ISAE 3000 | SOC2
Organizations that provide services that have no effect on their customers' financial statements can have these activities "certified" according to ISAE 3000. The general IT controls (GITCs) are described by the organization and covered by an assurance statement from an external auditor. Such an audit is then carried out in accordance with ISAE 3000. The standard framework for this audit can in such a case be the Trust Service Principles or a more generic framework, such as COBiT. If your customers are also located in the United States, it is recommended to have a SOC2 report drawn up in accordance with the Trust Service Principles.
SOC2 is part of the AICPA Service Organization Control Reporting platform. The AICPA distinguishes between three types of reports: SOC1 (an ISAE 3402 report) and SOC2, a report in accordance with AT 101 (Trust Service Principles). The five mandatory parts of the Trust Service Principles are:
- Security. Systems are protected, both logically and physically, against unauthorized access.
- Availability. The system is available for use as agreed.
- Processing integrity. System processing is complete, correct and authorized.
- Confidentiality. Information identified as "confidential" is secured as agreed.
- Privacy. Personal information is collected, used, stored and made available in accordance with the agreements in the privacy agreement and with the privacy principles.
ISAE 3000 requires that understandable security procedures and policies are described and followed. Policy forms the basis for a strong internal control environment. Conclude can support your organization in the development of this policy through its group company SASconsult.