New Service Organization Control Standards Turn Two
June 19th, 2013 By: Industry Perspectives
Hassan Sultan is a partner at Reckenen, which provides SOC audits to data centers and other service organizations.
Service Organization Control (SOC) examinations, which are performed by independent auditors in order to report on the internal controls of an organization, are part of a relatively new reporting framework issued by the American Institute of Certified Public Accountants (AICPA). As we celebrate the second birthday of the new SOC reporting framework (the effective date was June 15, 2011), I would like to look back at the past two years and point out some trends in the application of SOC to the data center industry.
SOC Certification Represents a Competitive Advantage
We surveyed 91 data centers about why they obtained SOC certification. The data centers cited the following reasons:
1. The customers of the data center are asking for a SOC certification.
2. Their competitors have a SOC certification so they want one as well.
3. Data centers without SOC certification are not being invited to bid on significant contract opportunities, and they feel that having a SOC certification will enable them to bid on these contracts.
When we put these reasons together, a consistent message emerges: SOC certification represents a competitive advantage.
Smaller Data Centers Can Benefit, Too
Increasingly, much smaller data centers are looking into getting a SOC certification. In the past, it was larger data centers, with staff of over 50 people, that obtained SOC certifications. Recently, we have seen much smaller data centers (with staff of fewer than 20 people) in the market for SOC certification. These data centers understand that a SOC report allows them to compete more effectively and target more significant customers.
Ninety Percent of Data Centers are Either SOC 1 or SOC 2 Compliant
In our data center survey, we found that 90 percent of the colocation providers are SOC compliant. The research also showed:
1. 82 percent of the surveyed data centers chose to get SOC 1 (SSAE 16) certification only.
2. 6 percent of the surveyed data centers chose to get both SOC 1 (SSAE 16) and SOC 2 certification.
3. 3 percent of the surveyed data centers got SOC 3 certification.
SOC 2 is Becoming Increasingly Popular
Based on our survey, we are noticing a shift in the data center industry from SOC 1 certification only towards SOC 1 and SOC 2 certification. In 2013, the number of data centers that obtained both SOC 1 and SOC 2 certification increased by 100 percent year-over-year.
After the issuance of the SOC reporting framework in 2011, most data centers that held a SAS 70 certification initially obtained SOC 1 (SSAE 16) certification. SSAE 16 is based on financial audits and is not very specific to data center audits. AICPA created SOC 2 for service organizations such as colocation providers and web hosts to provide a standard benchmark by which two data centers could potentially be compared.
Recently, an increasing number of data centers are leaning towards getting SOC 2 certification in addition to SOC 1, because it covers controls over security, availability, processing integrity, confidentiality and privacy, which are more relevant to the data center industry. SOC 3 is an overview of the SOC 2 report for selected controls; it comes with a public seal and can be shared with potential clients. Going forward, SOC 1 coupled with SOC 2 audits is becoming the standard for data centers and cloud-based service providers.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.