SSAE16 vs. SSAE18: What’s The Difference?

September 14th, 2018 by · Leave a Comment

This Industry Viewpoint was authored by Tim Mullahy, EVP and Managing Director at Liberty Center One

There’s a new SOC audit standard in town – and you need to know what it is and means if you’re to make an informed decision about your hosting company.

For years, SSAE16 has been the go-to standard for data centers and secure vendors.

It consists of three primary segments. SOC1 is tied to financial reporting – we won’t discuss that here, as it’s not really relevant to what we’re focused on. SOC2, meanwhile, is all about a business’s reporting as it pertains to information processing, system confidentiality, data integrity, and cybersecurity. Lastly, SOC3 covers the security controls in place with the aforementioned.

Though it’s not a certification as some hosts might have you believe, it’s still as good an auditing tool as there ever was to demonstrate that a vendor is serious about protecting client data. Recently, however, there’s been a new kid on the block. A new set of auditing guidelines has started making the rounds – and you should most definitely be aware of them.

Introduced in May 2017 and designed to replace its predecessor, SSAE18 differs in a few key areas from SSAE16:

  • It mandates that a service organization such as a cloud or colocation provider must disclose and identify all subservice organizations that operate in tandem with it. For example, if an IaaS provider works with a vendor that offers DDoS mitigation, it must disclose that relationship and include a description of what it relies on from the subservice vendor.
  • It requires service organizations to provide auditors with risk assessments highlighting their key internal risks, and demonstrating that there are controls in place to mitigate those risks.
  • It requires service organizations to constantly vet subservice organizations, and requires that they implement tools and systems to monitor the security controls at any subservice organizations they work with. The auditor must report the controls implemented to perform this monitoring, which can include…
    • Site visits
    • Security tests at the subservice organization
    • Monitoring of external communications
    • Review of the subservice organization’s SOC reports.
    • Regular review of output reports
  • It expands reporting to include compliance with certain laws and regulations, contractual arrangements, and outsourced services.

“The changes made to the standard this time around will require companies to take more control and ownership of their own internal controls around the identification and classification of risk and appropriate management of third party vendor relationships,” reads a blog post on the SSAE16 website.”These changes, while, not overly burdensome, will help close the loop on key areas that industry professionals noted gaps in many service organization’s reports.”

In short, SSAE18 is designed to provide clients with more visibility into the operations of their vendors, and to make vendors better manage their business partners. Mind you, it’s not essential – a vendor that has undergone an SSAE16 audit is not necessarily less secure than one that was audited under SSAE18. Eventually, however, the former will replace the latter – and before that happens, it’s important that you understand what that means.

Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.

If you haven't already, please take our Reader Survey! Just 3 questions to help us better understand who is reading Telecom Ramblings so we can serve you better!

Categories: Datacenter · Industry Viewpoint · Standards

Discuss this Post


Leave a Comment

You may Log In to post a comment, or fill in the form to post anonymously.





  • Ramblings’ Jobs

    Post a Job - Just $99/30days
  • Event Calendar