Author: Amanda M. Witt
Many attorneys representing a client who procures technology from a service provider know to request a security audit, but there is still confusion even among sophisticated technology attorneys about which security audit to request and how to interpret the report once it is received. This article will describe the types of security audits and third party security certifications that are most frequently requested by customers or offered by vendors. The following types of audit reports and certifications will be examined below:
- SSAE 16 / SOC 1 (formerly SAS 70), Type 1 and 2
- SOC 2, Type 1 and 2
- ISO 27001
- ISO/IEC 27018
While the first Statement on Auditing Procedure was issued in 1949, the popularity of asking a technology vendor for its SAS 70 report can likely be tied to the Sarbanes-Oxley Act of 2002 (“SOX”). Because of the accounting fraud of Enron and the assistance provided by its auditing firm in concealing such fraud, SOX requires the management of publicly traded companies to annually certify that the company’s internal controls in financial reporting were effective. As part of this annual certification, organizations also examine the controls of their service providers that provide hosting services, transaction processing or other material services in order to evaluate the design and test the operating effectiveness of such third parties’ controls. Initially, management of an organization could either conduct these investigations itself or have an auditing firm conduct a SAS 70, Type 2 auditors report. Over time, the SAS 70 became a tool for organizations to verify the adequacy of a service provider’s “security” even though the purpose of the SAS 70 report was not designed to serve this purpose. What many fail to understand as well was that each service provider establishes its own controls, so every SAS 70 is highly customized for each service provider.
When the American Institute of CPAs (“AICPA”) became aware of the unintended uses of the SAS 70, it updated the SAS 70 when it created the SSAE 16/ SOC 1 and it also created the SOC 2 report. A SOC 2 report is more narrowly tailored to the services provided by technology vendors. Essentially, the SSAE 16/ SOC 1 should be used when the services provided by a vendor could impact an organization’s financial reporting (e.g., the service provider’s services include financial-related transactions / processing services) and a SOC 2 should be used when attempting to verify a vendor’s controls relevant to security, availability, processing integrity, confidentiality and/or privacy.
The most commonly requested (and offered) report is the AICPA’s Statement on Standards for Attestation Engagements (SSAE) 16 – Reporting on Controls at a Service Organization, which is more commonly referred to as a SOC 1. SSAE 16, which was issued in 2010 and effective on June 15, 2011, replaced the SAS 70 report. A SSAE / SOC 1 report (and a SOC 2 report) can either be a Type 1 or Type 2 report. A Type 1 report means that the auditor is only providing an opinion as to the design and implementation of the controls on a certain date. A Type 2 report, in contrast, means that the auditor is providing an opinion on the design, implementation, and operating effectiveness of the controls (i.e., by testing the controls) over an entire audit period. Obviously, a customer would be better served by requesting a Type 2 report, but vendors (especially large cloud providers) frequently offer only a Type 1 report. Furthermore, note that a SOC 1 report may deal only with the service provider’s controls that are relevant to the customer’s financial reporting, so it is likely much narrower in scope than what the customer wants.
If trying to verify the security practices of a cloud or hosting services vendor, for example, an organization is better served by requesting a SOC 2, Type 2 report. The SOC 2 report was intended for services or applications that did not relate to financial reporting and examines the service provider’s controls relevant to security, availability, processing integrity, confidentiality and/or privacy. Depending on what services are being provided by a vendor, it is important to identify which controls should be examined (e.g., for a data hosting or cloud provider, security, availability, processing integrity and confidentiality may be the most important). If a customer does not designate which controls are to be tested, the vendor will make the determination. A customer may receive some pushback from the vendor on providing a SOC 2 report because it is more costly than a SOC 1, but it is a more relevant report for a technology-related service provider.
Understanding how to interpret a SOC 1 or SOC 2 report could be an article (or two) in itself, but practitioners should consider asking an auditor who performs these types of audits to demystify them and highlight the nuances that could be overlooked by someone who does not review these reports regularly. In fact, it would likely be a welcome request to such an auditor who typically puts a significant time into preparing these reports, but knows that most attorneys and organizations put these reports in a drawer once received and merely track the requirement that such report has been delivered.
