Saturday, October 13, 2012

Misconceptions around SSAE 16 / ISAE3402 / CSAE 3416

After my previous post, I received a mail from one of my friends about SSAE 16 / ISAE 3402. I replied to the friend and then thought, why not share the explanation with the wider audience for the common good. Maybe, if I have made a mistake somewhere, I would also get to learn something -


Hi MT,
 
You are doing a good job...:-)
 
"The discussion was more centered around the need for Assurance Standards like SSAE 16 and ISAE 3402, and the interesting twist that was brought in was: "If my organization is ISO 27001 certified, do I still need to undergo SSAE 16 or ISAE 3402 audits?"

It took me a good amount of time initially to make the person understand that the ISO 27001 standard and its controls framework revolve around Information Security and not just IT Security."
 
Well, I have the same confusion... rather, argument. Though ISO 27001 is focused on Information Security, it doesn't stop you from adding additional controls, if required. As it is a standard, everything is in black and white... nothing more, nothing less... just follow/comply with whatever is mentioned. If you need to add additional controls that you consider very important, then add the controls and comply.
 
Whereas SSAE 16 leads to confusion, as it allows you to define your own controls based on GCC (general computer controls). If I select 10 controls which I feel are important, for example, it is not necessary that you will agree with that, as you may have a different opinion and probably select a few different controls that you feel are important. In other words, if two people are asked to define the controls for the same environment, the lists of controls will definitely not match.
 
Whether it is ISO 27001 or SSAE 16, the auditor will test the stated/defined controls and provide an opinion... of course in a different way, i.e. either a qualification or a non-conformity, but the end result is the same.
 
So, the question is still the same: "If my organization is ISO 27001 certified, why do I still need to undergo SSAE 16 or ISAE 3402 audits?"
 
Can you help me understand please?
----------------------------------------------------------
My Reply - 

The point is the way the audit is approached. ISO 27001 is a fairly generic control set that revolves around a set of industry-standard controls that may or may not be applicable to a given industry scenario. ISO 27001 covers an organization-wide control environment, where you may select or omit controls from within the 133 controls defined in the standard. You may add a new control, but it needs to be covered under one of the 11 predefined control clauses (domains). Once done, you define the SOA (Statement of Applicability) to identify the controls as applicable/omitted for your organizational environment. In such a case the audit is focused on the SOA and the reasoning for omitting a given control.

However, when you look at the specific set of operations for a given client, the environment may differ from the overall organizational control set. Certain controls from the current set of ISO 27001 controls may be applicable, and certain controls that have been omitted from the organizational perspective may be applicable in that scenario. This is what requires organizations to go for SSAE 16 / ISAE 3402 (CSAE 3416 in the Canadian context) by defining a specific set of controls.

Let me give you an interesting perspective on the difference in scope between ISO 27001 and SSAE 16 / ISAE 3402 / CSAE 3416 -
  1. ISO 27001 specifically focuses on controls around Information Security; it does not cover other scope areas like Contract Management, Delivery Organization & SLAs. These controls may be defined in SSAE 16 / ISAE 3402 / CSAE 3416; ISO 27001 has no provision for these sets.
  2. ISO 27001 certification revolves around the set of 11 control clauses, whereas in the case of SSAE 16 / ISAE 3402 / CSAE 3416 the control clauses can be customized to suit the environment, operations and services to be covered.
  3. An interesting point is around the set of controls and operations that are covered in the two cases. As I mentioned above, ISO 27001 focuses on Information Security and the controls and operations around it. However, SSAE 16 / ISAE 3402 / CSAE 3416 can cover other sets of operations and controls, like Accounting Principles, Financial Controls etc.
  4. SSAE 16 / ISAE 3402 / CSAE 3416 SOC 1 controls and audit reports revolve around the Service Organization controls that impact the client's Internal Controls over Financial Reporting (ICFRs). ISO 27001 does not focus on ICFRs.
  5. SOC 2 reporting focuses more on the 5 Trust Principles and on how each control is implemented, monitored, executed etc. SOC 3 controls also focus on the same 5 Trust Principles, but the objective of the reports is different.
  6. SOC 1 & SOC 2 audit reports are restricted-use reports, and the intended audience is a limited set of people within the Service Provider and Client organizations. SOC 3 reports are not so confidential and can be shared publicly as desired.
I hope this clarifies the difference between the two standards and their reporting requirements.

Saturday, October 6, 2012

Misconceptions around SSAE 16 / ISAE3402

Pretty recently I was involved in a discussion around the need for certification versus the need for assurance. It was a pretty interesting discussion that led me to evaluate the conceptions and misconceptions that prevail in the industry. I thought, why not share it with the rest of the folks who would like to participate in the discussion here (though the discussion is over in real life).

The discussion was more centered around the need for Assurance Standards like SSAE 16 and ISAE 3402, and the interesting twist that was brought in was: "If my organization is ISO 27001 certified, do I still need to undergo SSAE 16 or ISAE 3402 audits?"

It took me a good amount of time initially to make the person understand that the ISO 27001 standard and its controls framework revolve around Information Security and not just IT Security. The certification process and the audit methodology involved take a different perspective from the one that SSAE 16 or ISAE 3402 audits take.

Another argument that was thrown in during the discussion was that SSAE 16 and ISAE 3402 are aligned to the financial industry and that other industries do not benefit much from adopting these standards. I had a tough time addressing this point, as the people were not ready to understand it; the misconception had a deep-rooted belief behind it. To explain it to them I had to break down the entire audit and reporting perspective of SSAE 16 and ISAE 3402 by the audit reports and the manner in which the audit is approached. The discussion went from points to tangents with the counter-arguments, and there I had to actually dissect the SSAE 16 and ISAE 3402 reporting requirements as based on the impact on ICFRs and on the Trust Principles. The explanation around corporate governance, the impact on ICFRs and the relationship between the SSAE 16 SOC 1 Type II and ISAE 3402 Type II reports helped the audience clear up the misconceptions they were carrying.

Another aspect that came to my notice is the misconception around the reporting requirements in ISAE 3402. I was a bit startled that one person in a senior audit position came up with SOC 2 reporting requirements for ISAE 3402. I clarified to them that there is no SOC 1, SOC 2 or SOC 3 reporting requirement in ISAE 3402; however, ISAE 3000 provides a provision to customize ISAE 3402 reports to suit the reporting requirements, so that an ISAE 3402 report may be based on SOC 1, SOC 2 or SOC 3 as may be deemed reasonable.

The next point was to distinguish between a certification and an audit report that provides "reasonable assurance". Most of the participants in the discussion carried a misconception about SSAE 16 and ISAE 3402 regarding "certification". They thought that the auditors issue or release a certificate of compliance. However, they took good note when it was explained that SSAE 16 as well as ISAE 3402 audits do not result in any certification; rather, they result in the issuance of an audit report that "may be" called a report on compliance status, in which the auditors provide a "qualified" or "unqualified" opinion on the Service Organization's controls as defined and implemented for the given "client" operations.

This, however, is not the first time that I have been in such a situation, where I had to explain the requirement to undergo an audit that is more of an attestation audit than a certification audit. But I hope that as these two standards come more into practice, the situation will not look so grim to me.