Category: Assurance


Cloud services and ISAE 3402 | SOC 1


The demand for ISAE 3402 has increased significantly within IT outsourcing and cloud services. The ISAE 3402 register includes an impressive list of SaaS and hosting providers that are ISAE 3402 certified. What is the reason for this increased demand in the IT sector, and more specifically, in the cloud services industry, including SaaS, IaaS, PaaS, and data center services? ISO 27001 is a crucial international certification standard for information security. So why has the demand for ISAE 3402 certification increased in the IT sector? A key reason is that more and more critical systems of organizations are being offered from the cloud. But why is ISAE 3402 so important, and why is ISO 27001 not sufficient? The answer begins in the financial sector.

Financial Institutions

Financial institutions are required by laws and regulations, such as the Pension Act or the Financial Supervision Act (Wft), to demonstrably manage risks related to outsourcing. The Dutch Central Bank and the Netherlands Authority for the Financial Markets (AFM) do not consider an ISO 27001 certification as an adequate guarantee. The Dutch Central Bank does recognize ISAE 3402 as a sufficient guarantee and even requires such a report in laws and regulations.

Auditors and Corporates

In addition to financial institutions, auditors play a crucial role. Organizations subject to statutory audits are increasingly using cloud services. As a result, auditors must include processes on cloud systems in their financial statement audits. For these audits, auditors often rely on ISAE 3402 assurance reports from specialized service auditors. Furthermore, the normative framework is essential.

Normative framework of ISAE 3402 and ISO 27001

Unlike ISO 27001, ISAE 3402 has a normative framework: the financial statements or, more specifically, all processes relevant to the internal organization of the user organization, with a particular focus on the financial statements. In other words, it covers all processes that feed into the figures reported in the financial statements. For many organizations, data from operational processes is stored in the cloud, or operational processes are outsourced to a SaaS provider or hosted by a hosting party. These operational processes almost always directly or indirectly impact the financial statements. As mentioned above, auditors will consider these processes important when performing financial statement audits.

An auditor cannot derive value from an ISO 27001 certification. In such a case, an ISAE 3402 certification is recognizable to an external auditor and is also (technically) useful for the user organization’s financial statement audit. Unlike ISO 27001, ISAE 3402 does not provide detailed standards for information security. In practice, the COBIT 5 framework is often used because this normative framework is sufficient to ensure information security for financial reporting purposes. For these reasons, an ISAE 3402 report often provides more added value for both user organizations and their auditors, as it includes not only the security components of ISO 27001 but also all processes that affect the financial statements.

Cloud Security

An important question for the future is how cloud security will be addressed. In many cases, it is unclear where information is stored in the cloud and whether the countries where this data is stored also comply with regulations such as the General Data Protection Regulation (GDPR). To what extent does a cloud service provider have processes in order, what security guidelines are used, and how are operational IT risks managed?

In the United States, the government requires all parties providing cloud services to the government to comply with the FedRAMP guidelines. Similar requirements have not yet been formulated for private parties, even under the American Sarbanes-Oxley (SOx404) requirements. Primarily, in the case of outsourcing by publicly traded organizations, the SSAE 18 requirements must be met. These are largely consistent with the ISAE 3402 requirements. In this case, too, the ISAE 3402 certification provides a solution: because the two sets of requirements overlap to such a large extent, an organization that already meets ISAE 3402 can obtain SSAE 18 certification with relatively limited effort.

Based on the above, it can be concluded that ISAE 3402 can be used for multiple purposes, both to demonstrate to a client that outsourced processes are well controlled and to provide useful information for the external auditor.


How to choose the right SOC 2 principles?


A common question is who is responsible for determining and selecting the principles to be included in a SOC 2 examination. The answer to this question is not always what a service organization wants to hear. As with a SOC 1, management is always tasked with choosing the Trust Services Principles (TSPs). This often comes down to which principles fit your business, services, and clients. Unfortunately, there is no definitive list of rules that must be followed when selecting these principles. Below is a description of these TSPs:

  • Information Security: The system is protected against unauthorized access, use, or modification to meet the entity’s system requirements.
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

The scope

Before deciding on the principles, you must first determine the scope of the examination. This is done by identifying the various components that fall within the scope, including third parties offering the same services. This is an important step, as organizations often have a narrower view of their services and what should be included in a SOC 2 system. Moreover, organizations must carefully consider their infrastructure, software, personnel, procedures, and data when defining the outline of a SOC 2 examination. Each of these individual components is further described in SOC 2 literature.

Information Security

After establishing the scope, the next step is to determine which principles apply to the service organization’s system. Take, for example, the Security principle. This must be included in all SOC 2 examinations because it contains criteria related to all other principles. These common criteria include ensuring the security of a system, such as detecting and preventing unauthorized modification, destruction, or disclosure of information.

If a client wants reasonable assurance about the security of their data, they are likely most interested in the Security principle. This principle is so broad that it may suffice for the client to examine only this principle to gain a sense of security over their data.

Availability

The second most commonly chosen principle for a SOC 2 examination is Availability. Since most service organizations provide an outsourced service to their clients, the availability of this service is often contractually defined through Service Level Agreements (SLAs). Therefore, the Availability principle is a compelling one to include in a SOC 2 examination.

