Regulatory Compliance Audits


What do compliance audits mean for your Business Continuity Programme?

Third-party payroll providers are an important part of your extended enterprise and bring real benefits: cost efficiencies, subject-matter expertise, access to new geographies, resources and customers and, ultimately, revenue growth. The risks of third-party operations, however, fall disproportionately on the primary 'parent' company in the relationship chain. Under several cross-jurisdictional laws, and in the eyes of the public, that 'parent' entity is expected to carry accountability not only for its own actions and conduct but also for those of its business partners.

  • AICPA SOC 2
  • Bribery Act of 2010
  • CAIQ
  • CGEIT
  • CMMC
  • CRISC
  • CTSCA
  • EBA
  • GDPR
  • HSAW
  • ISO 22301
  • ISO 27001
  • ISO 27002
  • ISO 27018
  • ISO 27031
  • ISO 9001
  • Modern Slavery Act of 2015
  • NERC CIP
  • NIST SP 800-53r4
  • NIST SP 800-161
  • NIST CSF v1.1
  • 23 NYCRR 500
  • NY SHIELD Act
  • OCC Bulletin
  • P3 Audit TPPPDS Validation
  • PIPL
  • PCI DSS
  • SSAE 16

AICPA SOC 2

System and Organization Controls (SOC) 2, formerly Service Organization Control 2, is an AICPA attestation standard designed to provide assurance that an organisation's systems are designed and operated to address the security, availability, processing integrity, confidentiality and privacy of customer data.

These five subject areas are the Trust Services Criteria (formerly known as the Trust Services Principles). A SOC 2 report comes in two forms, and the form is not the same thing as the standard: a Type 1 report describes the design of controls at a point in time, while a Type 2 report also covers their operating effectiveness over a review period, typically six to twelve months. Security is the only mandatory category; the other four are included according to the service the organisation provides. To be ready for a SOC 2 examination, an organisation needs a clear documentation framework built around security policies, procedures and the supporting evidence that shows those procedures were followed.

The criteria are further divided into the common criteria, which apply to all five categories, and additional specific criteria for availability, processing integrity, confidentiality and privacy. The Trust Services Criteria set out clear objectives for each category and give an organisation clear expectations against which to validate or verify its security controls.

Bribery Act of 2010

The Bribery Act 2010 is a United Kingdom (UK) law that defines the offences of bribery so that companies can compete on a level playing field. Section 7 introduced a new corporate offence: failure of a commercial organisation to prevent bribery by a person associated with it, such as an employee, agent or subsidiary. The only defence is to show that the organisation had adequate procedures in place to prevent bribery.

The UK Ministry of Justice publishes guidance on what adequate procedures look like, including proportionate due diligence on the persons who perform services for the organisation. Companies that use third parties should be aware of these provisions and assess their vendors, supply-chain partners and other third parties accordingly.

CAIQ

The Consensus Assessments Initiative Questionnaire (CAIQ) is a questionnaire published by the Cloud Security Alliance (CSA) for cloud customers and auditors to assess the security capabilities of a cloud service provider. It was developed to give the industry a commonly accepted way to document the security controls of infrastructure-as-a-service, platform-as-a-service and software-as-a-service offerings.

The CAIQ contains a series of yes/no control-assertion questions that can be tailored to an individual cloud customer's needs. It is intended to be used together with the CSA Security Guidance and the CSA Cloud Controls Matrix (CCM), to whose control IDs each question maps, and it forms part of the CSA governance, risk management and compliance stack.

The questionnaire supports organisations assessing a cloud provider by giving them specific questions to ask about the provider's operations and processes.

Cloud providers can use the CAIQ to describe their security capabilities and posture to customers, publicly or privately, in a standardised way using the terms and descriptions the CSA considers best practice.

Completing the CAIQ usually takes a few hours, and it is only a first-level screen: the answers are self-asserted, so a more intensive review of the provider is advised for anything that matters.

Benefits of the CAIQ

The CAIQ was designed to address one of the leading concerns companies have when moving to the cloud: the lack of transparency into which technologies and practices cloud providers use for data protection and risk management, and how they implement them. Organisations should use the CAIQ as a first-level filter. Once a provider passes that screen, the business should audit it for more specific evidence on the controls that matter most to them.

