Is it common for small companies to get security certificates/compliance from audit agencies for their SaaS to present to customers for their assurance?
If so what are the suggested certifications?
It's something I've seen but seems to be most common with either larger companies or those serving markets that particularly need/value certifications (e.g. finance, government).
In terms of which ones to look at, there are a couple of options that I'm aware of, some of which are geographic in nature.
The advantage of these certs can be that you can avoid customers who have audit requirements from coming and bothering you a lot (i.e. they can rely on the cert and don't need to prove control levels themselves).
This will depend on your customer needs and in what areas they need assurance.
ISO 27001 series certifications will address your IS management requirements.
SSAE16/SOC1 is specific to controls which have a material impact on financial reporting.
A SOC 3 engagement allows you to provide a seal on your website showing that you meet the WebTrust Criteria. You may also benefit by providing a SOC 2 engagement, which is also more technically focused.
AICPA provides a comparison of SOC1, SOC2, and SOC3.
Depending on the number of customers you have and their specific requirements, they may send their own people to review, or engage a third-party accounting/consulting firm to perform agreed-upon procedures as a third-party review.