Cloud computing is an efficient, conducive, and ubiquitous model for on-demand network access to a common pool of configurable computing resources, according to the National Institute of Standards and Technology (NIST) Special Publication 800-145. The goal of cloud computing is to achieve rapid provisioning with minimal service provider or management synergy. Cloud service providers typically deliver one of three types of services:

One of my favorite quotes from Ghostbusters is the exchange between Ray Stantz and Peter Venkman:

The American Institute of Certified Public Accountants (AICPA) has designed three distinguished SOC reports to accommodate the varying needs of service organizations, each with their own purpose and intended use. As such, when service organizations begin researching System and Organization Controls (SOC) reports, their first consideration often centers around determining which SOC report(s) is best for their needs.

Unfortunately, 2015 saw some seriously impressive information security hacks, the likes of which included those at major companies and entities like VTech, T-Mobile, the FBI, and even Trump Hotels. The silver lining? At the very least, hacks involving large organizations such as these garner tons of media attention and headline time, which brings awareness to the growing urgency of greater information security. But security executives like CISOs and CIOs still struggle to see eye-to-eye with non-security executives on the matter.

Have you ever wondered if the ISO 27001 certification is at all similar to a SOC 2 report? Many organizations today are dealing with multiple needs or demands for various compliance assessments or certifications. These organizations might wonder, “How can my ISO 27001 certification fit the needs for a SOC 2 report?” and vice versa. Below we have outlined the similarities and differences between an ISO 27001 certification and a SOC 2 examination.

During SOC 1 Type 2 examinations, which analyze both the design and operating effectiveness of your controls, deviations from the stated control process must be disclosed within the service auditor’s testing results, often referred to as testing “exceptions” or “deviations” as they are exceptions from the stated control activity. The identification of at least one testing exception is a common occurrence, whether it is due to an outage, failure to document a manual process, or a simple oversight. There are a few questions, however, that you can ask both your auditors and yourselves to help manage the exceptions.

Formerly known as Service Organization Controls (SOC) reports, what are now known as System and Organization Controls reports help companies establish trust and confidence in their services or products, including their delivery and business processes and their controls.

HITRUST, or the Health Insurance Trust Alliance, is a security organization and the creator of the Common Security Framework (CSF), "a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health, and financial information." Also, HITRUST developed a standard security report that addresses risk and compliance issues and helps compare security issues for an organization with others across the industry.