Next steps after the CAIQ

The CSA STAR program has three levels of assurance, each built on the CAIQ, the CSA Cloud Controls Matrix (CCM) and the CSA Code of Conduct for GDPR Compliance:

  • Level 1, self-assessment (a published CAIQ and/or GDPR self-assessment);
  • Level 2, third-party certification or attestation (STAR Certification, an ISO/IEC 27001 audit extended with the CCM, or STAR Attestation, a SOC 2 examination extended with the CCM); and
  • Level 3, continuous auditing.


CGEIT

Certified in the Governance of Enterprise IT (CGEIT) is a vendor-neutral certification for experienced technology professionals. The credential is designed for those who direct, manage or otherwise support the governance of IT in large organisations and across their extended third-party service provider capability. ISACA (Information Systems Audit and Control Association) developed and runs CGEIT, and the program is accredited by the American National Standards Institute (ANSI).

IT governance continues to grow in importance because organisations rely ever more on IT to deliver services and must comply with complex laws and regulations on financial accountability, data security and protection, and privacy. Hence the demand for governance credentials such as CGEIT, and for related ones such as ITIL Expert, ISACA's Certified in Risk and Information Systems Control (CRISC) and the Project Management Institute's PMI Risk Management Professional (PMI-RMP).

CGEIT Qualifications: Education and Experience

To receive the certification, candidates must pass a four-hour exam, which includes 150 questions and covers five areas: Framework for the Governance of Enterprise IT, Strategic Management, Benefits Realization, Risk Optimization and Resource Optimization. CGEIT-certified professionals also must have at least five years of cumulative work experience in IT enterprise governance, including at least one year defining, implementing and managing a governance framework. (Individuals may take the CGEIT exam before meeting the experience requirements, which must be met before the CGEIT designation is awarded.)

Additionally, CGEIT holders are expected to comply with the ISACA Code of Professional Ethics as well as the CGEIT Continuing Education Policy, attaining an annual minimum of 20 continuing professional education (CPE) hours in related coursework to reach a minimum of 120 CPE hours for a three-year reporting period.

Depending on the third-party payroll provider's clients, CGEIT certification can form part of their global business continuity and third-party risk management (TPRM) audit criteria.


CMMC

On 31 January 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the United States Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC). Developed as a single cybersecurity standard for future DoD acquisitions, CMMC 1.0 required each of the more than 300,000 companies in the defense industrial base to become certified, starting with contracts awarded from late 2020, with a five-year phase-in and recertification every three years.

CMMC requires companies to obtain third-party certification against cybersecurity and information-handling practices, with the certification level eventually determining whether a company can be awarded a given DoD contract. Intended to help small businesses demonstrate cybersecurity protections more easily and cost-effectively, CMMC aims to ensure that the entire defense supply chain is secure and resilient.

Under CMMC 1.0 every DoD contractor must be certified at one of five levels, from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive), built on the 15 basic safeguarding requirements of Federal Acquisition Regulation (FAR) clause 52.204-21 and the 110 security requirements for controlled unclassified information (CUI) in NIST Special Publication (SP) 800-171, which Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 already imposes on contractors that handle CUI.

Although accredited CMMC Third-Party Assessment Organizations (C3PAOs) must assess contractors to demonstrate compliance with their target level, any company doing or seeking business with the US federal government can assess itself against the same requirements first. Note that CMMC 2.0, announced in November 2021, reduced the model to three levels and reintroduced self-assessment for Level 1; check the current DoD programme documentation before planning an assessment.

CRISC

Certified in Risk and Information Systems Control (CRISC) is a certification that recognises knowledge and experience in IT risk management. CRISC is one of several certifications offered by ISACA (Information Systems Audit and Control Association), and the program is accredited by the American National Standards Institute (ANSI).

CRISC gives IT security professionals a visible marker of experience and knowledge in risk management for the enterprise and financial sectors.

CRISC Areas of Risk Management

CRISC breaks down areas of risk management specialization into 4 domains:

  • Identifying risks
  • Assessing risks
  • Responding to and mitigating risks
  • Controlling, monitoring and reporting about risks

Within these domains, CRISC measures an individual's ability to identify and manage risk across an enterprise and to design, implement and monitor information systems controls.

