At Qase, we take keeping customer and stakeholder data secure very seriously. We’re happy to announce that we have taken steps to ensure our systems and controls have been designed appropriately. We sought out third-party attestation from a qualified auditing firm for a SOC 2 and SOC 3 examination as well as an independent assessment to achieve ISO/IEC 27001 certification.
Let’s take a look at what the SOC 2 and SOC 3 reports are and what they cover. Then we’ll explain what it means to achieve ISO/IEC 27001 certification and why we decided to undergo this rigorous compliance audit.
What is a SOC 2 report?
Obtaining a System and Organization Controls (SOC) 2 report is one way for a service organization to attest to the security of its digital environment.
Completing a SOC 2 examination through an accredited third-party auditor does not result in any certification. Instead, the resulting CPA’s report functions as a tool to help an organization communicate whether the internal controls they’ve put in place governing the security of customers’, partners’, and stakeholders’ data are properly designed, implemented, and maintained.
In simpler terms, a SOC 2 report provides an avenue for current and potential stakeholders to assess risk by giving them a closer look at the policies and procedures put in place to ensure the organization’s services are provided safely and reliably.
What is a SOC 3 report?
A SOC 3 report is similar in scope to a SOC 2 report, but the information is packaged more concisely. This makes SOC 3 reports easier to read and a better fit for widespread distribution.
Both reports result from the same audit, and both can help communicate that an organization’s controls are properly designed and implemented and operating effectively.
What do these SOC 2 and SOC 3 reports cover?
SOC reports result from an examination performed by an accredited CPA firm under the standards defined by SSAE 18. An auditor tests the effectiveness of the internal controls outlined by the organization, then maps those controls to one or a combination of Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA).
In our case, those criteria include:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The scope of a SOC report can also vary with regard to the time period covered. SOC 2 Type II reports examine controls over a period of time, usually between three and 12 months, and include both a list of the controls tested as well as the auditor’s test results.
The reporting period for Qase’s latest SOC 2 and SOC 3 reports spanned from February 1, 2023 to January 31, 2024.
Why did we undergo this exam?
Receiving our latest SOC 2 and SOC 3 reports is a major milestone that demonstrates Qase’s commitment to data security and ensures we’re prepared to face the challenges of the ever-changing cybersecurity landscape.
“I am immensely proud to announce that our dedication to security and quality has been officially recognized through our achievement of SOC2, SOC3, and ISO/IEC 27001 compliance. These certifications underscore our unwavering commitment to providing our customers with the highest standards of data protection and operational excellence. We remain steadfast in our mission to deliver innovative, reliable, and secure solutions that empower businesses to ship quality products faster.” - Glen Holmes, VP of Product at Qase
What is ISO/IEC 27001?
Considered the gold standard in information security, ISO/IEC 27001 is an internationally accepted compliance standard that mandates numerous controls for the establishment, operation, monitoring, maintenance, and continual improvement of an Information Security Management System (ISMS).
The certification attests that an organization has deep-rooted methodologies for business, people, and IT processes, along with an established framework to help identify, manage, and reduce risks surrounding information security.
In simpler terms, achieving ISO/IEC 27001 certification demonstrates that an organization adheres to industry standards for designing, maintaining, and continuously improving their security posture.
How does the certification process work?
Pursuing ISO/IEC 27001 certification is a multi-step process that begins with an internal audit assessing whether an organization’s ISMS has been developed, implemented, and maintained in accordance with the organization’s own standards, as well as those defined by ISO and the International Electrotechnical Commission (IEC).
Following the internal audit, organizations pursuing ISO/IEC 27001 certification are ready to begin the two-stage remediation and certification process, commonly known as the “certification audit.”
During Stage 1, an accredited third-party auditor tests the design of the organization’s ISMS, including reviewing documentation, identifying potential nonconformities, and evaluating the organization’s plan to remediate any issues. Organizations that successfully complete Stage 1 then move on to Stage 2, where the auditor tests the effectiveness of the ISMS, including ensuring areas of concern have been remediated.
At the conclusion of both stages, the auditor reviews the results of their assessments and makes a final decision on certification.
Why did we pursue ISO/IEC 27001 certification?
Achieving certification against this internationally recognized standard marks a huge step forward in Qase’s efforts to cement our commitment to data security and ensure that we’re prepared to face the challenges of the ever-changing cybersecurity landscape.
“At Qase, we are obsessed with quality and we set our standards high. Qase allows our customers to achieve their own high standards and deliver quality products faster. Our unwavering commitment to quality and standards is further illustrated in us achieving SOC2, SOC3 and ISO/IEC 27001 compliance. It's a testament to our relentless pursuit of quality excellence and our ongoing mission to deliver peace of mind alongside our innovative solutions. We are proud to provide our customers with the assurance they need to thrive in today's ever-evolving digital landscape.” - Glen Holmes, VP of Product at Qase
Where to find more information
Our auditing partner, BARR Advisory, has provided a comprehensive overview of the different types of SOC examinations and their unique requirements for cloud service organizations.
BARR Advisory digs deeper into the steps involved in pursuing and achieving ISO 27001 certification in a series of blog posts: