Simplify auditing with SOC2 Reports

Article published in Finansavisen in Norway 28th of Feb written by BJØRN HENNING GRANDAL

Most industries and companies have increased their focus on security in recent times. The underlying reasons include frequent media reports, numerous published incidents, GDPR and the implementation of the NIS Directive.

Basefarm has a range of customers both at home and abroad and provides numerous complex and critical services, often involving large volumes of personal data. These are all services that their customers can outsource. However, the risk involved in providing such services must remain with the customer, and there is an increasing demand for a higher level of auditing and certification services.

“It is increasingly common to outsource IT operations to suppliers of cloud services, and the potential for local inspection and auditing of service providers is now much lower. As a result, third-party certification is of increasing interest and an important element in the follow-up and control of a company’s suppliers,” confirms Basefarm’s SVP Quality & Security, Esten Hoel.

Increased demand

Kevin McCloskey, a partner with Enterprise Risk Services in Deloitte, has also noted the increased focus on security from companies with foreign customers who require confirmation that their suppliers are “secure enough” to provide key information.

“It is not uncommon to have some kind of company certification/audit laid down in new contracts, and the supplier is expected to submit these once a year. GDPR has triggered a higher emphasis on security and distribution of responsibility between the data controller and data processor. This will undoubtedly result in increased demand for GDPR certificates or similar certification.”

Kevin McCloskey confirms that Deloitte is an independent supplier to Basefarm, assigned the task of conducting an independent assessment to confirm whether the internal control structure implemented at Basefarm functions according to its specifications.

Basefarm has numerous customers in the banking and finance segment, but also within tourism and e-commerce. One factor all these customers have in common is that they store large volumes of personal data, often including credit card information and payment details.


New reporting system SOC2

Auditing company Deloitte and Basefarm have now collaborated on the delivery of SOC2, a reporting system which, according to Esten Hoel, is not yet widely used. SOC2 is comprehensive: it covers many of the same areas as, and more than, the traditional auditing services found in the very popular ISAE 3402 reporting standard.

“An ISAE 3402 report covers internal controls from a financial reporting perspective. Its purpose is to document compliance with legislation and regulations. The target group for the ISAE 3402 reports is the customer’s management group and auditors,” confirms Esten Hoel.

SOC2 encompasses internal controls related to information security in general, availability, confidentiality, data integrity and security for personal data.

“The purpose of internal control for each of these areas is defined in the standard. The target group for SOC2 reports is the customer’s management, information security supervisors and control functions,” explains Esten Hoel.

Simpler and more efficient

He believes that SOC2 is a standard that encompasses all aspects of information security, while ISAE 3402 is normally restricted to the processing of financial data.

Esten Hoel claims that SOC2 not only covers many of the elements included in ISAE 3402, but is also mainly based on ISO 27001 certification. According to Basefarm’s head of security and quality, this simplifies both auditing and ISO certification and provides a boost to in-house efficiency.

“ISO 27001 is by now a prerequisite for service providers in the IT industry. We believe that SOC2 will follow suit, and that an increasing number of companies will look for service providers who can offer such reports. A SOC2 report provides much more detailed insight and information on how a service provider works with security than just an ISO certificate,” says Esten Hoel.

About Esten Hoel:
Esten Hoel is our SVP Security and Compliance and is part of the Basefarm management team. He has a long history in the IT industry but has also worked within mobile communication and for the Winter Olympics in Lillehammer in 1994. He is passionate about transforming security to support people and organizations, and he believes that policies, technology and processes are here to help, not to stop organizations, and to enable innovation. His motto is “systematic work, always works”.

Esten Hoel, SVP Security and Compliance, Basefarm



Inera chooses Basefarm

Increased focus on innovation by appointing Basefarm as supplier of services for IT Operations

Stockholm, 3 October 2018: Inera, a developer of eHealth services for public sector health organizations and municipalities, has entered into an agreement with IT Operations supplier Basefarm. Through the cooperation Basefarm will manage and optimize operations and enable Inera to focus on innovation and development of smart digital services for the public.

“Digitalization is happening extremely quickly, and at Inera we’re actively working with developing smart services in eHealth,” said Petter Könberg, head of IT, Inera. “Working with Basefarm allows us to continue to be at the forefront, and let Basefarm help us with what they do best – being a proactive operations provider who ensures a stable and secure IT environment, where we can put our technology to work in the smartest way possible, short and long term.”

Working with Basefarm means Inera will get a provider with proactive and modern working practices who, apart from offering accessible, stable and secure operations, also ensures that Inera always has access to the best and most effective digital solutions. For Inera, the partnership is a natural step forward, as they have a number of criteria to consider when delivering their services, something which requires internal resources, not least to ensure demands are met when it comes to accessibility and data privacy.

“Our choice of partner is based on an in-depth analysis of current and future needs, and we look forward to working with Basefarm to meet these,” said Petter Könberg.

During the first two years of the contract, Basefarm and Inera will work intensively to migrate existing services to Basefarm. In parallel, a large number of new services will be implemented, and success will require a very tight collaboration between Inera and Basefarm.

“We are very much looking forward to working with Inera,” said Sara Murby Forste, Country Manager Sweden, Basefarm. “It’s a substantial project and our experts will work very tightly with Inera’s team. In the end it’s all about giving Inera the ability to focus on their core business, by allowing us to do what we are so very good at – all the operations related areas.”

About Inera

Inera develops eHealth services for businesses, health services, regions and municipalities and is owned by public organization SKL. Inera has developed joint solutions for a number of public health services and projects including 1177 Vårdguiden, UMO (teenage services online) and Journal via nätet (Medical notes online). The organization had a turnover of approximately MSEK 850 in 2018 and employs over 300 people. The services developed are aimed at citizens as well as employees working in health organizations, regions and municipalities. www.inera.se

Basefarm is now AWS Public Sector Solution Provider and Authorized Government Reseller

Stockholm, December 13th, 2018:

Basefarm has been recognized as Amazon Web Services (AWS) Public Sector Solution Provider and Authorized Government Reseller. The new partner status means that Basefarm is officially authorized to both sell and manage AWS public cloud migrations and operations for public authorities and municipalities.

“We have helped many governmental institutions on their cloud journey, helping them to migrate applications and data to the cloud,” says Svein Johansen, Product Manager at Basefarm. “The new partner status officially authorizes us to help public sector customers with their AWS cloud transformations”.

As AWS establishes datacentres in Sweden, it attracts public authorities and municipalities that want to move data and applications to the cloud. At the same time, the public sector is heavily regulated and often involves sensitive and personal data. It is therefore important to have the flexibility to establish and run a cloud environment where data can continuously be stored and managed securely and according to current regulations. This will be facilitated as AWS has physical presence in the region. Another advantage of having AWS datacentres locally is that it will be easier to create low latency hybrid solutions, combining services in AWS datacentres and Basefarm’s datacentres in Stockholm and Oslo.

So far this year, AWS has released approximately 1500 new services, and new ones are constantly added. While the new services bring new opportunities, they could also affect IT operations as many services and applications affect each other. Here, Basefarm plays a crucial role for public sector organizations that are not able to, or choose not to, attract, keep and develop the necessary IT competence to manage the situation in-house.

By engaging Basefarm, these organizations will ensure that their critical applications and data will be optimized throughout the lifecycle utilizing our Flexible Cloud Operations Engagement Model leveraging consultative Guided Operations, 24/7 Frontline Operations and custom Platform Operations.

Basefarm is an Advanced Consulting Partner and AWS Public Sector Solution Provider and has developed deep expertise in AWS cloud while working with demanding customers in both commercial and public sector.
