ISO/IEC 27001 – ISO 27001 for short – is an international standard for information security in private, public and non-profit organisations. It is part of the ISO/IEC 2700x family of standards and was published by the International Organization for Standardization (ISO). The principle-based standard sets out the requirements for establishing, implementing, operating, optimising and updating (continuous improvement process) a documented Information Security Management System. That management system is built on the family of standards, a total of six standards: ISO 27001 to 27005.
ISO certification is issued as a one-page certificate by accredited ISO auditors and reflects the situation on a given date. Until now, many companies have regarded ISO 27001 as a yardstick for the maturity of their own information security. But as risks are constantly evolving and penalties for errors and omissions are becoming stricter, it is not surprising that the required level of security for data and processes is increasing and a broader view is needed.
ISAE 3402 and SOC 1®
If a company outsources processes relevant to accounting and financial reporting, it must ensure that an appropriate internal control system and risk management are in place and effective. The outsourcing company and its statutory auditor must establish what internal controls the contracted service companies have in place. These service organisation audits are time-consuming and expensive.
The responsible auditing bodies have recognised this problem. The International Auditing and Assurance Standards Board (IAASB) has issued the International Standard on Assurance Engagements 3402 (ISAE 3402). The US equivalent is the SOC 1® report, which is based on the standards of the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA).
The purpose of both of these assurance engagements is to evaluate all of a company’s relevant information systems in terms of availability, integrity and/or confidentiality. The selection of the processes to be assessed is at the discretion of the commissioning company, but it must be validated by the independent practitioner. Within that constraint, the ISAE and SOC® standards provide a degree of flexibility whereby a company can focus on the areas that are critical to its clients, investors and suppliers, as well as to its statutory auditors. In particular, those auditors are required to consider the ISAE 3402 / SOC 1® report in accordance with ISA/ISA-CH 402 and ISA/ISA-CH 315 (Revised) in their work.
The best of both worlds
We all know that apples should not be compared with oranges. But we’re going to do it here anyway, in order to obtain some clarity about the advantages and disadvantages of the two examinations (see table).
| | ISAE / SOC® assurance report | ISO 27001 certificate |
|---|---|---|
| Report | Assurance report with an opinion from the independent auditor; includes a Management Statement on the control environment | Certification with no opinion |
| Deliverable | Comprehensive assurance report including the description of the control environment, the design and implementation of controls (type I report) and the operating effectiveness of controls (type II report); can be relied upon by customers and their statutory auditors as well as other stakeholders | One-page certificate stating that the management system is in place; does not provide any audit comfort |
| Distribution | Restricted to defined stakeholders (except for ISAE 3000 and SOC 3) | No restriction |
| Level of acceptance | Recognised and accepted by customers and their statutory auditors as well as other stakeholders | Depends on the audience |
| Subcontractors | Transparency over the subcontractors used and the reliance placed on their controls | Not disclosed |
| Involvement of internal audit or compliance function | Possible; if the independent auditor uses their work, this is disclosed in the assurance report | Not applicable |
| Coverage / validity | Point in time (Type I); period over time (Type II), typically 1 year | Certification audit in year 1 and surveillance audits in years 2 and 3; point in time |
| Period under review | Retrospective | Forward-looking |
ISAE/SOC® report and ISO 27001 certificate compared
An ISO certificate is easier and faster to obtain than an ISAE or SOC® assurance report. While the ISO standard is limited to how controls are structured on day X, ISAE and SOC® enable the operating effectiveness of controls to be tested over a period of time. The scope of an ISAE or SOC® assurance report is therefore much broader than that of an ISO certificate. In an assurance report, in addition to the usual sections such as the company’s own assessment and an outline and detailed description of the control objectives, the practitioner’s independent conclusion or the auditor’s independent opinion is presented. This is completely missing from an ISO certificate. Accordingly, the external statutory audit may rely on an assurance report, but not on a certificate. The certificate merely provides management with information about which information security controls are sufficiently well developed and which, if any, need to be optimised or completely revisited in a prospective view.
Operational reporting on the upswing
As the profile and attractiveness of ISAE and SOC® assurance engagements grow, they are becoming increasingly important for companies with an international focus – and Switzerland is no exception. They offer strategic and operational management an in-depth insight into in-house process maturity and provide valuable pointers for high-quality control and risk management as well as contribute to the resilience of an organisation. ISAE and SOC® assurance reports cover the diverse requirements of different stakeholders. This means a company can avoid doubling up on work to meet audit requests from different parties. These operational assurance reports are also an excellent way for a company to show to its board of directors, clients and business partners that it operates in a responsible manner, and to demonstrate its trustworthiness and resilience in comparison with competitors.