We offer top-tier cyber risk assessment & audit services designed to protect the digital landscape. Through detailed evaluations, we identify potential vulnerabilities and threats, providing comprehensive understanding of the risk exposure. Our team delivers actionable insights and recommendations tailored to the unique risk profiles of organizations and advise on leading industry practices based on the results of our security audits.
02 SOC1, SOC2 READINESS & AUDIT
An efficiently managed IT security control environment is key for any organization. Inadequately protected IT systems can leave companies vulnerable to threats such as unauthorized access to business-critical data, malware-induced disruptions, or other IT incidents that affect business continuity. The situation is even more critical if the organization processes or stores confidential data for its customers as part of an IT service.
To help service organizations provide assurance on the adequacy of controls that mitigate risks to their customers, the American Institute of Certified Public Accountants (AICPA) has developed a 5-step audit process based on the "Trust Service Principles" that assesses a service organization’s internal controls for security, confidentiality, processing integrity, availability and privacy, using general compliance requirements.
SOC1
The SOC1 report is not only about compliance but also about trust: the trust that the service provider organization earns from its customers, partners, and investors by strictly adhering to the compliance of its business processes and ensuring the effectiveness of the controls embedded in those processes. The SOC1 report provides an excellent opportunity for service provider organizations to demonstrate their commitment to establishing and operating a robust corporate control environment, thereby ensuring the quality and value-added impact of their services.
At the end of the process, an independent auditor's SOC2 (Service Organization Control) report is issued. The SOC2 report can be used to show customers that the service organization operates an effective information security environment. The best candidates for SOC2 reporting are usually companies that store or process customer data, provide trust services, or want to provide assurance to their customers on the operational effectiveness of their information security controls. For security-conscious businesses, requiring SOC2 reports has now become a baseline when considering the use of an IT service provider, and is often included in contracts.
Deloitte has more than 15 years of experience in conducting SOC1/SOC2 audit investigations. We pride ourselves on our team of experts, whose main profile is to coordinate and conduct these audits efficiently while meeting our clients' needs. We are able to issue both SOC2-Type I (design of IT controls) and SOC2-Type II (implementation and operational effectiveness) audit reports.
By having our assurance SOC2 audit report, our clients can gain a significant market advantage and enhance their brand and reputation. Unlike a generic audit certificate, it gives a much more detailed and realistic picture of the IT security posture of an organization.
Being on top of cyber challenges is instrumental for business leaders and managers to thrive in this era of interconnectivity, technological dependency, and increasingly advanced threats. Effectively managing these challenges is complex and can only be done with a structured approach, which includes all levels of an organization, usually referred to as a management system.
Management systems exist for a wide variety of topics, and are usually documented in international standards or frameworks. ISO/IEC 27001 is the internationally recognized standard for information security management. It specifies requirements for establishing, maintaining and improving an Information Security Management System (ISMS).
Implementing an ISMS will bring you advantages such as:
● Manage risk: Ensure a proper understanding of risks by top management, giving them the information they need to get involved and make informed decisions, leading to a reduction in risks.
● Support the business: Being on top of security and privacy risks enables you to focus on the business, sparking the confidence to move full speed ahead.
● Operationalize and demonstrate compliance: Demonstrate ongoing compliance with security and privacy laws, regulations or frameworks like the NIS directive, TISAX, GDPR and other international data privacy legislation.
Deloitte has a multidisciplinary team that has experience in designing, implementing, running, continuously improving, and auditing management systems. We are by your side in every stage of your journey, just as we are and have been with multiple other organizations.
Our proven experience brings you:
● A tailored approach: The context of the organization determines the approach that is right for you. Together we determine what makes sense for your organization and what does not.
● A pragmatic approach: Although there is a certain formalism in management systems, we ensure that what we co-create is pragmatic and brings value.
● A compliant approach: Regardless of whether you want to pursue certification in the short term or not, our modular approach ensures that each building block is aligned with ISO standards, so that whenever you decide to go for certification, you can face the auditors with confidence.
When properly executed, a management system will be the catalyst for transformation. Let us be the partner to launch you on this exciting journey. Reach out today and we can get in touch to further explain our approach and demonstrate our expertise.
04 ISO 27701 READINESS
We have a team of experienced professionals who can provide you with the guidance and support you need to achieve ISO 27701 certification quickly and efficiently.
Our services include:
● Gap analysis: We'll conduct a gap analysis to identify areas where your organization needs to improve to meet the requirements of ISO 27701.
● PIMS development: We'll work with you to develop and implement a privacy information management system that meets the requirements of ISO 27701.
● Training: We'll provide training to your staff to ensure they understand the requirements of ISO 27701 and are equipped to implement and maintain the PIMS effectively.
● Certification audit: We'll help you prepare for the certification audit and provide support during the audit to ensure a successful outcome.
05 TISAX READINESS
Information security in the automotive industry
The German Association of the Automotive Industry (Verband der Automobilindustrie – VDA) established the TISAX certification in order to have standardized information security requirements throughout the whole automotive supply chain. TISAX is mainly based on the ISO 27001 framework to ensure the protection of critical data and assets. Holding a TISAX certificate demonstrates a commitment to information security, validated by an independent party.
Deloitte and TISAX
We believe information security should not be a compliance issue only, but proper management of information security risks can add real value to day-to-day operations. We utilize our extensive automotive and information security experience to help our clients.
We can support our customers with the following services on their TISAX journey:
● We perform a pre-assessment based on TISAX requirements so that gaps can be identified.
● We provide an action plan to close the gaps, based on industry good practice and on our TISAX experience.
● We help our clients close those gaps, e.g. through consultation on the information security governance framework, risk assessment procedures or personal data protection.
06 AUTOMOTIVE CYBER RISK ASSESSMENTS
As one of the market leaders in cyber, we are here to help you by combining the strengths of a diverse team to offer our clients integral cyber services, from consulting to implementation and operations. In doing so, we adapt our solutions to the actual business risks and the rapidly evolving threat landscape to accelerate growth and navigate into a cyber-empowered future, by managing threat and steering through challenges responsibly. Resilience is the most important asset for an organization in today’s increasingly complex world.
If your SSPA Data Processing Profile includes selections that are considered higher risk to Microsoft, a Self-Attestation against the applicable items of Microsoft's Data Protection Requirements will be followed by an Independent Assessment requirement as well. The profile selection options that trigger an Independent Assessment are published in the SSPA Program Guide. It is a good idea to check this each year before you submit your Profile, so you can allocate time and sufficient resources to complete the requirements that will be posted to you.
Interpreting Microsoft’s Data Protection Requirements (DPR) and confirming applicability and compliance can be challenging for suppliers, and this is where our in-depth knowledge of the SSPA Program and the DPR can save you time and effort.
Microsoft takes compliance and deadlines very seriously, which protects Microsoft as well as its suppliers and customers. Not least, it is crucial for Microsoft suppliers to stay Green in the SSPA in order to remain available for business with Microsoft.
Our FedRAMP readiness assessment service provides comprehensive evaluations tailored to ensure your organization's compliance with the stringent security standards mandated for federal cloud services adoption.
09 NIST 800-53 READINESS
By leveraging our NIST 800-53 assessment service, your organization can confidently demonstrate its commitment to robust cybersecurity practices, aligning with industry best practices and regulatory requirements to safeguard sensitive information and enhance overall security posture.