Does my non-US business need a SOC 1, 2, 3 or SAS 70 report? ISAE 3402 and ISO 27001 perform similar functions
“Our US based client has asked for our SOC 2 audit report! I haven’t heard of one! What is it? What do I do?”
Service Organisation Controls (SOC) are a US-centric accounting standard, designed to assess the controls an organisation has over its information (SOC 1), over the services affecting availability, integrity and confidentiality (SOC 2), and over trust services (SOC 3).
SOC was introduced by the American Institute of Certified Public Accountants (AICPA), and each report must be issued by an AICPA-certified public accountant.
In a nutshell, SOC is a US audit report, used by US businesses and issued by a US-certified auditor. If your organisation is outside the USA, this report might be irrelevant to your local business context and may be difficult to come by, because it has to be issued by an AICPA-certified accountant. Difficult, but not impossible: you may have to refer your query to a large international auditing firm.
If your US-based client is asking for a SOC 2 or SOC 3 report, you might want to inform your client that the report is US-centric and possibly not relevant to, or available in, your country (do your homework here – I do not know each country’s specifics). The organisation may simply be following its usual business procedure and may not have dealt with a foreign service provider before.
If an alternative is required, ISAE 3402 is the international equivalent and provides assurance that effective operational controls are in place at a service organisation. This suits any organisation looking for assurance over its cloud vendor, and any cloud vendor wanting to contain the endless stream of customer requests for external audit assurance. Like the SOC reports, these audits are conducted by qualified auditing firms, so they may not always be performed by Information Security professionals. ISAE 3402 Type 1 reports are point-in-time and focus on establishing that the organisation has an effective control baseline, while ISAE 3402 Type 2 reports show that there is a continued, operational process that is effective and maturing over a period of time. More information on ISAE 3402 is available here.
If you prefer your certifications more grounded in Information Security traditions, then a non-US choice is the ISO 27000 series of Information Security standards. If your client will accept it, undergo an ISO 27001 audit to achieve ISO 27001 certification. An ISO 27001 certification means your organisation had an acceptably robust information security management system at that point in time, and accordingly the certification expires. Such a management system is useful from an organisational management perspective, and there are commercial bragging rights that go with a successful certification. However, be aware that achieving ISO 27001 certification is a significant undertaking.
If your client is asking for a SAS 70 audit report, note that SOC 1 replaced SAS 70 in 2011. What they really want is a SOC 1 report or, internationally, an ISAE 3402 audit.