Skip to main content

Outsourcing Assurance

Are you sure that services delivered by your company are in accordance with relevant regulations?  Being compliant with regulation can be at once quite straightforward and incredibly complex for cloud service providers. Complex and confusing and simultaneously, regulation will have a significant impact on your business.  ISAE 3402 | SOC 1 and ISAE 3000 | SOC 2   can be helpful in structuring risk management and helping your company to be compliant with regulations.  Which of these standards should you choose?

SOC 1 or SOC2?

Which Standard?

For an ISAE 3402 | SOC 1 report, there are no predefined criteria, but rather a set of control objectives that are aligned to the financial processes of the organization. An ISAE 3000 | SOC 2 report follows a predefined set of criteria; the trust service criteria. In designing the risk framework and controls there still can be flexibility to meet these criteria. 

Generally speaking; if systems, software or procedures have an impact on the annual report of your clients, a SOC 1 should be preferable. If the demand for risk control has a wider scope than financial processes, a SOC 2 should be preferred. In the following example is explained why ISAE 3402 is relevant for the management of risks in an outsourcing situation. Typically, investment companies are confronted with specific regulations and should disclose to supervisory authorities how all outsourced processes are controlled. 


Outsourcing assurance

The answer is quite simple. Compliance will have a distinctive value add to either acquisition of a new business or the improvement of efficiency. For inviting contractors for tenders, risk reduction is becoming an increasingly important aspect. 

Outsourcing services have expanded to system operations, business support and providing rack space. Market and regulatory requirements require outsourced risks to be managed. Organizations that serve different industries are confronted with a myriad of regulations. ISAE 3402 and ISAE 3000 can cover all these regulations in a single report and assurance opinion. How?



Investment companies are typically confronted with extensive and complex regulation. This implies that internal procedures of the investment company should be in accordance with this regulation. The question is whether the suppliers of the investment company (e.g. a SaaS provider or back-office services providers) also work in compliance with relevant regulations. And if this is the case, do the suppliers of the supplier also work in accordance with this regulation? Suppliers of suppliers are considered subservice organizations in the ISAE 3402 standard.

The entire industry comprising of all subservice organizations should work in accordance with the same requirements and regulations. In an ISAE 3402 | SOC 1 and an ISAE 3000 | SOC 2 this process is diligently structured, providing comfort to each organization within the industry 'chain'.

ISAE 3402

Risk assurance

Why assurance is important


Software-as-a-service varies from office software to cloud-provided specialized applications. More and more business-critical processes are outsourced to software providers. Outsourcing implies improving efficiency but brings also risks.

Risks of hacking and attacks by malicious software increase and suppliers should be able to be trusted to have solid procedures in place for change-, incident management and data-integrity (back up). The control framework in place can be described and included in an ISAE 3402 or ISAE 3000 report. This results in risk mitigation of outsourced risk and assurance that the risk framework operates effectively.

Critical data


The most valuable assets of organizations are entrusted to datacentre providers. One of the first steps in determining a datacenter providers' ability to host and secure critical information is evaluation compliance with relevant standards. 

Your clients require for all colocation services, virtualized servers or hybrid cloud deployments that the best practices for both physical and logical control are implemented and operated effectively at all times to safeguard their valuable data. These controls vary from power and temperature monitoring to timely resolving of any incident, either physical threats or the risk of compromising critical data.