Processing Integrity

If the service organization processes transactions for its clients, a third interesting principle is Processing Integrity. This principle contributes to the assurance that data is processed completely, validly, accurately, and in an authorized manner. In addition to the Security principle, the Availability principle, and Processing Integrity, two other principles can be included in a SOC 2 examination.

Confidentiality and Privacy

The final two principles are Confidentiality and Privacy. These are often discussed in the same context, although the principles are distinct. Moreover, many organizations consider these two principles to be of great importance for the SOC 2 examination. The principles are similar in that they both relate to the information ‘in’ the system. The difference is that the Privacy principle only applies to personal information. However, the term ‘confidential information’ can have different meanings for different companies. If the service organization handles confidential information and specific agreements have been made about securing this data, then the Confidentiality principle is relevant.

Within the context of a SOC 2 examination, Privacy relates to the protection of personal information. If a service organization has responsibility for managing the ‘lifecycle’ of personal information (also known as PII, Personally Identifiable Information), then this principle is interesting to include in the examination. The lifecycle refers to the collection, use, disclosure, storage, and destruction of personal information.

Overall, choosing the right principles is an important process. It begins with being well-informed about which principles are best applied in a given situation. This requires a good understanding of the organization. Subsequently, the knowledge and experience of an experienced SOC 2 firm is invaluable. A reputable company will guide an organization in selecting the appropriate principles for the SOC 2 examination.

ISAE 3402 vs. ISAE 3000 vs. ISO 27001


There is often confusion surrounding ISAE 3402, ISAE 3000, and ISO 27001. Many clients ask which standard is best and what the benefits are. This varies per organization, and this article explains the standards and describes their advantages.

ISAE 3402

The ISAE 3402 standard refers to the reporting standards for internal controls relevant to financial reporting. This means that this standard assesses the effectiveness of the systems that support the security and integrity of the underlying data. ISAE 3402 is suitable for services with business process objectives that go beyond just the core focus on technology and security.

Benefits:

  • Internationally recognized
  • Improved risk management
  • Fewer audits by accountants
  • Portrays an ‘in control’ image to clients
  • Supports professionalization

ISAE 3000

The ISAE 3000 standard is the framework for managing and reporting on new technological risks and associated control practices. This relates to the security of an organization, confidentiality of the organization, processing integrity, and customer privacy. The ISAE 3000 standard attempts to combine the best of both worlds. It is a combination of the increased assurance of operational effectiveness from the ISAE standards and the refined focus on cybersecurity, as exemplified by the ISO 27001 standard.

Benefits:

  • Internationally recognized
  • Robust standard for information security
  • Recognized by accountants
  • Supports organizational professionalization

ISO 27001

The design and implementation of an Information Security Management System (ISMS) are established in the ISO 27001 standard. ISO 27001 can be used to implement information security. The latest ISO 27001 standard was published in 2017. This standard is based on the HLS structure.

ISO 27001 is globally recognized and supported as one of the best standards for information security. It is the actual ‘best practice’ approach to managing information security within an organization.

Implementation of ISO 9001


The ISO 9001 standard is the international standard for quality management. The ISO 9001 standard focuses on two key aspects: meeting customer requirements and increasing customer satisfaction. To achieve this, the ISO 9001 standard outlines specific aspects that are elaborated into requirements.

Phase 1

An ISO 9001 implementation begins in the first phase with determining the scope. This scope encompasses the quality management system aimed at meeting customer requirements and improving customer satisfaction.

Deliverable: ISO 9001 scope

Phase 2

In the second phase, the organization must establish a general quality management policy. The general section describes, at a minimum, the characteristics of the organization, the characteristics of the organization’s services and/or products, the inputs and expected outputs, the resources required for the processes, and the associated responsibilities and authorities.

Regarding the policy, the following is included:

  1. A description of the risk framework. Different risk frameworks can be chosen, such as COSO 2013 or ISO 31000. The risk framework should be described from the perspective of quality control.
  2. How the organization deals with any laws, regulations, requirements, and guidelines that the organization itself imposes on quality.
  3. The policy must demonstrably align with the current risk management framework that has been implemented (alignment with COSO 2013). It should also include how the organization approaches the implementation and control of the quality management system and the methods and controls needed to ensure that procedures are carried out effectively.
  4. Which processes have been determined for the evaluation and improvement of the quality management system.
  5. The organization’s management or directors must approve the policy.

Deliverable: Policy document

Phase 3

In Phase three, a risk analysis is performed in the area of quality management. Based on the risks identified in Phase three, processes and procedures are described. Subsequently, the procedures and processes are implemented within the organization, and finally, the quality management manual is prepared and made available to all employees of the organization.

Deliverable: Risk analysis & quality management manual

Phase 4

After the manual has been described, a pre-audit or walkthrough is conducted in the fourth phase, during which all control measures and ISO 9001 procedures are tested, and potential problem areas are identified for the final audit.

Phase 5

In the fifth phase, improvements to control measures and the quality management system are implemented based on the pre-audit findings, and solutions are realized for the identified problem areas.

Phase 6

In the sixth and final phase, the ISO 9001 audit is conducted by a certifying body, and the ISO 9001 certificate is obtained.