Gartner Blog Network

Time to Stop Misusing SSAE 16 in Vendor Marketing

by French Caldwell  |  October 9, 2012  |  5 Comments

Some vendors and their auditors appear to be misusing SSAE 16 the same as they did SAS 70. For example, today I saw an announcement from security vendor Prolexic with the headline, “Prolexic Completes SSAE 16 Examination for Distributed Denial of Service (DDoS) Attack Mitigation Services.”

SSAE 16 (aka SOC 1), like SAS 70 before it, is a standard focused on financial reporting integrity — a fact that Prolexic clarifies in a note at the bottom of its press release. To the extent that Prolexic’s customers must ensure that Prolexic has adequate controls to support Sarbanes-Oxley or similar rules, SSAE 16 is appropriate — but you have to read the press release carefully to glean that context.

However, Prolexic’s president Stuart Scholly went further and stated in the press release: “Completing these examinations assures enterprises that Prolexic has adopted relevant controls that are well designed and operating properly.”

That’s just not true.

SSAE 16, aka SOC 1, does not contain a list of control objectives. The controls to be audited are specified by the vendor and agreed upon by the auditor, so the results are not easily comparable between vendors. And the SOC 1 report is not supposed to be shared with prospects.

So, to be clear, SSAE 16 (or SOC 1) is relevant for compliance with Sarbanes-Oxley and similar laws. It does not provide comprehensive assurance for security, availability, processing integrity, confidentiality or privacy controls. That’s the purpose of SOC 2, a companion standard to SOC 1.

SOC 2 and SOC 3 (a short form of SOC 2 that can be used in marketing) do have a set of control objectives that can be objectively audited, and the results compared with those of other companies. INetU is an example of a vendor that has used SOC 2 and SOC 3 to communicate its controls assurance. And the SOC 3 report can be shared with prospects.

Now, Prolexic goes on to state that they have PCI DSS certification. Good on ’em — PCI DSS is one of several alternatives for vendors who want to demonstrate effective controls. Other standards and certifications include ISO 27001 certification, Shared Assessments, Cloud Security Alliance, and many more.

For more on SSAE 16 (SOC 1), SOC 2, SOC 3, and alternatives see:

Cloud Security and Risk Standards, by Jay Heiser and Rob McMillan

IT Audit Standards, Frameworks, and Guidelines for Auditees and Auditors, by Khushbu Pratap

SAS 70 Is Gone, So What Are the Alternatives?, by French Caldwell


Thoughts on Time to Stop Misusing SSAE 16 in Vendor Marketing

  1. Thank you for speaking out on this topic Mr. Caldwell. I hope that the market hears you very soon. I will be doing my part to make that happen.

  2. George Bishop, CPA, CISA says:

    Well stated. As a provider of SOC 1, 2, and 3 examinations (and SAS 70s, WebTrusts, and SysTrusts before that), I am often frustrated by their misuse beyond the purposes intended – especially among some CPAs. I believe SOC 2 provides a great opportunity for qualified practitioners (those with both attestation examination experience and skills in IT audit and control relevant to the scope of the examination) to provide independent assurance and useful, detailed reporting about risk areas that users of service organizations have been seeking for some time. The more user organizations that have some understanding of these exams and insist on quality reporting from their service organizations, the more consistent utility and value they will provide.

  3. >goes on to state that they have PCI DSS certification

    Actually, that one is more likely to be iffy as well as PCI DSS assessment is meant for payment providers, not security providers. I bet their RoC has plenty of N/As. Like, most of them? 🙁

  4. Daniel Golding says:

    PCI DSS is not meant for payment providers only – this is incorrect. There are numerous service providers, including datacenters with PCI DSS – see the VISA list of global service providers.

  5. Jon Dee says:

    A very useful discussion, guys.
    Anything that increases the understanding of standards by those that are potentially seeking to rely on this assurance is very welcome.
    I suspect that ISAE 3402 is also being used for marketing in a similar way.
    Best wishes
