Organizations are continuously searching for opportunities to exploit competitive advantage to increase markets and profits. Organizations are increasingly outsourcing non-core business functions. Nonetheless, is management ultimately responsible for risk management and the implementation of an effective control framework.

Organizations occasionally receive questions on security standards from (prospective) clients; what are the differences between an ISAE 3402 | SOC 1, ISAE 3000 | SOC 2 and an ISO 27001 audit? Which standard is more applicable to our company, ISAE or ISO 27001?

The general and most common term for reporting on third-party risks by service organizations to user organizations is Systems and Organization Control Report or SOC-report. This term is originated by the American Institute of Certified Public Accountants (AICPA) as a replacement for the SAS70 framework.