Prerequisites for CRISC are three years of cumulative work experience in IT risk management and information systems control, with at least one year in domain 1 or 2. Candidates must agree to uphold the ISACA Code of Professional Ethics and comply with the continuing professional education policy. The certification has one requisite exam of 150 questions.

Individual experience and relevant certifications often form part of a third-party risk management (TPRM) and Business Continuity Program audit.


CTSCA

The California Transparency in Supply Chains Act (SB 657) was signed in 2010 and has been in effect since 1 January 2012. It requires companies to disclose their efforts to ensure that the goods they sell are not produced by forced labour or human trafficking. The law applies to retail sellers and manufacturers that do business in California and have more than US$100 million in annual worldwide gross receipts.

A company's public disclosure must be conspicuous (with a link on its website home page) and describe to what extent it:

  • verifies its product supply chains to evaluate and address the risks of human trafficking and slavery;
  • audits suppliers;
  • requires direct suppliers to certify that the materials in its products comply with the laws on slavery and human trafficking;
  • maintains internal accountability standards and procedures; and
  • trains employees and management.

EBA

The EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) set out the internal governance arrangements that credit institutions, investment firms, payment institutions and electronic money institutions should implement when outsourcing functions, and they expressly cover the use of cloud services.

The Guidelines require robust management and tracking of service-provider risk. They specify that an outsourcing policy should be in place, supported by pre-outsourcing risk assessment, due diligence and ongoing monitoring of third-party arrangements, and that the institution maintain a register of all its outsourcing arrangements. The key terms, including audit and access rights, conditions on sub-outsourcing and exit strategies, must be codified in a written contract between the institution and the service provider, with documentation and reporting that supports both remediation and audit.

These requirements describe a full set of controls across the outsourcing organisation and go well beyond a simple automated scan of external-facing infrastructure.


GDPR

Organisations that collect, store, process or transfer the personal data of individuals in the EU must comply with the General Data Protection Regulation (GDPR). The obligations extend not only to organisations established in the EU but also to companies outside it (payroll service providers and their downstream partners included) that offer goods or services to, or monitor the behaviour of, individuals in the EU.

To comply, an organisation must protect the personal data in its care, including data shared with third parties. Because many breaches occur through third-party relationships, GDPR places direct obligations on third parties that process data on a controller's behalf (data processors): Article 28 requires a written contract governing the processing, and processors must themselves keep records of processing, implement appropriate security measures and notify the controller of personal data breaches without undue delay. The controller remains accountable for choosing processors that provide sufficient guarantees.

Under GDPR, supervisory authorities have greater power to act against organisations that break the law, with administrative fines of up to 4% of annual worldwide turnover or EUR 20 million, whichever is greater. It is therefore imperative to conduct due diligence on your organisation's vendors, suppliers and other third parties to ensure they adhere to GDPR requirements.


HSAW

This section gives an overview of health and safety at work obligations, as set out in the UK by the Health and Safety at Work etc. Act 1974.

Working from home is no different from working in the office: the employer remains responsible for its employees' health and safety, and investment in regular compliance audits supports wider and longer-term business continuity plans.

We and our partners know what the law demands of your business. We have practical experience and understand how to balance compliance with commercial need, which is why both small businesses and leading brands trust us to support their health and safety compliance. A business with a good reputation for safety is one that staff want to work for and other organisations want to do business with.

Risk assessments relevant to the law. P3 works with leading experts in each region to spot the health and safety hazards that put you on the wrong side of the law, and then to help you remove them.

Practical fixes.

We give practical advice on how to remove risk and deliver duty-of-care. So you can be sure you’re not breaking the law, without breaking the bank.

A watertight written report. 

You get a written risk assessment from a health & safety expert that stands up to scrutiny if you ever face a claim in court. 

Improved employee wellbeing. 

Safe workers make better workers. Your risk assessment reduces the chance of work-related sickness and increases productivity.

A plan for growth. 

We give you an action plan to improve your health & safety and get the best for your business as it grows.


ISO 22301

Flood, cyber attack, supply chain failure or the loss of a key employee: disruptions to your business can happen at any moment.

Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible. Whether it’s a business, public sector organization, or charity, you need to know how you can keep going under any circumstances.

A good BC plan recognises potential threats to an organization and analyses what impact they may have on day-to-day operations. It also provides a way to mitigate these threats, putting in place a framework which allows key functions of the business to continue even if the worst happens.

