Simplify auditing with SOC2 Reports
Article published in Finansavisen in Norway 28th of Feb written by BJØRN HENNING GRANDAL
Most industries and companies have increased their focus on security in recent times. The underlying reasons are among other things frequent reports in media, numerous incidents published, GDPR and the implementation of the NIS Directive.
Basefarm has a range of customers both at home and abroad and provides numerous complex and critical services, often involving large volumes of personal data. These are all services that their customers can outsource. However, the risk involved in providing such services must remain with the customer, and there is an increasing demand for a higher level of auditing and certification services.
“It is increasingly common to outsource IT operations to suppliers of cloud services, and the potential for local inspection and auditing of service providers is now much lower. As a result, third-party certification is of increasing interest and an important element in the follow-up and control of a company’s suppliers,” confirms Basefarm’s SVP Quality & Security, Esten Hoel.
Kevin McCloskey, a partner with Enterprise Risk Services in Deloitte, has also noted the increased focus on security from companies with foreign customers who require confirmation that their suppliers are “secure enough” to provide key information.
“It is not uncommon to have some kind of company certification/audit laid down in new contracts, and the supplier is expected to submit these once a year. GDPR has triggered a higher emphasis on security and distribution of responsibility between the data controller and data processor. This will undoubtedly result in increased demand for GDPR certificates or similar certification.”
Kevin McCloskey confirms that Deloitte is an independent supplier to Basefarm, assigned the task of conducting an independent assessment to confirm whether the internal control structure implemented at Basefarm functions according to its specifications.
Basefarm has numerous customers in the banking and finance segment, but also within tourism and e-commerce. One factor all these customers have in common is that they store large volumes of personal data, often including credit card information and payment details.
“GDPR has triggered a higher emphasis on security and distribution of responsibility between the data controller and data processors”
New reporting system SOC2
Auditing company Deloitte and Basefarm have now collaborated on the delivery of SOC2, a reporting system, which according to Esten Hoel, is not yet widely used. SOC2 is comprehensive and covers many of the same – but more than – the traditional auditing services found in the ISAE 3402 reporting standard, which is very popular.
“An ISAE 3402 report covers internal controls from a financial reporting perspective. Its purpose is to document compliance with legislation and regulations. The target group for the ISAE 3402 reports is the customer’s management group and auditors,” confirms Esten Hoel.
SOC2 encompasses internal controls related to information security in general, availability, confidentiality, data integrity and security for personal data.
“The purpose of internal control for each of these areas is defined in the standard. The target group for SOC2 reports is the customer’s management, information security supervisors and control functions,” explains Esten Hoel.
Simpler and more efficient
He believes that SOC2 is a standard that encompasses all aspects of information security, while ISAE 3402 is normally restricted to the processing of financial data.
Esten Hoel claims that SOC2 not only covers many of the elements included in ISAE 3402, but is also mainly based on ISO 27001 certification. According to Basefarm’s head of security and quality, this simplifies both auditing and ISO certification and provides a boost to inhouse efficiency.
“ISO 27001 is by now a prerequisite for service providers in the IT industry. We believe that SOC2 will follow suit, and that an increasing number of companies will look for service providers who can offer such reports. A SOC2 report provides much more detailed insight and information on how a service provider works with security than just an ISO certificate,” says Esten Hoel.
About Esten Hoel:
Esten Hoel is our SVP Security and Compliance and is part of the Basefarm management team. He has a long history in the IT industry but has also worked within the mobile communication and for the Winter Olympics in Lillehammer in 1994. He is passionate about transforming security to support the people and organizations and he believes that policies, technology and processes are here to help, not to stop organizations, and to enable innovation. His motto is “systematic work, always works”.
Esten Hoel, SVP Security and Compliance, Basefarm