Cloud security standards: what you should know


Cameron Tinsler

Global Security Auditor

The cloud has arrived. Cloud computing is altering the IT landscape and is not just shifting business objectives, but fundamentally changing the way companies operate. And, the rate of this change appears to be accelerating. Jim Laverty, president of Upp Technology, Inc., states that nearly 90 percent of businesses have adopted the cloud in some capacity. A 2014 IDG Cloud Computing Study found that cloud investments have increased by 19 percent in large-scale enterprises spending on average $3.3 million per year. The study also found that in 2015, 24 percent of IT budgets will be allocated to cloud solutions due to shifting trends—since accessing secure information from anywhere is becoming a basic requirement for many companies. Whether data is stored in the cloud or on premise, the safety of business data is critical to every organization. Some even argue that cloud providers are often more competitive and reliable than companies that prefer data storage on-premise, due to more focus on and investments in security.

With more and more companies adopting cloud technologies to adapt to the increasing pace of the business world, data security in the cloud remains an important topic of conversation. Transparency about how companies are testing and auditing their security is becoming prevalent.

Service Organization Control (SOC) reports are a great way for customers to ensure that service providers are practicing safe and secure controls and protecting data. A SOC report ensures accurate understanding of the organization’s controls and the risks associated with the companies services. It’s important to note that an SOC audit report cannot be bought, but rather, it must be earned via a third party audit.

The SOC audits are an industry standard that have been in place for several years. Overall, an SOC report enables service organizations to present a strong position to its user organization clients about their control environment relevant to processes that impact user organizations’ financial reporting. The somewhat notorious predecessor, the SAS 70 report, allowed companies to write controls and fill parts of their reports with fluff. SOC audits, in contrast, require adherence to specific Trust Criteria, which provide guidance when offering assurance services. Companies can select applicable criteria, but cannot drop particular controls on a whim.

Many organizations are already thinking about the SOC reporting framework and how it impacts what SOC report is most valuable for their company, those in charge of governance, and their auditors. It is important for service organization management to be fully educated on the new SOC framework, so they are well prepared to discuss the effective use of a SOC 1, 2, or 3 report when requested by a user organization.

SOC 2 is emerging as a mainstream report requested by a broad range of user organizations. The benefit of the SOC 2 report for service organizations is that they can now offer clients a separate report focusing on internal controls not related to financial reporting. These reports can help clients better understand internal controls at the service organization related to its system’s security, availability, processing integrity, confidentiality, and privacy.

Anaplan is pleased to announce the completion of our first SOC 2 audit. The SOC 2 audit tested Anaplan’s product offering in the areas of security, availability, and confidentiality. The audit was performed by the independent audit firm Grant Thornton, LLP. In this Type 1 audit, issued August 31, 2015, the external auditors interviewed subject matter experts across many departments and inspected evidence to ensure Anaplan’s controls were properly designed.

The American Institute of Certified Public Accountants (AICPA) designed the SOC audits. The purpose of the SOC 2 report, in their words is, “To give … user entities and others a report about controls at a service organization relevant to the security, availability or processing integrity of the service organization’s system, or the confidentiality and privacy of the data processed by that system.”

Before the end of the 2015, Anaplan will issue another, SOC 2 report, which will evaluate the operating effectiveness of the controls.

To request a copy of the audit report, please email