Security Certifications Explained

Types of security certificates you need to know:

What is an ISO 27001 certificate?

The ISO 27001 is the global benchmark for demonstrating security management. It enables companies to implement an ISMS (Information Security Management System) framework. This framework includes a requirement for detailed documentation of IT policy and procedures.

Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it is designed to support companies in managing their information security by organising people, processes, and technology to ensure confidentiality and availability, and integrity of information.

The certification includes a formal certification framework with annual surveillance audits to ensure that the information security evolves with the business. If a company is compliant with the ISO 27001 standard, it assures that a strong foundation of Information Security principles is implemented. The framework can then be used to build upon other regulatory or client requirements, including ISAE 3402 and SOC2.

What are the ISAE 3000 and ISAE 3402 standards?

ISAE 3000 is an international declaration standard. In Denmark, it is developed by the FSR (chartered accountants) and the Danish Data Protection Agency. The purpose is to ensure that your vendor complies with the requirements of the GDPR.

This type of statement can be made either for a point in time or a specific period - e.g., a year. ISAE 3000 is the overarching international guidance for performing assurance engagements, and an increasing number of companies require that their vendors have an ISAE3000 declaration in place.

ISAE 3402, which falls under ISAE 3000, is specific to service organisation engagements. ISAE 3402 is a framework that contains an audit of a wide range of areas. It relates to all business processes around the IT function: development, operation, emergency preparedness, etc. It also relates to the more basic stuff, such as where the data centres are located. The 3402-I shows a snapshot, and 3402-II covers a period, typically one year.

What is a SOC report?

SOC reports are widely leveraged and well-respected information security and audit frameworks that provide clients with a high degree of assurance as to the security of the vendor's SaaS solution. There are three kinds of SOC reports:

  • SOC 1 report - Relates to assurance on controls that could impact financial statements.
  • SOC 2 report - Relates to assurance on IT controls.
  • SOC 3 report - Relates to assurance on IT controls. Usually, these reports are not detailed and are generic in nature.

SOC 2 is specifically designed for service providers storing customer data in the cloud. That means SOC 2 is relevant to nearly all SaaS companies and any company that uses the cloud to store customers' information. SOC 2 might mean performing background checks on all employees, ensuring that employees' laptops are password-protected, or configuring the company's services safely. SOC 2 is created by the American Institute of CPAs (AICPA). The report can include up to five categories, known as the Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 report can reference a "point in time" (Type I) or a "period of time" (Type II) evaluation of anywhere from one to all five of the trust principles.

Concluding remarks

It's a jungle to understand the different security documentation, certifications, and standards, but getting this information from your vendors is vital. First, the GDPR requires that you only share personal data with vendors that can keep the data secure. Secondly, as a company, you can rely on the certificates of your vendors, resulting in a reduced auditing budget.

When looking at the different documents, it is good to keep in mind that the ISO certification is merely proof of a company's ability to maintain an effective Information Security Management System at a certain point in time.

A SOC2 or ISAE 3000 audit examines the existing technology and processes behind the security, thus proving the vendor's ability to maintain controls instead of simply executing them.