All types of outsourcing of IT services, whether it’s to a local service provider or a global hyperscale cloud provider, have this in common: You can outsource a business process, but you cannot outsource the ownership of your business’s risk.
That is why most companies that outsource must find ways to ensure their service providers are performing according to the rules, the standards and the laws that the business requires.
Traditionally, the way this works is that the companies include “right-to-audit” clauses in their contracts with the service providers. Then, typically once a year, this right is exercised by having IT auditors visit the service provider to take a closer look at its set-up, the services it provides, the sites, infrastructure, operational processes, system support and people.
In today’s hybrid, complex and distributed IT world, on-site audits can only focus on a very limited set of controls, or they become extremely time-consuming and expensive. As the contracting party, you normally must cover the expenses for the IT auditors, for your own staff who spend time preparing, attending and interpreting findings, and for the time your service provider spends.
Most of the time, due to time and cost constraints, such audits only scratch the surface at the service provider.
So, what should you do to satisfy your own or your auditor’s need to get assurance that the services are provided in accordance with your security requirements, and with a quality of service that reduces your risk?
Let us introduce Third Party Attestation Reporting (SOC reports)
What is it?
Service Organization Controls (SOC) reports are prepared and issued by an independent auditing company and include descriptions of the service organization’s internal security controls, as well as the auditor’s assessment of the suitability and effectiveness of those controls. The full and unedited reports are distributed to the service organization’s customers and their auditors.
Report types and intended use
There are several types of reporting standards:
- ISAE3402 / SOC1. This primarily covers internal controls relevant to financial reporting, with the purpose of ensuring compliance with laws and regulations. The intended users of these reports are the customer’s management and their auditors.
- SOC2. This reports on internal controls related to general Information Security, Availability and Confidentiality. For each of these domains the control objectives are predefined by the standard. Intended users are the customer’s management, Information Security Managers and regulators.
- SOC3. These are less detailed reports, usually an executive summary of a SOC2 report. As they disclose fewer details, they are typically made generally available, for instance through the service provider’s website.
SOC1 and SOC2 both come in Type I and Type II.
Type I reports are point-in-time, as they only focus on how the security controls have been defined and implemented by the service organization at the time of the audit.
Type II reports, however, assess and validate both the suitability of the controls (that the controls are defined and implemented in a way that meets the control objectives) and their effectiveness (that the controls are consistently used by the service organization). To prove the latter, the auditor performs randomized sampling and collects evidence from the entire reporting period, typically one calendar year.
What makes this different from ISO certifications?
There is a great deal of overlap between the Information Security Management standard ISO27001 and SOC attestation reports. The ISO standard, however, allows companies to define their own scope and their own benchmarks (security policies and goals). So, for anyone to accept a service provider’s ISO27001 certification as evidence that the provider fulfills your security requirements, you at least need to understand the scope and the security policies the certification is based on, and check that they match your needs.
ISO audit reports are generally not available to anyone other than the audited party. Customers may be provided the actual certificate, perhaps a copy of the security policies, and a document explaining the scope of the audited management system, but organizations are usually not allowed to distribute the full audit report.
For an ISAE3402 or SOC2 report, however, you get full insight into all parts of a very comprehensive report. Among other things, the reports include both the organization’s management statements and descriptions of its security controls, as well as the independent auditor’s test procedures, test results and findings.
Note that a SOC report is not a certification as such, but rather a compliance report produced by an independent auditor.
The main benefits
Getting the appropriate SOC report from your service provider will give you the following benefits:
- Save cost on performing your own audits. Such audits will no longer be required, or will at least need a much-reduced scope.
- Get the full picture. As the reports are based on samples from the full (12 months) reporting period, they cover a lot more than you would be able to assess in customer-specific audits.
- Leverage these reports in your own audit and reporting. As these reports are based on internationally recognized standards, your auditors can easily make use of them directly.
- Get insight into your service provider’s security controls. The reports include the service provider’s description of the control environment, the processes and the individual controls.
- Get verification of the control effectiveness. This will enable you to assess whether the service provider’s regular control effectiveness is satisfactory, and where you should focus your improvement efforts.
The service provider will also benefit from this, as the number of audits will be reduced and the actual auditing will be more coordinated and efficient. This should eventually result in lower compliance costs, which benefits all parties.
The next time you are reviewing the security compliance of your service provider, or the next time you select an outsourcing partner, check whether you can get access to their SOC reports. That will give you better control at a lower cost. That is what we all want, right?
Esten Hoel is our SVP Security and Compliance and is part of the Basefarm management team. He has a long history in the IT industry but has also worked within mobile communications and for the Winter Olympics in Lillehammer in 1994. He is passionate about transforming security to support people and organizations, and he believes that policies, technology and processes are here to help, not to stop, organizations, and to enable innovation. His motto is “systematic work, always works”.
Esten Hoel, SVP Security and Compliance, Basefarm