There was a debate between two auditors about whether data centers need SSAE 16, captured in these two articles on Infosec Island: Why Datacenters Need SSAE 16 and Why Data Centers Don't Need SSAE 16.
Well the jury is in, and the market decided definitively that data centers need SSAE 16.
My question, however, is this, "Why do Data Centers Have to Choose Between SSAE 16 and SOC 2?"
If SSAE 16 is applied correctly, non-ICFR controls should not be included in the report.
This means that at the very least Physical Security and Environmental controls have to be removed from the SSAE 16 report.
For more information about how to determine whether a control is non-ICFR, please refer to my post titled "Use Degrees of Risk Separation (DoRS™) to Determine ICFR / non-ICFR".
- If Physical Security and Environmental controls are removed from SSAE 16 reports, customers are going to need to receive assurance about security and availability from another source.
- That is where SOC 2 comes in. SOC 2 is designed to provide assurance regarding both security and availability, whereas SSAE 16 is neither designed for, nor able to provide, assurance regarding security and availability.
- While the market was trying to figure out which was the right report, the answer was right there in front of us. Data centers need both an SSAE 16 report and a SOC 2 report.
Remove non-ICFR controls from most data center SSAE 16 reports, and you will be left with a very thin report. This will create the need for a SOC 2 in order for data centers to provide their customers the assurance that they will not cause a material misstatement (SSAE 16), and assurance regarding security and availability (SOC 2).
Some may be thinking..."What about cost? Won't two reports cost more than one?" The answer I give is that it will not cost more if the controls that were tested under SAS 70, and incorrectly under SSAE 16, map to the Trust Services Principles and Criteria (TSPC).
The reports themselves do not take much effort to compile, and therefore should not cost much, if any, more than one report. The additional cost comes in when there are additional controls that need to be tested because of gaps between the existing report and the TSPC.
A DoRS analysis can help data centers separate out non-ICFR controls, and a TSPC mapping exercise can help data centers determine whether they will need to implement missing controls.
Doing these two things can help data centers determine whether to expect additional audit fees going forward. If anyone needs any help, please let me know.
Jon Long, CISA, QSA is a Senior Manager and Practice Builder at CompliancePoint and is currently championing an audit approach that allows organizations to combine multiple compliance requirements into a single SOC2 engagement.
Cross-posted from The Risk Assurance Guy