http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202498009028

By Thomas Shaw
Law Technology News
June 22, 2011

Organizations need assurances about controls used by third-party data custodians, such as cloud service providers (CSPs). Two methods are typically used: 1) certification against a standardized set of controls, such as ISO 27001 certification using ISO 27002 controls, and 2) audit opinions about existing controls, such as Statement of Auditing Services (SAS) 70 reports.

But much has changed in the last year -- or will soon be changing. What has changed already involves the types of audit reports on internal controls of service organizations. Looming changes will address certifications possible for service organizations, including updates to the ISO security standards for cloud computing.

The first major change is that the International Auditing and Assurance Standards Board has promulgated the "International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization." This standard, effective for reporting years ending after June 15, 2011, is focused on service organization controls in relation to financial reporting. Specifically, the auditor is looking to obtain reasonable assurance that the service organization's description of its system of controls is fairly presented and that these controls were "suitably designed" and operated effectively during the period under reporting.

The Type 1 report includes the service organization's description of its system, assertions about the fair presentation of its system description and the suitable design of controls, and the auditor's reasonable assurance about these assertions. The Type 2 report includes everything in the Type 1 report and expands to include the operating effectiveness of the controls over the reporting period, and describes the tests conducted by the auditor and the results of those tests.

[...]
Received on Wed Jun 22 2011 - 23:50:18 PDT
This archive was generated by hypermail 2.2.0 : Wed Jun 22 2011 - 23:58:56 PDT