Value of ISAE 3000 | SOC 2 Assurance

Who can expect value from ISAE 3000 | SOC 2 Assurance?

ISAE 3000 | SOC 2 is specifically designed for service providers storing customer data in the cloud. This means ISAE 3000 | SOC 2 assurance can add value to almost any SaaS company, as well as any organization using the cloud to store customer information.

ISAE 3000 | SOC 2 requires service providers to establish and follow strict information security policies and procedures covering the security, availability, processing integrity, and confidentiality of customer data. ISAE 3000 | SOC 2 assurance shows that a service provider’s information security measures align with current cloud regulations. As businesses increasingly use the cloud to store customer data, ISAE 3000 | SOC 2 compliance becomes a necessity for a wide range of organizations providing cloud services. The ISAE 3000 | SOC 2 report can provide transparency and assurance to various stakeholders.

The ISAE 3000 | SOC 2 report is unique

The ISAE 3000 | SOC 2 requirements provide a service provider with a degree of flexibility in deciding how to meet the Trust Services criteria. Therefore, ISAE 3000 | SOC 2 reports are unique to each individual organization. In essence, the service provider looks at the ISAE 3000 | SOC 2 requirements, decides which are relevant to their organization, and then defines their own controls to meet those requirements. The service provider can define additional controls if necessary and ignore others if they are not relevant to their core activities. The ISAE 3000 | SOC 2 audit is the auditor’s judgment on how the service provider’s control measures meet the requirements.

ISAE 3000 | SOC 2 and ISO 27001

ISAE 3402 | SOC 2

ISAE 3000 | SOC 2 is the international standard for assurance on security and other non-financial information. ISAE 3402 is applied when outsourcing involves financial information processed by the service organization. If this is not the case, SOC 2 can be used, for example when only the General IT Controls (GITCs) are included in the scope of the SOC report. The SOC 2 standard does not itself include provisions for internal control components such as those of the COSO framework, so these components are not mandatory in a SOC 2 report. In the United States, the standards for SOC 2 reports are the Trust Services Criteria and SSAE 18, which include specific requirements for GITCs at service organizations. If a SOC 2 report is prepared according to the Trust Services Criteria, then these components are mandatory.

ISO 27001

Information security is important for every company. The ISO 27001 standard is an international framework for information security and can be used to establish an information security management system. Risklane has over 10 years of experience in setting up risk management structures, information security, and process improvement. Information security must always add value by making the organization more manageable, and ISO 27001 provides opportunities to win new customers.

Which one is more suitable for you?

Both standards are intended to provide assurance to your customers. There are three key considerations for what will best suit your customers:

  • Have your customers specifically requested or mandated one of the two standards?
  • Where are your customers located?
  • In which sectors are your customers active?

Customers prefer the standard they are more familiar with. European customers tend to prefer ISO 27001, while SOC 2 is preferred in the US. The financial services sector prefers SOC 2, which aligns with its focus on operational effectiveness and stems from the accounting practice that applies to its business and, more broadly, from its legal requirements.

It is best to discuss the approach with existing customers and/or any potential customers. This way, you won’t be caught off guard and can make an informed choice.

COSO 2013 framework

On December 15, 2014, the transition period for adopting the COSO 2013 framework ended. What are the opportunities and risks that arise from this transition? The COSO Internal Control Integrated Framework (ICIF) 2013 is a comprehensive update of the COSO ICIF 1992 model.

IT General Control

More organizations are outsourcing IT or other processes. This outsourcing brings efficiency but also risks. Is information security well managed? How is privacy handled? The ISAE 3402 standard is the standard for reliable outsourcing and provides answers. This standard ensures that aspects such as risk management, information security, privacy, anti-fraud measures, and continuity are controlled. An ISAE 3402 | SOC 1 report describes how risks are managed, and a service auditor then verifies whether this is indeed happening. What steps do you need to take to obtain such a report?

Firstly, you need to describe the organization’s risk management and internal control measures in a report. These internal control measures are also called controls. The report is called a Service Organization Control (SOC) report, a term from the United States. If the SOC report concerns the outsourcing of (financial) processes, then it is called a SOC 1 or ISAE 3402 report. If the report concerns processes that do not affect the financial statements (and are based on, for example, the Trust Services Principles), then it is called a SOC 2 or ISAE 3000 report. This may seem complicated, but you could say that as soon as your organization provides services that ‘touch’ your customer’s financial statements, a SOC 1 applies, and if there are no implications for the financial statements, a SOC 2 applies.

IT general control

Consider a managed server provider: no financial information is processed by the service organization, but if the network fails, this could affect the customer’s financial statements because the ERP system runs on that network. Therefore, IT General Controls (ITGCs) are important: they are the control measures an organization has implemented to ensure that its IT systems are reliable and operate with integrity. These IT General Controls are described in the SOC 1 (ISAE 3402) report of the managed server provider. In addition, a description of the organization and a description of its risk management are included so that the customer can view these controls from the right perspective.