Misconceptions around SSAE 16 / ISAE3402 / CSAE 3416

Post my previous post, I received a mail from one of my Friend around SSAE 16 / ISAE 3402 and I provided the reply to the friend and then thought, why not share the explanation with the wider Audiences for the good.  May be if somewhere I made a mistake, I would also get to learn -

Hi MT,

 

You are doing a good job...:-)

 

"The discussion was more centered around the need of Assurance Standards like SSAE 16 and ISAE 3402 and the interesting twist that was brought in was "If my organization is ISO 27001 Certified, do I still need to undergo SSAE 16 or ISAE 3402 Audits?"

It took me good enough time initially to make the person understand that the ISO 27001 standard and the controls framework revolves around the Information Security and not just IT Security."

 

Well, I've the same confusion... rather argument. Though ISO27001 is focused on Information Security, it doesn't stop you from adding additional controls, if required. As it is a standard, everything is in black and white..nothing more nothing less...just follow/comply to whatever is mentioned. If you need to add additional controls that you considered as very important, then add the controls and comply.

 

Wherein SSAE16 leads to confusion as they allow you to define your own controls based on GCC (general computer controls). If I select 10 controls, which I feel as important, for example, it is not necessary that you will agree to that, as you may have a different opinion and probably select few different controls that you feel as important. In other words, if 2 people are asked to define the controls for the same environment, the list of controls will definitely not match.

 

Whether it is ISO27001 or SSAE 16, the auditor will test the stated/defined controls and provide an opinion...of course in a different way i.e. either qualification or non-conformity, but the end result is the same.

 

So, the question is still the same, "If my organization is ISO 27001 Certified, why do I still need to undergo SSAE 16 or ISAE 3402 Audits?"

 

Can you help me understand please?

----------------------------------------------------------

My Reply - 

The point is the way the Audit is approached.  ISO 27001 is quite Generic Control Set that revolves around the set of Industry Standard Controls that may or may not be applicable to the set of given Industry Scenario.  The ISO 27001 is Organization wide control environment where you may select or omit the control from within the 133 controls that are defined in the Standard.  You may add a new control, but that needs to be covered under one of the predefined 11 control clauses (domains).  once done, you define the SOA to identify the controls as applicable/omitted from your Organizational environment.  Under such case the Audit is focused around the SOA and the reasoning for omitting a given control.

However, when you look at the specific set of operations for the given Client, the environment may differ from the overall organizational control set.  Certain controls may be applicable from the current set of ISO 27001 controls and certain controls that have been omitted from the Organizational perspective may be applicable in that scenario.  This certainly requires the organizations to go for SSAE 16 / ISAE 3402 (CSAE 3416 in Canadian Context) by defining specific set of controls.  

Let me give you an interesting perspective on the difference of Scope of ISO 27001 and SSAE 16 / ISAE 3402 / CSAE 3416 - 

1. ISO 27001 specifically focuses on the Controls around Information Security, it does not cover the other scope like Contract Management, Delivery Organization & SLAs, these controls may be defined in the SSAE 16 / ISAE 3402 / CSAE 3416.  ISO 27001 doesn't have the provision on these sets
2. ISO 27001 Certification revolves around the Set of 11 Control Clauses, where as in case of the SSAE 16 / ISAE 3402 /CSAE 3416, you would find that the Control Clauses can be customized to suit the environment, operations and services to be covered.
3. Interesting point is around the set of Controls and Operations that are covered in both the cases.  As I mentioned above ISO 27001 focuses on Information Security and the Controls and Operations around that. However if we look at the SSAE 16 / ISAE 3402 / CSAE 3416 they can cover other set of operations and controls like Accounting Principles, Financial Controls etc.
4. SSAE 16 / ISAE 3402 / CSAE 3416 SOC 1 controls and Audit Reports revolve around the Service Organization Controls that impact the Internal Controls on Financial Reporting (ICFRs) of the client. ISO 27001 does not focus on ICFRs.
5. SOC 2 Reporting focuses more around 5 Trust Principles and how each control is implemented, monitored, executed etc.  Even SOC 3 Controls focus on the same 5 trust principles, but the objective of reports is different
6. SOC 1 & SOC 2 Audit Reports are restrictive reports and the Intended Audience are limited set of people within the Service Provider and Client Organization. SOC 3 reports are not so confidential and can be shared publicly as desired.

I hope this clarifies you with the difference between the two Standards and Reporting Requirements