Category: Cyber Security

What are the requirements for a SOC 1 report?

To demonstrate control over the services it provides, your organization needs a report describing its risk management and internal control. This report is known as a Service Organization Control report (SOC), terminology that originates from the United States (AICPA, which now expands the acronym as System and Organization Controls). If the report covers controls that are relevant to the financial reporting of the organizations using the service, it is referred to as a SOC 1 (US) or ISAE 3402 report. If the report gives assurance against a specific set of criteria (for example the AICPA Trust Services Criteria, formerly the Trust Services Principles), it is called a SOC 2 or ISAE 3000 report. An ISAE 3000 report can also be prepared for compliance with the General Data Protection Regulation (GDPR). 'Certification' is used loosely throughout: the outcome is an assurance report signed by an independent auditor, not a certificate.

The requirements are set out in the ISAE 3402 standard itself, issued by the IAASB, which can be downloaded from the IFAC website.

Broadly, an ISAE 3402 engagement rests on the following elements.

To be 'certified' under ISAE 3402, an organization must have a Service Organization Control report (SOC). The standard does not prescribe a fixed format for the report, only which elements the description of the system must cover, so various 'practices' have emerged. Requirements for the report can also come from parties such as De Nederlandsche Bank (the Dutch central bank), sector institutes, or the service organizations themselves. A SOC report is usually divided into two parts: a general part with a description of the organization and its risk management and internal control system, and a 'control matrix'. The control matrix lists the control objectives and describes the control measures that achieve each objective. The ultimate frame of reference for an ISAE 3402 report is the financial statement of the user organizations: every process that materially affects their financial reporting must be included. In practice these are the operational and financial processes together with the General IT Controls (ITGCs) on which those processes depend, such as logical access management, change management and IT operations.

ISAE 3402 Type I or Type II?

There are two types of report: Type I and Type II. A Type I report is a snapshot of the control organization at a single point in time. In the audit, the auditor (in Dutch practice, the 'accountant') assesses the control measures only on their design and implementation (existence): the auditor reviews the entire SOC report and walks through each process once. In a Type II report, the auditor additionally tests the operating effectiveness of the control measures over a stated period, in practice usually at least six months, so evidence such as access reviews, change tickets and reconciliations must exist for the whole period. Because of the impact ISAE 3402 has on an organization, it is common to start with a Type I report and move to a Type II in the following period.

Process Approach ISO 9001

ISO 9001 is the international standard for quality management systems. It focuses on meeting customer requirements and enhancing customer satisfaction, and it sets out the aspects a quality management system must cover as auditable requirements.

The impact of these ISO 9001 components on an organization is visually depicted in the accompanying figure. It shows eight defined components that together form the Quality Management System (QMS). The QMS is the foundation of an ISO 9001 implementation, intended to ensure that services meet customer requirements and that customers are satisfied.

The Plan-Do-Check-Act cycle is highlighted in red. It’s central to ISO 9001 implementation: planning from customer requirements, measuring execution, and evaluating to improve overall operational quality.

Implementing an effective quality management system is key to sustainable organizational development and can enhance overall performance. ISO 9001 utilizes a process approach and risk-based thinking.

PROCESS APPROACH ISO 9001

The process approach, combined with the Plan-Do-Check-Act (PDCA) cycle, makes quality management an integral part of operations and focuses on continual process improvement. Risk-based thinking is used to anticipate events that could prevent processes from achieving their intended outcomes.

BENEFITS OF ISO 9001

  • High customer satisfaction
  • Quality assurance
  • Standardized procedures
  • Motivated and engaged employees

Consequences of ISAE 3402

To obtain ISAE 3402 'certification', you need a description of your internal control, also known as a Service Organization Control report (SOC).

This report is examined by an external auditor. Strictly speaking the auditor does not certify anything: the auditor issues an assurance report, in accordance with the ISAE 3402 standard, on your SOC report. Specific requirements exist for the content of such a SOC or ISAE 3402 report. At Risklane, we write your report according to these requirements. We can then connect you with an external auditor who will issue the ISAE 3402 assurance report.

Many organizations focus on their core activities, outsourcing non-core activities to other organizations. Due to regulatory requirements and decreasing trust between market parties, the demand for assurance about outsourcing has increased. An ISAE 3402 provides assurance about all processes that ultimately affect the financial statements of the using organization.

Many organizations supervised by De Nederlandsche Bank (the Dutch central bank, DNB) must demonstrate that outsourced processes are effectively controlled. An ISAE 3402 report is a recognized way to do so and is now required for more organizations, such as health insurers and firms supervised by the AFM (the Dutch Authority for the Financial Markets). International companies supervised by the SEC that must comply with Section 404 of the Sarbanes-Oxley Act (SOX 404) likewise need ISAE 3402 or SSAE 16 (since 2017 SSAE 18, the SOC 1) reports for the processes they outsource, because controls at the service provider form part of their own internal control over financial reporting. In these cases the demand for ISAE 3402 is certainly justified.

What is GDPR/AVG?

EUROPEAN PRIVACY REGULATION

The European Union concluded that the previous legislation, the Data Protection Directive of 1995 (95/46/EC), no longer matched the continuous changes brought by digitization. The replacement takes the form of a European regulation applicable to all organizations in the European Union: the General Data Protection Regulation (GDPR, in Dutch the AVG), adopted in 2016 and applicable since 25 May 2018. As a regulation it applies directly in all EU member states without transposition into national law, and it also reaches organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.

NEW PRIVACY CONCEPTS GDPR (AVG)

The GDPR introduces or strengthens concepts such as the right of access, the right to be forgotten (right to erasure) and the right to data portability. In addition, the GDPR is built on a set of privacy principles (Article 5): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. These bring a range of obligations for organizations, from keeping a register of processing activities (Article 30) to carrying out a Data Protection Impact Assessment (DPIA, Article 35) for high-risk processing and appointing a Data Protection Officer (DPO, Article 37).

IMPACTS OF GDPR

For most organizations the impact of the General Data Protection Regulation comes down to maintaining a register of processing activities and implementing information security measures appropriate to the risk of the processing (Article 32, which explicitly names pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience, timely restoration of access after an incident, and regular testing of those measures). Whether the other obligations apply depends on the nature and scale of your processing; Risklane offers solutions to determine which measures are mandatory within your organization. The key potential obligations are:

  • Security measures
  • Register of processing activities
  • Data Protection Impact Assessment (DPIA)
  • Data Protection Officer (DPO)