Instituted in 2011, SSAE (Statement on Standards for Attestation Engagements) 16, which comes from the American Institute of Certified Public Accountants (AICPA), defines how third-party service vendors deploy security controls. The program produces two standards: SOC 1 and SOC 2.
i. SOC (Service Organization Controls) 1 focuses on financial reporting.
ii. An SOC 2 report evaluates an organization’s internal information systems’ security, confidentiality, availability, processing integrity, and privacy. Each of the five areas has its own set of criteria. Vendors can support one or two rather than all five and still adhere to the standard.
ISO & IEC
Two groups, the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), worked together to craft a second set of standards numbered in the 27000s.
These specifications outline an Information Security Management System (ISMS), a suite of activities designed to manage information security risks. An ISMS ensures that security procedures are fine-tuned and can keep pace with changing security threats, vulnerabilities, and business impacts.
The 27001 specification focuses on information security policy, information risk assessment process, information risk treatment process, information security objectives, and the competence of the people working in information security.
The 27018 spec provides guidance aimed at ensuring that cloud service providers offer suitable information security controls to protect the privacy
of their customers’ clients by securing PII (personally identifiable information) entrusted to them. This standard was crafted in 2014, so few cloud solution providers currently support it. Industry standards offer organizations a good starting point when they are evaluating a potential cloud provider’s security posture.
Article by Workday