Statement Of Standards For Attestation Engagements (SSAE) 18


SSAE 18 is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It addresses engagements conducted by service auditors (also called practitioners) on service organizations for the purpose of reporting on the design of controls and on their operating effectiveness.

Currently, SOC 1 SSAE 18 engagements conducted by service auditors on service organizations result in the issuance of either an SSAE 18 Type 1 or Type 2 report.

Speak to an Expert

For more information on how our Briskinfosec penetration testing services can help safeguard your organisation, call us now on +91 860 863 4123 or request a call back using the form below.

What are SOC 1 and SOC 2 Reports?

SOC 1 Reports: Reporting on controls relevant to internal control over financial reporting (ICFR). The reporting is conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE), following the SSAE 18 audit guide.

SOC 2 Reports: Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reporting is conducted in accordance with AT Section 101 and uses the audit guide titled "Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy".


What are Type 1 and Type 2 Reports?

  • A Type 1 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design of Controls", or simply as a SOC 1 SSAE 18 Type 1 report.

  • A Type 2 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls", or simply as a SOC 1 SSAE 18 Type 2 report.

Approach to SOC: How It Works

Data security is a concern for customers of service organizations across all industries, but especially for companies that process financial transactions on behalf of others.

Readiness Assessment

Once the scope is determined, the service organization (with Briskinfosec's assistance) assesses the existing controls and any gaps in them, to determine whether they satisfy management's control objectives.

Through this assessment, the internal controls are analyzed to determine:

  • Whether they meet the control objectives and are all in order.
  • Where controls are not adequate, a remediation effort is designed and developed to implement counter-measures and fix the gaps.

At the end of this phase, top management receives a final report that identifies the key controls for each control objective and criterion, together with any necessary remediation efforts.

Remediation of Control Gaps

The following steps occur during the remediation phase:

  • Remediation services are provided, the remediation efforts are tracked, and the adequacy of the controls is established in order to close the gaps.
  • The service provider drafts a system description that identifies the processes and controls that deliver the services within the scope of the engagement. This description is the basis of the auditor's opinion and is included in the final report.

Attestation: Accuracy of the Controls

After remediation of the identified control gaps has been performed and the control description completed, the service auditor examines the controls and the description. The successful result of these procedures is the issuance of a Type 1 SOC report with the service auditor's opinion as of a specific date.

Benefits of a SOC Report

A SOC report builds confidence and trust among your customers, who rely on the internal controls your organization maintains and implements when receiving its services.

Because of the changes from SSAE 16 to SSAE 18, your service organization can benefit in the following ways:

  • A broad-based approach and enhanced reporting on your control system.

  • Assurance for your customers that the internal controls affecting their financial reporting are timely and accurate, keeping them in compliance with company policies and government regulations.

SSAE 18 engagements identify key areas for improvement that can ultimately help to reduce risk, decrease the frequency of irregularities, and minimize chances of fraud.

What Does CPA Reporting Mean for SSAE 18 Physical Security Compliance?

When an independent CPA reports on your compliance with SSAE 18, you can assure your clients that you maintain a high level of security.

This means that you have established clear, hierarchical responsibility for access to your premises and, most importantly, that you work with partners who do not take data security lightly.

How Is SSAE 18 Different From SSAE 16?

While the SSAE 16 was specific to SOC 1 audits, SSAE 18 is an umbrella standard that applies to most types of attestation engagements, clarifying and formalizing requirements to enhance their reporting potential. The SSAE 16 examination will no longer be referred to as an SSAE 16 examination but will simply be known as a SOC 1 examination.

SSAE 18 features significant changes in the following areas:

  • Vendor management
  • Risk assessment
  • Complementary subservice organization controls
  • Data validation

What is SSAE 18 Compliance in Access Control?

  • The SSAE 18 guidance primarily clarifies existing auditing standards. It is also intended to reduce duplication among similar standards that cover examination, review and agreed-upon procedures engagements.
  • As of May 1, these engagements (specifically, SSAE Nos. 10 through 17) will fall under SSAE 18.
  • This is why SSAE 18 access control compliance for today's service companies entails more than just physical requirements.

