ISAE 3000 Report Available
Although "IT" and "business management" often seem to be far removed from each other in everyday life, they are actually closely connected. Nowadays, IT infrastructure is the lifeblood of many companies, which means it is just as much a focus for auditors as, for instance, accounts. For this reason and with immediate effect, cloudscale.ch is offering a report based on the ISAE 3000 standard to customers whose audits also cover outsourced IT processes, thus helping them to adhere to internal and external compliance requirements.
Comprehensive reporting – also for IT
Most people tend to first think of accounts when they hear the term "audit". However, correct financial statements alone are often not sufficient and other processes, e.g. those relating to IT, may be important for the survival of a company and therefore be included in audits and business reporting. This is where a report based on ISAE 3000 comes in.
The abbreviation "ISAE 3000" stands for "International Standard on Assurance Engagements 3000", which is an international test standard issued by the International Federation of Accountants (IFAC). The standard creates a uniform framework for "assurance engagements other than audits or reviews of historical financial information." In the process, an independent auditor checks the internal control system of a company or specific division and produces a corresponding report.
While ISO 27001 deals specifically with information security and prescribes more than 100 associated controls, ISAE 3000 basically does not include any requirements relating to controls or internal control as such. However, the actual scope of an audit based on ISAE 3000 is disclosed in detail in the resulting audit report, which then allows readers to assess whether the tested controls meet their own requirements. To compare: an ISO 27001 certificate documents that the standard has been adhered to across its whole scope, but does not provide further details about its implementation.
Audit procedure based on ISAE 3000
A theoretical starting point is a worst-case scenario, e.g. "A burglar publishes secret data." To achieve the reassuring sense that this worst case will most probably not occur requires several steps. Once the risk has been identified, the next step is to formulate an objective to prevent it from happening ("Unauthorized persons have no access to secret data"). To achieve the objective, specific controls are in turn defined ("The server room is always locked", "The data are encrypted").
In an audit based on ISAE 3000, an auditor assesses three issues: do the controls seem suitable for achieving the objective? Were the controls actually implemented? Were they also effective?
By answering these questions for all the important processes and objectives of a company, an auditor can provide top management with a statement about whether the objectives have been achieved. It goes without saying that the auditor is not omniscient, but by using professional judgement and auditing a sufficient quantity of random samples, an adequately high level of certainty can be achieved about whether the assessment corresponds to (an ultimately always unknown) reality.
Reporting beyond corporate boundaries
Gaps in audits of one's own company inevitably occur wherever a process has been outsourced, e.g. when cloudscale.ch cloud services are used instead of running one's own servers and data centers. In this case, it makes sense for the outsourcing partner to be audited separately. This audit report enables auditors to close the gaps in their own audit and, once again, obtain a complete overview of processes within the company.
At cloudscale.ch, an audit report based on the ISAE 3000 standard is available to our customers with immediate effect. For a contribution towards the cost of producing the report, we will be happy to provide you with a copy if required. The specific nature of reports of this kind makes this particularly relevant for customers who are themselves audited based on a standard such as ISAE 3000 and who would like to or are obliged to close the above-mentioned gaps that exist in purely internal audits.
No surprises in terms of content
While a company can define its own objectives and controls for internal processes, a service provider such as cloudscale.ch needs to make a selection. This selection aims to cover the typical requirements of many customers, but cannot cater to every individual case. While the format of an ISAE 3000 report was completely new to us here at cloudscale.ch, the selected objectives and controls were tried-and-tested ones. From the outset we have consistently used our customers' requirements as a guide and taken those measures that we believe to be relevant to our customers.
While these include obvious matters such as limited access to our server systems and continuous training of our employees, they also include features such as at-rest data encryption and the option of separate private networks, as we have already reported on. The independent external audit and formal reporting are new; the specific measures that we take to contribute to the security and reliability of your cloud resources are, however, long established.
Our customers know and appreciate the technical focus that we have always had at cloudscale.ch and that we still maintain today. Preparing our first own ISAE 3000 report was a completely new experience for us. Now that we have committed to it, it feels doubly good that the technical foundation we have developed continuously also stood the test of a business audit. And, far more importantly, having an independent auditor's report means that we can help our customers in complying with their own specifications.
Your cloudscale.ch team