The Importance of SOC1 for Datacenters
Any datacenter that hosts systems relevant to financial reporting, whether its own or its clients', is responsible for adequate control over those systems, which includes physical and environmental security. ISAE 3402 is internationally one of the most widely known standards for providing this assurance to datacenters and their clients. Since clients generally demand an ISAE 3402 examination, there is simply no avoiding it.
SOC 1 / ISAE 3402 as applied to datacenters. There is no way around it: if a datacenter provides services that host systems relevant to its clients' financial reporting, security responsibilities are tied to those systems, and the ISAE 3402 standard applies to the datacenter's services. The standard contains no special exclusion for the datacenter industry, or for any other industry. So if any service provided by a datacenter is relevant to a client's financial reporting, it is best to apply ISAE 3402 to assure proper handling of (sensitive) data. Examples of service organizations that perform functions relevant to clients' internal control over financial reporting are Internet service providers (ISPs), web hosting providers, and application service providers (ASPs).
ISAE 3402 and General IT Controls
As mentioned before, ISAE 3402 excludes no industry. The standard therefore also applies to general IT controls. The ISAE 3402 guidance notes that IT services covered by "general computer control objectives" are more than likely to interact with areas that hold sensitive information. Those objectives typically cover information security, change management, and computer operations, which strengthens the case for the applicability of ISAE 3402. In practice, a datacenter's own ISAE 3402 examination has the datacenter's services as the provider of the IT general controls themselves, whereas in most other ISAE 3402 examinations the IT general controls are merely supporting controls.
There are two methods for scoping these examinations at the service organization: the inclusive method and the carve-out method. When a datacenter is responsible for the general computer control objectives, it is up to the service organization to decide whether to include the datacenter's services within the scope of its examination or to carve them out. Either way, the chosen method establishes how the datacenter's hosting of the relevant systems is treated in the examination.
A further argument in favor of implementing ISAE 3402 for datacenters: if a service organization carves a datacenter's services out of its own ISAE 3402 examination, why should the datacenter not be the subject of its own ISAE 3402 examination? Datacenters hold sensitive data of their own. If ISAE 3402 can be applied to a datacenter as a third party (subservice organization) of a client, it should also apply to the datacenter's own data.
SOC 2 as an alternative to ISAE 3402 (SOC 1) for datacenters?
No, it is not an alternative, because ISAE 3402 (SOC 1) and SOC 2 each have their own specific purpose. ISAE 3402 (SOC 1) is an internal control audit of the controls relevant to an organization's financial reporting process, whereas SOC 2 (ISAE 3000) is a control audit of (non-financial) processes against one or more of the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
Clients generally demand ongoing ISAE 3402 examinations from their datacenter providers, and over the years more and more datacenters have made the annual examination a standard part of their business. ISAE 3402 is an important and valuable assurance standard for datacenter providers themselves and for their clients. Where security comes first, adopting the ISAE 3402 standard is the clearest commitment a datacenter can make to providing that assurance.