New Year, New SOCs

The new SSAE 18 standard was introduced just after we had completed our 2017 SOC 1 assessment (under SSAE 16). We interpreted this as an opportunity to re-run the audit process at the end of the year (and maintained our tradition of passing without exception!).

The decision to recertify only 6 months after completing the previous assessments was welcomed by corporate clients as it has allowed us to realign with their end of year SOC reporting cycles. For a service organization like Options, there’s a lot to be said for starting the New Year guided by a fresh set of SOC 1 and SOC 2 accreditations that have been awarded on the most recent industry criteria.

There is some confusion about what now falls under the SSAE 18 guidelines for SOC 1 compared with the previous SSAE 16. Put simply, the examination is now referred to as SOC 1 (not SSAE 16, SSAE 18, etc.). But aside from the nomenclature, the new standard has brought some additional mandatory security requirements:

  1. Vendor management

Robust controls to monitor subservice providers (such as colocation facilities).

  2. Risk assessment

More specific requirements around identifying risk and risk management.

  3. Complementary subservice organization controls

As SSAE 18 recognizes that more organizations outsource key functions, this concept establishes and defines the controls that user entities must now assume in the design of the system description.

  4. Written assertion requirement

As the name implies, a written assertion from the service organization that the system description is true and complete (previously it was optional to sign this statement in the SOC 1).


Don’t hesitate to contact us if you would like to know more about these new controls or get a copy of our latest SOC accreditations.


— John Gracey, VP Cybersecurity

