Usage of ISAE and SOC standards in information security assurance

In today’s business environment, organizations who provide business critical services often face questions about their information security. Understandably, the companies who use these services are concerned about security of their data or availability of the service. Clauses and annexes of service contracts often state the baseline for security topics but sometimes it is not enough.

There are various ways how organizations can demonstrate their security to their clients. The most simple way is to provide a formal statement to the client or complete a questionnaire at regular intervals. Or client may perform an audit to the security of the service provider if agreed in the service contract. ISO27001 is internationally recognized standard which can be used to get organization’s information security management system certified.

There is also another way to provide assurance on organization’s information security with the credibility of international standards – using ISAE or SOC standards.

In ISAE or SOC engagement an assessment is performed by an external auditor (e.g. KPMG). Based on this assessment the auditor provides a formal, structured assurance report which can be shared to organization’s clients and other interested parties within certain requirements.

ISAE 3000

ISAE 3000-standard (International Standard on Assurance Engagements) is used to provide assurance over non-financial information. The standard can cover various subject matters ranging from sustainability or governance topics to information security. The criteria for the work is selected based on the subject matter. When talking about information security some typical control area examples are technical security, availability, continuity and confidentiality.

ISAE 3000 recognizes two types of report:

·    Type 1 report provides assurance on design and implementation of controls on a certain date

·    Type 2 report provides assurance on design, implementation and continuous effectiveness of controls during certain time period, usually one year

For information security the most common criteria used is TSC (2017 Trust Services Criteria) set forth by AICPA (American Institute of Certified Public Accountants). Most important factor in selecting this criteria is that it is highly compliant with SOC 2 requirements which are commonly used in US. It also aligns well to most common other security frameworks (e.g. COSO).

Parties usually interested in ISAE 3000 reports are organization’s existing and potential customers and business partners. Also regulatory bodies may be interested in ISAE 3000 reports in some cases.

ISAE 3402

If your organization provides services related to accounting or financial information then ISAE 3402 might be more suitable standard. It is meant for assessment of internal controls over financial reporting. Control areas covered in ISAE 3402 engagements are usually related to financial controls  such as payroll but can be extended to cover information security in a limited manner as well.

Like ISAE 3000 there are also similar two types of reports recognized in ISAE 3402, type 1 covering a certain date and type 2 covering a period of time.

Parties interested in ISAE 3402 reports are usually organization’s customers and their financial auditors.

SOC 1, SOC 2, SOC 3

SOC standard (Service Organization Controls) is an US equivalent of ISAE with some minor differences. In SOC assurance engagements the overall setting of the engagement is the same – external auditor performs an assessment and provides a report. The key difference in the standard is that the engagement requires significant involvement of US affiliated CPA. For European organizations this usually means significantly higher costs.

If the criteria for ISAE 3000 or 3402 engagement is selected correctly the report is very close equivalent to SOC reports and can usually substitute a SOC report. KPMG has done dozens of ISAE reports to Finnish and Estonian customers and many have utilized the report successfully with their US based customers.

SOC 1 standard is a close equivalent of ISAE 3402 focusing of internal controls over financial information. SOC 2 focuses on non-financial information like ISAE 3000. SOC 3 is a limited representation of the former two meaning a condensed summary report of an assurance engagement for wider distribution.

Execution of an assurance engagement

Before starting an assurance engagement it is important to consider the organization’s maturity level in the subject matter. In information security field the organization should consider it’s processes and systems and consider whether there are any shortcomings. If there is uncertainty the engagement can be started with a gap analysis phase to discover the key development areas before the actual assessment takes place from three to six months after.

The assurance engagement starts with thorough planning. The scope and limitations for the engagement are set, key personnel identified and deadlines set. Planning usually takes a week or two.

After planning activities the assessment fieldwork can start. Fieldwork includes several interviews and documentation reviews related to the subject matter. The fieldwork usually takes from two to eight weeks making it the most time consuming part of the engagement. It also requires a lot of involvement from the organizations employees.

When the fieldwork is finished the results of the works are translated in the form of an assurance report. The reporting takes two to four weeks including several quality assurance related activities. Reporting requires some involvement of the management of the organization but generally the workload is significantly smaller than during the fieldwork.

Advantages and limitations of ISAE

The key deliverable of an ISAE assurance engagement is the assurance report. The report covers a date or time period in the past which has been assessed by the external auditor. It is important to understand that the report does not give any estimation or insight to the future state of the subject matter. It also isn’t rock solid proof that there have been no incidents or misstatements – security just doesn’t work that way. The key word as stated in every report is either reasonable or limited assurance.

However when done carefully and by a reputable external auditor an ISAE report will provide a widely recognized and standardized way of showing organization’s customers and business partners that it is committed in the subject matter.

ISAE assurance is also well aligned with ISO27001 certification. KPMG is in a unique position being an audit firm but also an accredited ISO27001 certification body. We are able to help you obtain both accomplishments simultaneously meaning less work and decreased costs. Click here to read more.