SEEBURGER has once again successfully passed the ISAE 3402 attestation SOC 1 audit. This makes it much easier for SEEBURGER cloud customers to provide the security and data protection evidence relevant for their respective auditors. All other advantages for SEEBURGER cloud customers are clearly summarized here.
ISAE 3402 – Trust is good, control is better!
Today, modern companies fulfil their IT requirements in the cloud. Companies do everything possible to continuously optimize the resources needed to achieve their business objectives. This is not only understandable, but also part of their duty. Another duty is to ensure security and compliance with internal and external rules and regulations. Accordingly, companies must set up an internal control system (ICS) that embeds effective controls in their processes and provides sufficient assurance that the processes are compliant.
If a company now outsources business-relevant functions to the cloud, the responsibilities for proper processing are not automatically outsourced. They remain with the company and present it with a difficult challenge: how can the company ensure that the service provider complies with controls, maintains separation of functions and protects access to data?
Auditors who need to assess the effectiveness of the ICS in the company also want to examine the outsourced IT functions more closely. The existence of an SLA (Service Level Agreement) and regular reports on the services are not enough here. Instead, the auditors insist on the existence of an ISAE 3402 audit report. ISAE is an initialism of ‘International Standard on Assurance Engagements’, and the report certifies the control system of the service provider as a whole. In this context, the ISAE audit report has meanwhile developed into a quasi-standard for outsourcing service providers. The diagram below illustrates the context.
ISAE 3402 SOC 1 Confirms Effectiveness of SEEBURGER’s Internal Control System
The annual audit of the International Standard on Assurance Engagements (ISAE) 3402 SOC 1 focused on the following processes for providing outsourcing services to our clients:
- Risk Management
- User & Access Management
- Physical Security
- Backup & Recovery
- Business Continuity Management
as well as cloud service operating processes:
- Go-Live Process
- Event Management
- Incident Management
- Change Management
The auditors of a sizable accounting organization spent three weeks retrospectively evaluating a large number of samples from an entire year. The samples were selected based on the defined processes and control objectives of the aforementioned subject areas. Where a sample showed a possible deviation, additional samples were drawn to verify whether a deviation had actually occurred.
This approach makes it clear that with ISAE it is not sufficient to ensure proper operation only at the time of the audit, as is the case with many other certifications where only key date observations (snapshots) are made. ISAE requires a service provider to meet control objectives at all times and to provide complete evidence of compliance.
SEEBURGER has once again successfully passed the audit of the International Standard on Assurance Engagements (ISAE) 3402 SOC 1 and thus successfully demonstrated the effectiveness of its internal control system (ICS).
ISAE 3402 Attestation – The Advantages for our Customers
- The customer has proof from an independent auditing organization that their sensitive business processes are safe at SEEBURGER.
- The successful audit confirms the best possible security and data protection with SEEBURGER as a trustworthy provider.
- This considerably simplifies the customers’ obligation to provide proof to their own customers and auditors, because:
  - a reliability check is no longer necessary for the outsourced processes (as evidenced by the certification)
  - the effectiveness of these processes does not have to be proven individually in the future
- ISAE certification ensures that this internal control system works, i.e. that it (a) is methodologically appropriate to ensure that all employees in the company behave properly and that this (b) has been proven in many spot checks.
The renewed attestation according to ISAE 3402 offers our customers the reassuring certainty that their data is in the best of hands with us.
ISAE 3402 Attestation – More Security with SEEBURGER
The SEEBURGER ISAE 3402 (SOC 1) certificate is a valuable document for our customers to prove the effectiveness of the internal control system of the SEEBURGER cloud services. Ultimately, the audits and processes required in advance for an attestation also significantly increase operational reliability. In order to be able to react appropriately to constantly increasing security requirements and rapidly changing and increasingly complex threat situations, SEEBURGER has developed an internal control system (ICS) in accordance with COSO (Committee of Sponsoring Organizations of the Treadway Commission) as a central management process. This ensures that the system is integrated into the business processes in the application area and that responsibilities are defined.
The purpose of the internal control system is to protect all information received, generated, distributed, archived and deleted in the course of business activities in accordance with legal requirements, national and international standards, internal company standards and contractual obligations.
ISAE 3402 Attestation – Automated Processes Simplify Future Monitoring of Control Objectives
Even before the introduction of ISAE attestation, the SEEBURGER operations team asked the following question: How can an internal control system be established without causing an enormous manual monitoring effort? The answer sounds as banal as it is simple: through extensive automation! SEEBURGER accordingly integrated the monitoring of its control objectives directly into its business processes and cloud organization from the outset.
Using applications developed in-house, for example, all access to the cloud systems is centrally controlled, monitored and seamlessly documented. An automated monitoring and reporting system monitors compliance with each individual control – many thousands of times a day. This high degree of automation has enabled SEEBURGER to reduce manual effort to such an extent that the additional work involved in the monitoring, implementation and testing has been more than compensated for.
Dr. Martin Kuntz, Chief Cloud Officer: ‘At SEEBURGER we pursue the extensive automation of complex control objectives less for the sake of certification, but primarily to optimize business processes and organizational structures. This almost automatically results in economically sensible synergies and qualitative improvements for our customers’.
Martin Kuntz continues: ‘Another, rather unexpected positive side effect is that the high degree of automation, the increasing effectiveness of internal processes and the internal continuous improvement process that is lived out have increased the motivation of the operating personnel. Employees can concentrate on their core tasks and are relieved of tedious documentation tasks’.
Written by: Uwe Heber
Uwe Heber is one of the two corporate information security officers at SEEBURGER and has been with the company since 2000. He has 22 years of experience in consulting, support, contract management, cloud operations and information security for enterprise application integration, EDI, B2B, MFT, API, ITSM and digital transformation, both on on-premises systems and from the cloud. He is involved in the ISO/IEC 27001, ISAE 3402 (SOC 1) Type 2 and TISAX certification for SEEBURGER Cloud Services and knows all about the intricacies of compliant data centre operations in international environments.