General FAQs
Information security is all about protecting important information from unauthorised disclosure, modification and loss. This may include your customers’ personal information, employee information, business contracts, marketing strategies, credit card details, etc. We advise organisations on how to implement appropriate and cost-effective controls to keep their valuable information secure.
The rapid growth of information technology and the Internet has afforded organisations huge increases in efficiency, but has also made information much easier to copy, modify or delete. Organisations are increasingly reliant on information to achieve their objectives. As such, they must ensure that their information remains accurate (integrity), is disclosed only to those entitled to it (confidentiality) and is available when needed (availability).
An information security strategy will help you to identify the most important information within your organisation and the main risks to that information. This understanding will allow you to focus on the high risk areas and allocate resources where they will provide the most benefit.
Demonstrating effective management of information security can also provide reassurance to clients that they can trust you to keep their information secure.
To find out more, download our free whitepaper on the business case for information security.
No. Information security should encompass all forms of information, including paper documents. Most organisations have at least some reliance on paper documentation, so it’s important to consider the risks associated with this information too.
ISO, the International Organization for Standardization, is the world’s largest developer and publisher of International Standards. It is a network of the national standards institutes from 160 countries, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. So far it has developed over 18,500 International Standards on a variety of subjects.
The standards are designed to facilitate trade, spread knowledge, and share technological advances and good management practices. ISO standards avoid having to reinvent the wheel. They distil the latest in expert knowledge and make it available to all.
Being certified to ISO standards shows that an organisation has reached an international standard of best practice in that particular field. This levels the playing field and allows for transparency when comparing organisations’ capabilities.
To find out more, call us in Melbourne today on 1300 977 774.
SOC Categories
Australian service providers are often asked to provide their clients with third party assurance of their information security. These requests may mention ISO 27001 certification or, usually if the client is US-based, SAS 70 or SOC reports. ISO 27001 is well recognised as the international standard for managing information security, but what are SAS 70 and SOC?
SAS 70 no longer exists as a current standard. It was superseded in 2011 by SSAE 16, and the report produced under SSAE 16 is called a SOC 1 report. So if an organisation is asking for a SAS 70 report, what it should really be referring to is a SOC 1 report.
SOC 1, 2 and 3 are attestation reports issued to service providers by an independent auditor, describing the provider’s controls and (for Type 2 reports) how effectively those controls operated. SOC 1, 2 and 3 do not provide certification to any international standard. They are attestation frameworks developed by the American Institute of Certified Public Accountants (AICPA) primarily to meet the needs of American companies. They have not been through the international review process common to ISO standards, and as such may not address regional issues (such as Australian privacy obligations) that do not arise in America. SOC 1, 2 and 3 examinations can only be performed by an independent, licensed Certified Public Accountant (CPA) firm.
There is an international equivalent to SOC 1 that may be more appropriate for Australian organisations. It is called ISAE 3402 and was issued by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC). SSAE 16 (and so SOC 1) was developed in parallel with, and closely aligned to, ISAE 3402, but the two differ slightly. However, ISAE 3402 is not well known in the security industry, so many international organisations choose ISO 27001 certification instead.
SOC Categories
SOC 1 is an attestation report on a service provider’s controls that are relevant to its clients’ financial reporting (for example, payroll processing, transaction processing or hosting of a client’s accounting system). This report is only likely to be relevant to service providers whose services feed into their clients’ financial statements. SOC 1 examinations are performed against an American standard called SSAE 16 (since superseded by SSAE 18, which did not change the SOC 1 report itself).
SOC 2 is an attestation report on controls related to one or more of the following Trust Services principles: security, availability, processing integrity, confidentiality and privacy. Security is the baseline principle; the scope of the report varies depending on which of the others the service provider decides to include. SOC 2 examinations are performed under AT Section 101 against the AICPA Trust Services Principles and Criteria.
SOC 1 and SOC 2 reports can be either Type 1 or Type 2. A Type 1 report is restricted to an assessment of whether the controls are suitably designed and implemented as at a single point in time. It does not include an assessment of how effectively the controls operated. A Type 2 report includes an assessment of both the design and the operating effectiveness of the controls over a review period, typically six to twelve months. A client relying on a provider’s controls should therefore ask for a Type 2 report, and check that the review period and the listed control exceptions are acceptable.
SOC 2 reports are restricted-use reports: they are shared with existing and prospective clients, usually under a non-disclosure agreement, rather than published, because they describe the controls in detail and list the auditor’s tests and any exceptions found. Where a service provider wants something it can distribute freely, it can obtain a general-use report called SOC 3, which omits this detail. The examination behind a SOC 2 Type 2 and a SOC 3 is the same, but the report is different: SOC 3 is a short summary containing the auditor’s opinion on whether the Trust Services criteria were met, which can be provided to anyone (or published on a website) to demonstrate compliance without disclosing sensitive control information. A SOC 3 report can only be issued on the basis of a Type 2 examination.