Introducing the Term "SSAE SOC2"

I have been watching the SOC (formerly SAS 70) reports market since early last year, even before June 15th - the official date that SAS 70 died, and have taken note of many things. Among the good things I have noticed in the market is use of the term "SSAE SOC2." Whoever came up with this term is a genius. I noticed this term first in a blog post by @Internap.


The term is genius because it helps people overcome the fixation that people have unfortunately developed with the term "SSAE 16" while remaining 100% accurate.  Others have tried to do the right thing by getting a SOC2 report (SSAE 16 is not designed to provide assurance about security), but needing to satisfy their customer's misguided demand for an SSAE 16 report, told everyone that they had an "SSAE 16 SOC2" report.  This is not accurate because SSAE 16 has to do with SOC1 instead of SOC2.

The reason the term "SSAE SOC2" is 100% accurate is that SOC2 is based on AT-101 which is in turn based on SSAE 10, SSAE 11, SSAE 12, and SSAE 14 (I just had to go double check).

Okay, so you may be asking, "WHO CARES?", and wishing you could say, "Quit boring me!"


Here's why I care...last year, and into this year, we all witnessed the market completely ignore the changes in the standards the AICPA made to service organization control reporting.  The AICPA was clear..."SOC reports replace SAS 70", and "SSAE 16 is not designed to provide assurance regarding security, availability, processing integrity, confidentiality, or privacy." 


Instead, the market heard "SSAE 16 replaces SAS 70", and what happened?  Well, but for a few elite service organizations, everyone rushed out and got their SSAE 16 report.  Why? Because that's what customers were asking for.  The RFP said "SSAE 16", so service organizations gave them an "SSAE 16."

What the term "SSAE SOC2" enables us to do is easily transition to the report that IS designed to provide assurance regarding Security, Availability, Processing Integrity, Confidentiality, and Privacy - a SOC2 report.  The term will ease the minds of people that have latched onto the term "SSAE 16", and as long as SOC2 engagements are performed by competent security professionals, service organizations will be more secure, and user organization's data will be better protected.

1 comment:

  1. Interesting post! By the way, I made virtual data rooms comparison to get useful information about the ones.

    ReplyDelete