Instead of or in addition to performing a SOC 1 and SOC 2 audit annually, some service providers may prefer to obtain the certification of an independent third party that such service provider’s security adequately protects its customers’ digital assets. The most common of these types of certifications is the ISO 27000 family of standards, which are designed to assist organizations in securing information assets. The ISO standards are developed by the International Organization for Standardization (“ISO”), but ISO does not perform such certifications or issue certificates. A service provider would instead engage a consulting firm or auditor to perform the certification process and the process could take from five months to 24 months. In the technology or outsourcing industry, a service provider that has an ISO certification is more likely to be ISO 27001-certified, which designates an Information Security Management System (“ISMS”) and provides control objectives and guidance. Serving as a broad framework, the ISMS allows the service provider to identify, analyze and address its information security risks. Recognizing the ever-evolving nature of security risks, the ISMS is dynamic and is based on the “Plan-Do-Check-Act” principle, which means that it is designed to be updated regularly in order to address evolving security threats, vulnerabilities and business consequences. The ISO 27000 family includes two standards: the ISO 27001 standard, entitled “Information technology – Security techniques – Information security management systems – Requirements”, and the ISO 27002 standard, which is entitled “Information technology – Security techniques – Code of practice for information security controls”. The ISO 27001 standard “lists requirements for the establishment and operation of an ISMS and covers high level operational and staffing issues.” The ISO 27002 standard “gives guidance on practices on selection, implementation and management of controls in ISMS [and] … is designed to be used as a reference for selecting controls within the process of operating an ISMS based on the ISO/IEC 27001.”
Tied with the rise in popularity of cloud-based services and the looming change in European privacy laws that will make such laws more likely to apply to American companies, ISO and the International Electrotechnical Commission (“IEC”) jointly issued the ISO/IEC 27018 standard in July 2014. The full title of the new standard is “Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” and it is designed to provide guidance that is specific to cloud service providers who process personally identifiable information (“PII”). The new standard builds on the ISO 27001 and 27002 standards, which primarily apply to confidentiality, integrity and availability controls, and “focuses on information privacy risks from the perspective of [a] PII processor.” The goal of the new standard is to “address the specific risks of public cloud computing and help build confidence in public cloud computing providers while also providing guidance on what cloud providers need to implement in terms of contractual and regulatory obligations.”
The new ISO/IEC 27018 standard closely tracks current European privacy laws and having such a certification could help provide comfort to suspicious Europeans following the Snowden disclosures, which made most US-owned cloud service providers suspect. In fact, Microsoft’s Azure cloud platform has been certified to be compliant with ISO/IEC 27018 in order to give Microsoft a competitive advantage over its primary competitor, Google.
The most important alternative set of standards to ISO is the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework issued in 2014 in response to the President’s Executive Order 13636, pertaining to the critical infrastructure, in 2013, Although the NIST Cybersecurity Framework must be followed by organizations providing services that impact critical infrastructure, the framework is scalable so as to be suitable for organizations securing lower-risk data and systems.
As concerns about the security practices of service providers continue to grow with the occurrence of each high profile security breach, the reliance on security audits and security certifications will continue to steadily increase. There is significant “security questionnaire fatigue” in the technology industry currently as customers bombard their service providers with extensive, time-consuming security questionnaires. The likely solution to the inefficiencies of current practices is some sort of standardization for measuring a service provider’s security controls. While ISO/IEC 27018 and the Cloud Security Alliance’s STAR may have the potential to fill this need for cloud-based services, a broader standard for all technology-related service providers is not yet available.
 Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, 17 CFR Parts 210, 228, 229, 240, 249, 270 and 274 (August 14, 2003).
 See “ISO/IEC 27001 – Information security management”, available at: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm (last accessed on August 16, 2015).
 See “How Long Does it Take to Get ISO 27001 Certified?”, available at http://www.pivotpointsecurity.com/risky-business/get-iso-27001-certified (last accessed on August 16, 2015).
 See “ISO/IEC 27001:2013: Information technology – Security techniques – Information security management systems — Requirements”, available at http://www.iso27001security.com/html/27001.html (last accessed on August 16, 2015).
 “The New Cloud Computing ISO/IEC 27018 Standard Through the Lens of the EU Legislation on Data Protection,” Paul de Hert, Vagelis Papakonstantinou and Irene Kamara, Brussels Privacy Hub, Vol. 1 No. 2 at 13 (November 2014).
 Id. at 14.