ISO 22301 (Security and resilience – Business continuity management systems – Requirements) is a management system standard published by the International Organization for Standardization. It specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to and recover from disruptive incidents when they arise. It is intended to apply to all organisations, or parts of them, regardless of type, size and nature; the extent to which the requirements apply depends on the organisation's operating environment and complexity. The current edition is ISO 22301:2019, which replaced the 2012 edition.


ISO 27001

ISO/IEC 27001 is the best-known standard in the ISO/IEC 27000 family, which contains more than a dozen standards. It specifies the requirements for an information security management system (ISMS); the others in the family provide supporting guidance. Together they enable organisations of any kind to manage the security of assets such as financial information, intellectual property, employee details and information entrusted to them by third parties.

ISO/IEC 27001 is the certifiable standard and the one against which an organisation's cyber and information security practices are formally audited. It sets the requirements for establishing, implementing, maintaining and continually improving an ISMS, and its Annex A lists the reference controls from which the organisation selects, justifying any exclusions in its Statement of Applicability.

ISO/IEC 27002 and ISO/IEC 27018 (described in their own sections below) are guidance, not requirements: an organisation is certified against 27001, not against 27002 or 27018.

With respect to managing information security in supplier relationships, Annex A.15 of ISO/IEC 27001:2013 and clause 15 of ISO/IEC 27002:2013 (Supplier relationships) set out the controls for securely dealing with the various types of third party, including information security in supplier agreements, managing the ICT supply chain, and monitoring and reviewing supplier services.


ISO 27002

ISO/IEC 27002 is a supplementary standard (a code of practice) that provides guidance on how to implement the security controls listed in Annex A of ISO/IEC 27001. It helps organisations decide what they need to put in place to meet those requirements; it is not itself a certification standard.

ISO 27018

ISO/IEC 27018 is a code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors. Used together with the information security objectives and controls in ISO/IEC 27002, it creates "a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor."

It is relevant to any payroll provider that processes employee data in a public cloud. Its controls are normally audited within the scope of an ISO/IEC 27001 certification rather than as a stand-alone certificate, so ask to see the certificate's scope statement when a provider claims 27018 compliance.

ISO 27031

ISO/IEC 27031:2011 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design and implementation) of improving an organisation's ICT readiness to ensure business continuity.

It applies to any organization (private, governmental, and non-governmental, irrespective of size) developing its ICT readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect continuity (including security) of critical business functions. 

It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner.

The scope of ISO/IEC 27031:2011 encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.


ISO 9001

ISO 9001:2015 is an international standard that establishes the criteria for a quality management system. It is the only standard in the ISO 9000 family that results in a formal certification.  

The standard is based on several quality management principles, including clear focus on meeting customer requirements, strong corporate governance and leadership commitment to quality objectives, process-driven approach to meeting objectives, and focus on continuous improvement.

ISO 9001:2015 helps organisations improve customer satisfaction by focusing on the consistency and quality of products and services provided to customers.


Modern Slavery Act of 2015

The Modern Slavery Act 2015 is a UK law that requires organisations to communicate publicly the steps they take to ensure that slavery, forced labour, human trafficking and other forms of involuntary servitude are not taking place in their businesses or supply chains. The "Transparency in supply chains" provision (Part 6, section 54) requires commercial organisations that carry on business in the UK and have an annual turnover of £36 million or more to publish a slavery and human trafficking statement each financial year, and it defines what that statement should cover for third-party relationships.

NERC CIP

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards set mandatory cybersecurity requirements for owners and operators of the bulk electric system (BES) to preserve its reliability. The supply chain standard, CIP-013-1 (Cyber Security – Supply Chain Risk Management), became enforceable on 1 July 2020, the first day of the first calendar quarter 18 months after FERC approved it in October 2018; responsible entities had to have a documented supply chain risk management plan in place by that date to avoid penalties. NERC is authorised to penalise registered entities up to $1 million per day per outstanding violation.

Third-party risk management plays a pivotal role in supply chain security through the regular assessment of supply chain partners' internal security controls and the ongoing monitoring of vendor risk. Taken together, this inside-out, outside-in view gives more complete visibility of supply chain risk.

