25. What is SOC 1 SSAE 18 reporting and why are information security policies and procedures important for SOC 1 compliance?

SOC 1 SSAE 18 reporting consists of Type 1 and Type 2 reporting using the AICPA SSAE 18 professional standard within the comprehensive Service Organization Control (SOC) reporting platform. Specifically, the SSAE 18 standard is a professional attestation standard put forth by the American Institute of Certified Public Accountants (AICPA) for reporting on controls at service organizations. These “service organizations” are entities that generally provide essential outsourcing services to other businesses. It’s important to note that auditors who perform SSAE 18 assessments often require a healthy number of documented operational and information security policies and procedures to be in place.

I.T. Security Policies and Procedures are Essential for SOC 1 SSAE 18

Welcome to the world of regulatory compliance, where policies and procedures are fast becoming a must-have for any type of business. As for SSAE 18 Type 1 and Type 2 reporting, policy and procedure documents for risk assessment, network security, logical security, change management – just to name a notable few – are what organizations need to have in place for compliance. There’s no better organization to provide them than FLANK, a global leader in offering high-quality, well-written policies, procedures, and more. In fact, the FLANK21 set of templates – available for purchase and immediate download – comes complete with hundreds of policies, procedures, forms, checklists, templates, and much more.

Another reason operational and security policies and procedures are so important for SOC 1 SSAE 18 compliance is the standard itself, which is quite flexible, allowing service organizations to include any number of control objectives as part of audit scope. This means that a large number of policies and procedures may be required for compliance, particularly for general I.T. controls such as change management, logical security, network security, physical and environmental security, and computer operations.

Additionally, the FLANK21 set of policies and procedures – and more – from FLANK is exactly what service organizations need for assisting with SOC 1 SSAE 18 reporting. Not only will you receive policy and procedure templates for SOC 1 SSAE 16 general I.T. control areas, but also for many operational and business-specific categories, such as risk assessment, usage rights, social media, fraud, and more.