Ice skates are just as useless on snow as snow skis are on ice. In the same way, a SOC 1 report is useless for providing assurance about security and availability, because it is designed to support a user entity's financial statement assertions. A SOC 2 report is equally useless for providing assurance about internal control over financial reporting (ICFR), because it is designed to provide assurance about security, availability, processing integrity, confidentiality, and privacy. Neither is better than the other; they are simply designed for different purposes.
Why, then, do we continue to see press releases that tout a SOC 1 (issued under SSAE 16, the successor to SAS 70) as providing assurance about security and availability? The Risk Assurance Guy and French Caldwell at Gartner seem to be the only ones pointing out that this misuse continues in the market.
CISO New Year Resolution - 'I will not accept an SSAE 16 (aka SOC1) for security assurance' - gartner.com/resId=2287115 #GRC #Gartner
— French Caldwell (@iTGuru) January 3, 2013
Watch people trying to ski with ice skates here: the live Twitter search for "SAS 70" OR "SAS70" OR "SSAE16" OR "SSAE 16".