NIST SP 800-53r4, NIST SP 800-161 and NIST CSF v1.1

The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. One of its responsibilities is to establish computer and information-technology standards and guidelines for federal agencies. Because NIST has become a key resource for managing cybersecurity risk, many private-sector organisations also treat alignment with its standards and guidelines as a priority.

The NIST Special Publication (SP) 800 series sets security standards and guidelines for federal agencies; private organisations adopt them voluntarily or because a contract requires it. SP 800-53 Revision 4 is the catalogue of security and privacy controls for federal information systems, and it requires robust management and tracking of third-party and supply-chain risk (notably in the System and Services Acquisition family, SA). SP 800-161 builds on SP 800-53 and gives federal agencies guidance on identifying, assessing and mitigating information and communications technology supply chain risks at every level of the organisation. The NIST Cybersecurity Framework (CSF) v1.1 recognises that specific controls and processes are already covered in existing standards, and so provides streamlined, high-level guidance for improving cybersecurity defences, with supply chain risk management addressed in the Identify function (category ID.SC).

Taken together, these NIST publications specify that:

  • a policy for managing supply chain risk should be in place;
  • security controls should be selected for the risks identified;
  • the requirements should be codified in supplier agreements where appropriate; and
  • suppliers should be managed and audited against those requirements and controls.

In the simplest terms, an organisation needs to establish and implement the processes to identify, assess and manage supply chain risk.

Note that SP 800-53 Revision 5, published in September 2020, supersedes Revision 4 and adds a dedicated Supply Chain Risk Management (SR) control family; assessments still written against Revision 4 should be mapped accordingly.


23 NYCRR 500

On 1 March 2017, the New York State Department of Financial Services (DFS) brought 23 NYCRR Part 500 into effect, establishing cybersecurity requirements for DFS-regulated financial services companies. The regulation is designed to protect the confidentiality, integrity and availability of customer information and the information systems that hold it.

23 NYCRR 500 was enacted in response to the growth in data breaches and cyber threats against financial institutions. A key component of compliance is managing the IT security controls and data privacy practices of the covered entity's vendors.

Two sections of the regulation specifically address third-party providers:

Section 500.04 requires the designation of a Chief Information Security Officer (CISO), who may be employed by the covered entity, an affiliate or a third-party service provider. Where the CISO is supplied by a third party, the covered entity retains responsibility for compliance, must designate senior personnel to oversee the third party and must require it to maintain a cybersecurity program that meets the regulation.

Section 500.11 directly addresses third-party service provider security policy. It requires covered entities to have written policies and procedures, based on a risk assessment, for the security of information systems and non-public information accessible to or held by third-party service providers, including due diligence before engagement, minimum cybersecurity practices in contracts, and periodic assessment of each provider's continued adequacy.

NY SHIELD Act

Signed into law by the Governor of New York on 25 July 2019, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a data protection law that broadens the definition of private information to include a username or e-mail address combined with a password or security question and answer, account or card numbers in circumstances where they could be used without additional security information, and biometric data; requires organisations to implement reasonable administrative, technical and physical safeguards to protect the private information of New York residents; and tightens the breach notification requirements and penalties where New York residents' data is compromised.

Largely an update to existing New York law, the SHIELD Act's breach notification changes took effect on 23 October 2019 and its data security requirements on 21 March 2020. Penalties are civil and enforced by the Attorney General: up to $20 per failed notification (capped at $250,000) for breach notification failures, and up to $5,000 per violation of the reasonable-safeguards requirement. Much as the California Consumer Privacy Act (CCPA) does for that state, if your organisation holds the private information of any New York resident, or exchanges it with a business partner that does, the law applies regardless of where your organisation is located.

OCC Bulletin

The Office of the Comptroller of the Currency (OCC) is the group within the Department of the Treasury that charters, regulates, and supervises all national banks and federal savings associations, as well as federal branches and agencies of foreign banks. The OCC enforces its regulations with examinations, and it can deny applications for new charters or take other actions against banks and thrifts that do not comply with laws and regulations or otherwise engage in unsafe practices.

The OCC's mission is to ensure that national banks and federal savings associations operate in a safe and sound manner; provide fair access to financial services; treat customers fairly; and comply with applicable laws and regulations.

OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance, sets out the OCC's expectations for "assessing and managing risk associated with third-party relationships." It was supplemented by frequently asked questions in OCC Bulletin 2017-21, which were expanded and replaced by OCC Bulletin 2020-10; examiners apply the same framework, together with the supplemental examination procedures in OCC Bulletin 2017-7, when reviewing a bank's third-party risk management programme.

