“Our Cloud Service Provider already has a SOC 2 Type 2,
do we need our own SOC 2 as well?”
The short answer is yes. If you build your application on top of a Cloud Service Provider (CSP), your company's SOC report will not cover the controls that are the CSP's responsibility, but it still has to cover everything that is yours. This is the common case: a Software-as-a-Service (SaaS) application built on a CSP's infrastructure or platform services.
When such a SaaS application has to demonstrate its compliance, the first question is whether it is hosted on infrastructure you run yourself or on a partner's. That in turn creates the need for CSPs to demonstrate their own compliance via SOC reports, so that stakeholders such as investors and customers can see that both your infrastructure and the CSP's are secure and highly available. Customers of a CSP's infrastructure also want to know whether the controls the CSP applies to its IT and non-IT assets are implemented effectively. Building your own compliant application on SOC, ISO 27001, ISO 27017 and ISO 27018 compliant CSP infrastructure is common practice among lnc SaaS solutions to gain customer confidence.
CSPs such as AWS and Azure hold attestations or certifications against most of the standards and regulations you are likely to encounter. Using a CSP that is SOC, ISO 27001, ISO 27017 and ISO 27018 compliant for your IaaS or PaaS needs is a good way to leverage the CSP's SOC 2 controls when building a SOC 2 compliant SaaS application. This is leverage, not inheritance: the CSP's report covers only the controls the CSP performs, and its scope (which services, which regions, which period) has to match what you actually use.
The benefit of relying on the CSP's SOC 2 controls is that the number of SOC 2 controls you have to cover in your own report is smaller than the number you would be responsible for if you hosted everything yourself. A good audit firm will pass along the time saved by testing fewer controls, so you should see a saving in your audit budget. If you use other sub-service providers that are required to meet some of the SOC controls relevant to your SaaS solution, the same applies: the controls they already have in place reduce the set that remains your own SaaS company's responsibility.
The AICPA defines a service organization as “The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.”
As an example, lnc offers its clients a SaaS solution hosted by an Infrastructure-as-a-Service (IaaS) CSP, which provides physical security, environmental controls and monitoring services for the SaaS company. In this case lnc, the SaaS company, is the service organization and the IaaS CSP is the sub-service organization. The carve-out method (as opposed to the inclusive method, in which the sub-service organization's controls are included in the description and tested) allows a service organization to describe the services performed by a sub-service organization within its system description while excluding the sub-service organization's controls from the service organization's SOC report. Although the sub-service organization's controls are excluded, the service organization is required to state, within the description of its system, the controls it uses to monitor the sub-service organization effectively, and to identify the sub-service organization's controls it relies on (the complementary sub-service organization controls).
The AICPA defines a sub-service organization as “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.” You can also think of sub-service organizations as the entities to which service organizations outsource some of their operations.
One of the updates in the AICPA’s SSAE 18 omnibus guidance is additional monitoring of sub-service organizations. Service organizations should have monitoring controls for their sub-service organizations in place. Monitoring should include obtaining the SOC 1, SOC 2 or SOC 3 reports of each sub-service organization and reviewing the controls and the results of control testing in those reports. Note that a SOC 3 is a general-use summary without the test details, so a SOC 2 report is what you actually want to review; also check that the report's period covers your own audit period and ask for a bridge letter for any gap. If no SOC report is available from a sub-service organization, the review can instead include reviewing and reconciling output reports, holding discussions with the sub-service organization, site visits to the sub-service organization, and testing controls at the sub-service organization by members of the service organization’s own internal audit function.
To summarize: it is customary for SaaS companies to use sub-service organizations such as Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) CSPs. In these cases the SaaS company has outsourced the performance of certain controls to a sub-service provider, and those outsourced controls may address some of the SOC 2 criteria. The service organization (the SaaS company) must then monitor the sub-service organization to ensure it performs the controls relevant to the SOC 2 requirements consistently. In practice this means reviewing the sub-service organization's SOC report for the areas relevant to your SaaS service, including any exceptions noted and the complementary user entity controls (CUECs) it lists, since those are the controls the CSP expects you to implement on your side (for example, managing your own user access and your own configuration) and they fall within the scope of your own report.
For more details write to: info@loadncode.com and we will put you in touch with our sales team for SOC compliant SaaS solutions with partner CSPs.
Author: Jawahar Bhatia, JPBhatia@loadncode.com