security. ISO 27001 can be used to establish information security. Risklane has over 10 years of experience in setting up risk management structures, information security, and process improvement. Information security must always have added value, making the organization more manageable, and ISO 27001 provides opportunities for new customers.

Which one is more suitable for you?

Both standards are intended to provide assurance to your customers. There are three key considerations for what will best suit your customers:

  • Have any of your customers specifically requested or mandated one of the two standards?
  • Where are your customers located?
  • In which sectors are your customers active?

Customers prefer the standard they are more familiar with. European customers tend to prefer ISO 27001, while SOC 2 is preferred in the US. The financial services sector prefers SOC 2, aligning with their focus on operational effectiveness and stemming from the accounting practice applicable to their business and legal requirements more broadly.

It is best to discuss the approach with existing customers and/or any potential customers. This way, you won’t be caught off guard and can make an informed choice.