These bulletins highlight the need for an effective risk management process throughout the life cycle of a third-party relationship: planning, due diligence and selection, contract negotiation, ongoing monitoring and termination, backed by reporting and documentation that support oversight and accountability. Note that in June 2023 the OCC, Federal Reserve and FDIC issued joint Interagency Guidance on Third-Party Relationships: Risk Management (OCC Bulletin 2023-17), which rescinded and replaced 2013-29 and its FAQ supplement; the life-cycle model is unchanged, so the expectations described here still apply.

P3 Audit TPPPDS Validation

A comprehensive report covering gap analysis and exercise results, with documented priorities for mitigating risk in line with the third-party vendor client's Business Continuity Plan priorities.


PIPL

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. It is China's first omnibus data protection law and takes effect on 1 November 2021, giving companies just over two months to prepare. The PIPL is a game changer for any company with data or business in China and adds another layer of complexity to compliance with China's security and data laws, alongside the Cybersecurity Law and the Data Security Law. Like the GDPR, it reaches organisations outside China that process the personal information of individuals in China in order to provide them with products or services or to analyse their behaviour; it requires a legal basis for processing; and it restricts cross-border transfers of personal information, which bears directly on any payroll provider that moves employee data out of China. Penalties for serious violations run to RMB 50 million or 5% of the previous year's turnover.

As is usual with Chinese legislation, many of the concepts and requirements are high level, and further detail is expected in implementing regulations and practical guidance in the coming months.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is the set of security requirements that any organisation storing, processing or transmitting cardholder data must meet, administered by the PCI Security Standards Council. The Council operates programs to train, test and qualify the organisations and individuals who assess and validate compliance (Qualified Security Assessors and Approved Scanning Vendors), to help merchants implement PCI standards and solutions, and it qualifies payment hardware and software so that merchants can select approved solutions for securing payment data and systems.

Third parties are addressed directly: Requirement 12.8 of PCI DSS v3.2.1 requires an entity to maintain a list of the service providers with which cardholder data is shared, to hold a written agreement in which each provider acknowledges its responsibility for the security of that data, to perform due diligence before engaging a provider, and to monitor each provider's PCI DSS compliance status at least annually. A payroll provider that touches card data on your behalf therefore falls inside your own compliance scope.

How much work becoming PCI DSS compliant takes depends on the complexity of your payments environment and the data security measures you already have in place; you may already be compliant without realising it.

Compliance is not a one-off task: you will need to take measures regularly, and validate them at least annually, to show you are still meeting the requirements.


SSAE 16

Statement on Standards for Attestation Engagements no. 16 (SSAE 16) is a now-superseded attestation standard for service organisations, produced by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). It replaced Statement on Auditing Standards no. 70 (SAS 70) and was itself superseded by SSAE No. 18, effective for reports dated on or after 1 May 2017; reports issued today are SOC 1 reports under SSAE 18.

The "service auditor's examination" of SAS 70 was replaced by a System and Organization Controls (SOC) report. SSAE 16 was issued in April 2010 and became effective in June 2011, and organisations that had followed SAS 70 moved to SSAE 16. Some service organisations use their SSAE 16 (now SSAE 18) report status to show they are more capable, and encourage prospective customers to make having such a report a standard part of new-vendor selection criteria.

SSAE 16 has two kinds of report. A SOC 1 Type 1 report is an independent snapshot of the organisation's controls, and the suitability of their design, as of a given date. A SOC 1 Type 2 report adds a historical element, showing how the controls operated over a review period; in practice the period is at least six months, and commonly twelve.

SSAE 16 reporting can help service organisations support their customers' Sarbanes-Oxley section 404 requirement to demonstrate effective internal control over financial reporting. It can also be applied to data centres or any other service that feeds into the delivery of financial reporting.

SSAE 16 prescribes an attestation method rather than a fixed control set: the service organisation defines its own control objectives and the auditor tests against them. Two SOC 1 reports are therefore not directly comparable, and you should read the control objectives and any exceptions rather than just the opinion. If you need assurance over security, availability or confidentiality rather than financial reporting, ask for a SOC 2 report instead (see AICPA SOC 2 above).

