OC2 reports, everything you should know
In previous posts we have already commented on the origin of these reports (in this post) and on their complementarity with the cybersecurity rating that we carry out in LEET Security (in this other post), but we still frequently receive doubts about them and, therefore, we have decided to publish this new entry in which we are going to recap the most frequently asked questions.
WHO CAN ISSUE THIS TYPE OF REPORTS?
This type of work is carried out by audit firms registered in the corresponding national organizations with agreements with AICPA / CICA.
WHY DO CLIENTS REQUEST THIS TYPE OF REPORTS?
For some time now, the need to manage the risk of third parties has led to a search for mechanisms to ensure that third parties that are part of the supply chain do not pose a risk to end users. As we saw in our previous posts, the objective of these reports is for the auditor to evaluate the security measures implemented by the provider according to a series of principles (confidentiality, integrity, availability, security, privacy and lately, cybersecurity)
BY HAVING A SOC2 REPORT, IS A PROVIDER SAFE ENOUGH?
Absolute security does not exist, but of course, an audited supplier in accordance with the provisions of the ISAE3000 standard (the one that governs SOC2 reports) must assume a certain degree of security, since it has evidenced a specialized auditor in the matter that meets a series of control objectives (based on the audited principle or principles).
Now, is it safe enough? Not; that cannot be assured. It depends on the scope that has been audited, since, as in any audit, the scope must be verified. It depends on the principles that have been audited: for example, if the confidentiality has been audited, nothing can be concluded about the availability. And, of course, that it has sufficient security measures, in the auditor's opinion it does not presuppose that they are sufficient for the use that the client wants to make. The SOC2 report is like a novel, you have to read it all to see if you like it. If my neighbor likes that novel, it doesn’t mean I have to like it, or even if I like an author, that does not mean that all his novels will always please me.
WHAT IS THE RELATION OF THIS REPORT TO THE NEW FINANCIAL RATING, PINAKES?
As we mentioned in a previous post, SOC2 reports are compatible with the LEET Security rating and, of course, also with the new PINAKES rating. That is, those clients who are already doing SOC2-type audits will be able to take advantage of this effort, simply by ensuring that their auditing firm has an agreement, either with LEET Security, in the first case, or has been approved by the Interbank Cooperation Center, in the second.
At the end of the day, these rating systems provide an objective assessment (not a subjective one like the one carried out by the SOC2 auditor) and transparent about the level of security, that is, they add a rating system that allows us to understand much more easily what the novel is good, without having to read it to the end (the scope would suffice).
In our opinion, the most efficient approach would be to take advantage of this compatibility to, in the same audit process that ISA3000 entails, obtain the SOC2 report, as well as the PINAKES rating (which will allow working with the financial sector) and the LEET Security rating (for show other non-financial clients my level of security).
Suscribe to our newsletter here