How Briskinfosec Can Help You

  • Briskinfosec aims to be a trusted partner to your business, safeguarding your organization's data, information and assets.
  • Our compliance practice keeps your goals and priorities at the forefront of our service delivery process, and as an information security organization we understand risk and controls.
  • As your trusted service partner, we are at your doorstep and ready to support all your IT compliance, information security and cyber security needs.
  • Our security solutions not only save on audit and compliance costs but, more importantly, reduce the internal effort and time your key personnel spend on annual compliance.

The first level of conducting an SSAE SOC audit consists of:

  • Gap assessment, including risk analysis and control definition: readiness assessment, remediation services and testing
  • Implementation support
  • Presentation and final documentation

Highest Success Rate:

  • Nearly 90% of the financing companies that provide SOC 2 services under SSAE 18 standards to their customers are treated as key partners in their customers' business activities.

Have any changes been made to Statements on Standards for Attestation Engagements (SSAE) No. 18 that will affect service auditors' engagements?

Is SOC 2 more appropriate than SOC for security?

Based on our experience, SOC 2 is increasingly valuable for business-to-business compliance and assurance. It continues to grow in usefulness as a tool for meeting other requirement standards (e.g. GDPR, HIPAA and PCI) that call for detailed oversight of third-party vendors. Obtaining a SOC 2 report signals that an organization is maturing its controls alongside its business and better meeting its responsibilities to its clients.

When is SOC for information / cyber security more appropriate than SOC 2 or SOC 3?

Our research indicates that SOC for security is more useful for large multinational companies, as well as MSMEs, that need a measurement of their own cyber security posture. A CISO needs to quantify risk over time for board members who want to know whether cyber security risks are being adequately mitigated. It is a good way to measure whether specific controls have delivered a return on investment.

Who is responsible for HIPAA?

Both the healthcare organization and the individual staff members who access PHI are responsible. The organization is responsible for putting all necessary safeguards in place for HIPAA compliance. Every individual (office manager, doctor, etc.) is held responsible for the health information they should, can, or do access. Individuals and companies can independently face criminal charges for mishandling PHI.

Is there a prescribed set of control objectives for SSAE 18 SOC 2 and SOC 3 engagements?

A service auditor may be engaged to report on a description of a service organization's system and the suitability of the design and operating effectiveness of controls relevant to one or more of the trust services principles.

In SSAE 18 SOC 2 and SOC 3 engagements, the service auditor uses the trust services criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy; see AICPA Technical Practice Aids) to evaluate and report on controls relevant to security, availability, processing integrity, confidentiality, or privacy.

Accordingly, in every SOC 2 and SOC 3 engagement that addresses the same principle(s), the criteria will be the same (the applicable trust services criteria).

What are the Basic Requirements for SOC 2 Compliance?

The most important requirement of SOC 2 is that businesses need to develop security policies and procedures that are written out and followed by everyone. These policies and procedures serve as guides for auditors who will review them.

Policies and procedures should cover security, availability, processing integrity, confidentiality and privacy of data stored in the cloud.

What needs to be monitored?

The most important things to monitor are any unauthorized, unusual or suspicious activity affecting a specific client. This type of monitoring usually focuses on system configuration and user access, and watches for known and unknown malicious activity, such as phishing or other types of inappropriate and unauthorized access. The best means of monitoring is a continuous security monitoring service.

What alerts are needed?

Alerts set up to detect unauthorized access to customer information and customer data, or any other anomalous behaviour related to a client’s data, are crucial in assisting busy IT leaders in meeting SOC 2 requirements.

What Is A SOC 2 Readiness Assessment?

A SOC 2 scoping and readiness assessment helps service organizations better determine the necessary scope of a specific audit. This important exercise helps IT teams understand which important elements of the control environment require attention and remediation before performing the official audit.

Who must comply with SOC 2 Requirements?

SOC 2 requirements are mandatory for all engaged, technology-based service organizations that store client information in the cloud. Such businesses include those that provide SaaS and other cloud services while also using the cloud to store each respective, engaged client’s information.

How often must a service organization schedule a SOC 2 audit?

Most SOC 2 reports cover a one-year period, but some service organizations perform this audit every three or six months, depending on the client's preference and any ongoing concerns in the operational control environment.
