What Is The SSAE 18 Standard, Exactly?

We’ve already talked a bit about how SSAE 16 is a little more than meets the eye where data centers and vendors are concerned. Today, we’re going to tackle a closely related topic: SSAE 16’s successor, SSAE 18.

You’ve probably already heard some buzz about how SSAE 16 has been replaced. How the American Institute of Certified Public Accountants (henceforth referred to as AICPA) has replaced their auditing process with one that’s a little more up-to-date. What you may not have figured out is why this has anything to do with your business.

In short, why should you care?

To explain that, let’s start with a bit of a refresher on what SSAE 16 and SSAE 18 actually are – an auditing framework used by certified public accountants in the United States. In essence, they’re meant to ensure service organizations are operating with integrity. They consist of three primary Service Organization Control Reports (SOCs), or components:

  • SOC1. This pertains to financial reporting. Not necessarily relevant for data center vendors or their clients.
  • SOC2. This pertains to a business’s reporting process for security, information processing, integrity, confidentiality, and availability of its systems. A little more relevant to data centers than SOC1.
  • SOC3. Here’s the one that really matters. SOC3 pertains to the security controls in place on all the systems detailed in SOC2.

Now, as we already mentioned in our previous piece, being SSAE certified is akin to passing a safety inspection. It means the data center provider has submitted to an audit in all three of the above areas and made their SOC2 reports available to clients. Now that we’ve established that, let’s move forward – what exactly is SSAE 18 in the context of all this?

In simple terms, it’s an update to SSAE 16. The two biggest changes it introduces are that it requires service organizations to implement a formal third-party vendor management program along with a formal annual risk assessment process. It also requires those organizations to include sections in their publicly available SOC reports that detail both of those factors.

Other changes include:

  • Requiring that a vendor disclose all organizations that work with it. If, for instance, a cloud storage provider works with an IaaS vendor and a DDoS mitigation vendor, it must include that information in its reports.
  • Requiring a thorough vetting process for all business partners and subservice organizations, including monitoring the security controls at those organizations and regularly reviewing their security practices.
  • Expanding reporting to include regulatory compliance, contractual obligations, and outsourcing.

As you’ve probably surmised, SSAE 18 provides a bit more visibility into the operation of a vendor. It’s meant to close off some gaps that existed in SSAE 16’s audit reports, while also ensuring service organizations are more diligent about their business partners and associates. A data center provider that’s undergone an SSAE 18 audit is one that you can feel a little better about working with – it shows they take security and compliance seriously.