Proven quality – certificates for service providers: How can service providers prove the quality of the tasks they are commissioned with?

For service providers and their customers, successful certification provides another benefit alongside a quality seal, which should not be underestimated: the certificate allows them to use audit findings from third parties and therefore also reduces the effort required for their own audits. In this way, customers can forego their own auditing procedures to meet their individual responsibility and supervision obligations (with regard to the proper implementation of the processes and the monitoring measures set up by the service provider) for the outsourced areas and instead obtain evidence of compliance based on certificates generated in accordance with generally recognised principles. Using a certificate significantly reduces the auditing effort required.  

This article presents a selection of recognised certificates and frameworks that can serve as a basis for successful certification.  

ITIL (Infrastructure Library)  

ITIL (also known as IT Infrastructure Library) has now become the de facto global standard for implementing and monitoring control processes in IT. This procedure library, which was originally developed by a British government agency and is currently available in version 3, describes the planning and management of IT services. This is a recognised framework that consistently places a customer focus at the fore. Identifying the customer’s requirements is the start of the ITIL cycle, and the IT requirements are then derived from this. The endpoint, which is also the starting point for a new cycle, is monitoring and improving the services. Evidence of suitable IT service management can be provided through certification in accordance with ISO/IEC 20000.  

COBIT  

COBIT is another recognised framework. However, in contrast to ITIL, the focus is on the compliance and transparency of the ICS from an auditing perspective. The current version 5 created a basis for effective management of corporate IT. COBIT 5 includes methods, principles, best practices and guidelines that are useful for creating optimal added value through the deployment of IT. Using the cascading objectives in COBIT 5, companies can derive IT-related goals based on the objectives of the target groups and the corporate goals. Suitable COBIT processes can then be defined based on the identified goals. For companies like PROMOS that align themselves to recognised standards, focusing on COBIT provides a suitable basis for successful certification.  

IDW PS 951 (new version)  

The Institut der Wirtschaftsprüfer e.V. (German Institute of Certified Public Accountants, IDW) published IDW PS 951 for the first time in 2007. In addition to the international standards ISAE 3402 and SAS 70, this takes into account German regulatory requirements. An updated version was adopted on 16 October 2013. Auditing subjects according to IDW PS 951 are the description of the service-related ICS as well as the controls and control objectives presented in the ICS description. There are two versions:

Type 1: The actual design and setup of the ICS, including a proper description and appropriate design of the checks, is examined (structural audit). This does not provide for evidence of the ICS’s functional capability, so this type is only of limited use to third parties or auditors. In this case, further audit evidence is required to verify the effectiveness of the ICS. Type 2: In addition to the auditing procedures performed for type 1, this version examines the effectiveness of the checks over a specific period of time (functional check), thus allowing a direct evaluation of the effectiveness of the controls.  

For example, PROMOS decided to obtain evidence of the suitability and effectiveness of its ICS for its data centre and service processes by means of a special annual type 2 audit. With this evidence, when performing their audits in accordance with the IDW’s auditing standard PS 331, customers operating with PROMOS can draw on external auditors’ audit results for outsourced services.  

SAS 70/SSAE 16  

While the auditing standard in accordance with IDW PS 951 has become essentially become commonplace for companies that are headquartered and operate in Germany, SSAE 16 is a US standard from the American Institute of Certified Public Accountants (AICPA) and is used worldwide. This replaced the global standard SAS 70 in 2011. In a similar way to the new version of IDW PS 951, SSAE 16 provides instructions for independent auditors to perform a standardised audit of service provider organisations with the aim of providing a transparent picture of the ICS for the service provider organisation’s customers. This standard also has two types: the structural audit and the structural and functional audit. In addition, a distinction is made according to the target audience (SOC1/2/3):

• SOC 1 Report: primarily focuses on controls in financial reporting
• SOC 2 Report: contains an extensive and detailed presentation of security, availability, integrity, trustworthiness and data protection
• SOC 3 Report: in contrast to the SOC 2 report, this provides a summary (without sensitive information)

ISAE 3402  

ISAE 3402 was created by the International Auditing Assurance Standards Board (IAASB) and also allows certification based on the two types described above. In contrast to the other two standards, it provides a recognised and globally comparable reporting structure. To make the distinction clearer: It is anticipated that ISAE 3402 will become the preferred standard for all non-US companies (service provider organisations as well as their customers), while SSAE 16 will primarily be used by companies that are headquartered and operate in the US.  

ISO/IEC 27001  

Minimising IT risks and safeguarding the protection of information are major challenges for companies today, which is why implementing an Information Security Management System (ISMS) is primarily a strategic decision for companies. The ISO/IEC 27001 standard provides a management standard that defines how something should work in the form of a guideline. A management standard does not explicitly specify how situations should be characterised but uses the example of “information security” to show that planning, implementation, monitoring, verification and continuous improvement must be carried out. ISO/IEC 27001 is just one element from the 2700X family that can be used to assess the fulfilment level/conformity of the ISMS. Certification in accordance with ISO 27001 is thus a seal of quality, but is only partially suitable for an audit of annual financial statements as, in contrast to the other standards discussed, a review is not performed annually.  

BSI Baseline Protection catalogues  

IT Baseline Protection is a standard for information security developed by the Federal Office for Information Security (BSI). In addition to the BSI standards for security management, IT Baseline Protection covers IT Baseline Protection catalogues. The catalogues contain specific implementation aids for the security process. The modular structure of the catalogues allows them to be used in an individual, company-specific manner. Companies can also request an audit by the BSI at the preliminary levels (entry level and higher level) to prepare the ground for successful certification. BSI Baseline Protection is closely related to the ISO 2700X family. In 2005, the IT catalogues were adapted with the aim of covering the ISO 27001 certification. In contrast to simple ISO 27001 certification, BSI certification covers components from the entire ISO 2700X family. For example, the PROMOS co-location has an IT security certificate from the BSI: “ISO 27001 certificate based on IT-Grundschutz”.