CISO Brief

All news with #soc 2 tag

14 articles

AWS Winter 2025 SOC 1 Report Released — 184 Services

🔒 The Winter 2025 SOC 1 report from AWS is now available, covering 184 services for the 12‑month period January 1–December 31, 2025. Customers can download the report through AWS Artifact. AWS reiterates its commitment to meeting heightened expectations for cloud service providers, and to continuously bring additional services into compliance scope. If you have questions or feedback, contact your AWS account team or the AWS Compliance team.
AWS European Sovereign Cloud Achieves Initial Certifications

🛡️ The AWS European Sovereign Cloud has published initial independent assurances including SOC 2 Type 1 and C5 Type 1 attestations plus seven ISO certifications covering 69 services. Announced after general availability in January 2026, these reports validate control design and implementation mapped to the ESC-SRF, with EU-resident operations and strict data residency. Customers can access the reports via AWS Artifact; AWS plans to expand coverage over time.
AWS FINMA ISAE 3000 Type II Report Covers 183 Services

🔒 AWS announced the issuance of the Swiss FINMA ISAE 3000 Type II attestation report covering 183 services for the period 1 October 2024 to 30 September 2025. The independent attestation maps AWS controls against FINMA circulars including outsourcing, operational risks and resilience, and proposed BCM minimum standards. AWS added five services to the FINMA scope: Amazon Verified Permissions, AWS B2B Data Interchange, AWS Resource Explorer, AWS Security Incident Response, and AWS Transform. The report is available via AWS Artifact and customers are reminded that security is shared between AWS and the customer.
AWS Issues PiTuKri ISAE 3000 Type II Report for 183 Services

🔒 Amazon Web Services (AWS) announced the issuance of the PiTuKri ISAE 3000 Type II attestation report covering 183 services, confirming its control environment aligns with the Finnish Traficom Cyber Security Centre’s criteria. The independent report covers October 1, 2024 to September 30, 2025 and adds five services to scope: Amazon Verified Permissions, AWS B2B Data Interchange, AWS Resource Explorer, AWS Security Incident Response, and AWS Transform. Customers can obtain the attestation via AWS Artifact, and AWS reiterates that security is a shared responsibility between the provider and the customer.
13 Questions CISOs Should Ask Third-Party Vendors Now

🔒 Increasing reliance on third-party IT and software significantly expands an organization’s attack surface, and security leaders must act before incidents force their involvement. The article provides a focused checklist of 13 practical questions for CISOs covering evidence of controls (e.g., SOC 2 Type II, ISO/IEC 27001), change management, identity posture, and workflow validation. It stresses independent testing, clear contractual responsibilities, timely incident notification, and rigorous handling of OAuth and API integrations to reduce supply-chain risk.
CISOs: Move Beyond Compliance to Anticipate Risk in 2026

🔒 CISOs entering 2026 should treat compliance as a baseline, not a destination. While frameworks like HIPAA, SOC 2 and ISO 27001 provide essential controls, relying solely on checklists breeds complacency and misses evolving threats such as AI-enabled attacks, third-party failures and future quantum risks. Adopt longer time horizons, scenario-based risk assessments and financial impact modelling to align security with business priorities and secure board support.
13 Questions to Vet IT Vendors and Reduce Third-Party Risk

🔐 As enterprises outsource more IT and adopt third-party SaaS, recent high-profile breaches show attackers are exploiting vendor trust pathways like help desks, OAuth tokens, and permissive integrations. CSOs should treat vendor selection as continuous risk management and demand strong attestations (e.g., SOC 2 Type II, ISO/IEC 27001), inventories of OAuth/API relationships, and evidence of actual workflow execution. The article lists 13 targeted questions covering controls, notification commitments, testing cadence, isolation measures, and insurance to reduce supply-chain risk.
Third-Party Risk Management to Prevent Compliance Failures

🔒 Third-Party Risk Management (TPRM) is a strategic program that helps organizations identify, assess, and control risks arising from external vendors and service providers. Core elements include risk identification and assessment, contract management, continuous monitoring and audits, and employee training. Compliance drivers such as SOC 2 and GDPR make robust TPRM essential to prevent legal and reputational damage. Integrating TPRM into enterprise risk frameworks and using automation improves consistency and oversight.

AWS Fall 2025 SOC 1, 2, and 3 Reports Cover 185 Services

🔒 AWS has published its Fall 2025 SOC 1, SOC 2, and SOC 3 reports covering 185 services for the 12‑month period from October 1, 2024 through September 30, 2025, providing customers with a full year of assurance. Customers can download SOC 1 and SOC 2 reports via AWS Artifact, while the SOC 3 report is available on the AWS SOC compliance page. AWS continues to expand the set of services in scope and encourages customers to contact their account team with questions.
AWS Artifact Adds Self-Service Access to Prior Reports

📁 AWS Artifact now provides self-service access to previous versions of compliance reports, eliminating the need to contact AWS Support or account representatives. Customers with the IAM permission artifact:ListReportVersions—included in the managed policy AWSArtifactReportsReadOnlyAccess—can view prior SOC, ISO, and C5 report versions directly in the console by selecting available versions. Availability of historical coverage varies by compliance program, and the feature is generally available in US East (N. Virginia) and AWS GovCloud (US-West).
Rethinking Service Provider Risk: A CISO Imperative

🔍 As organizations outsource more critical systems and security functions to managed service providers, the complexity and frequency of third-party incidents are rising — 47% of organizations reported a third-party breach in the 12 months to mid-2025. Security leaders must balance rigorous, standards-based assurance (for example ISO 27001 or SOC 2) with relationship-driven vetting that fosters transparency and shared responsibility. Experts from media company Advance, the University of Queensland and vendor advisors argue that questionnaires alone are insufficient: meaningful dialogue, selective disclosure (summaries of pen tests rather than full reports), contractual clarity, and AI-aware controls are all needed to assess and manage evolving risks.
AWS Summer 2025 SOC 1 Report Covers 183 Services In Scope

🔒 AWS has published its Summer 2025 SOC 1 report covering 183 services for the period July 1, 2024 through June 30, 2025. The report provides independent assurance on controls relevant to customer financial reporting. Customers can download the report via AWS Artifact in the AWS Management Console for on-demand access. AWS says it will continue to expand service coverage and invites customers to contact their account team or the Compliance team with questions.
New AWS Whitepaper: AICPA SOC 2 Compliance Guide on AWS

📘 The AICPA SOC 2 Compliance Guide on AWS provides detailed, prescriptive guidance for cloud architects, security and compliance teams, and DevOps professionals to implement SOC 2–aligned controls using AWS services. The whitepaper maps the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) to AWS services and constructs, and explains complementary user entity controls. It outlines strategies for evidence collection, documentation, and audit readiness, and highlights automation best practices. The guide places controls within the AWS shared responsibility model and points to AWS Security Assurance Services for further assistance.

AWS Completes 2024 CCAG Pooled Audit with EU Banks

🔒 AWS completed the 2024 pooled audit run by the Collaborative Cloud Audit Group (CCAG) with major European financial institutions. The multi‑phase engagement (February–December 2024) was grounded in the CSA Cloud Controls Matrix and aligned to IIA IPPF and ISACA ITAF benchmarks, with on‑site fieldwork at two AWS locations. Assessments covered data confidentiality and sovereignty, incident detection and response, privileged access controls, operational resilience, API security, supplier governance, interoperability and centralized compliance oversight.