Cloud services and ISAE 3402 | SOC 1
The demand for ISAE 3402 has increased significantly within IT outsourcing and cloud services. The ISAE 3402 register includes an impressive list of SaaS and hosting providers that are ISAE 3402 certified. What explains this increased demand in the IT sector, and more specifically in the cloud services industry, including SaaS, IaaS, PaaS, and data center services? ISO 27001 is, after all, the crucial international certification standard for information security. A key reason is that more and more of organizations' critical systems are being offered from the cloud. But why is ISAE 3402 so important, and why is ISO 27001 not sufficient? The answer begins in the financial sector.
Financial Institutions
Financial institutions are required by laws and regulations, such as the Pension Act or the Financial Supervision Act (Wft), to demonstrably manage risks related to outsourcing. The Dutch Central Bank and the Netherlands Authority for the Financial Markets (AFM) do not consider an ISO 27001 certification as an adequate guarantee. The Dutch Central Bank does recognize ISAE 3402 as a sufficient guarantee and even requires such a report in laws and regulations.
Auditors and Corporates
In addition to financial institutions, auditors play a crucial role. Organizations subject to statutory audits are increasingly using cloud services. As a result, auditors must include the processes running on cloud systems in their financial statement audits. For these audits, auditors often rely on ISAE 3402 assurance reports issued by specialized service auditors. A further reason lies in the normative framework.
Normative framework of ISAE 3402 and ISO 27001
Unlike ISO 27001, ISAE 3402 has a normative framework: the financial statements or, more specifically, all processes relevant to the internal organization of the user organization, with a particular focus on the financial statements. In other words, it covers all processes that feed into the financial processing reflected in the financial statements. For many organizations, data from operational processes is stored in the cloud, or operational processes are outsourced to a SaaS provider or hosted by a hosting party. These operational processes almost always directly or indirectly impact the financial statements. As mentioned above, auditors will consider these processes important when performing financial statement audits.
An auditor cannot derive value from an ISO 27001 certification. An ISAE 3402 certification, by contrast, is recognizable to an external auditor and is also (technically) useful for the user organization's financial statement audit. Unlike ISO 27001, ISAE 3402 does not provide detailed standards for information security. In practice, the COBIT 5 framework is often used, because this normative framework is sufficient to ensure information security for financial reporting purposes. For these reasons, an ISAE 3402 report often provides more added value for both user organizations and their auditors, as it covers not only the security components of ISO 27001 but also all processes that affect the financial statements.
Cloud Security
An important question for the future is how cloud security will be addressed. In many cases, it is unclear where information is stored in the cloud and whether the countries in which this data is stored also comply with regulations such as the General Data Protection Regulation (GDPR). To what extent does a cloud service provider have its processes in order, which security guidelines does it follow, and how are operational IT risks managed?
In the United States, the government requires all parties providing cloud services to the government to comply with the FedRAMP guidelines. Similar requirements have not yet been formulated for private parties, even under the American Sarbanes-Oxley (SOx 404) requirements. Primarily in the case of outsourcing by publicly traded organizations, the SSAE 18 requirements must be met. These are largely consistent with the ISAE 3402 requirements. Here, too, the ISAE 3402 certification provides a solution: once the ISAE 3402 requirements are met, SSAE 18 certification can be obtained with relatively limited effort.
Based on the above, it can be concluded that ISAE 3402 can be used for multiple purposes, both to demonstrate to a client that outsourced processes are well controlled and to provide useful information for the external auditor.