Are SAS 70 Type II Data Centers Dead? Yes, and No! Long Live SSAE 16!

Are SAS 70 Type II Data Centers Dead? Yes, and No! Long Live SSAE 16!

December 13

At a recent trade show I attended, the subject of SAS 70 Type II data centers came up … and it was stated that “customers should only use a data center that is SAS 70 Type II certified”.  I have to agree with that sentiment; however, a new standard — the Statement on Standards for Attestation Engagements (SSAE) 16 — effectively replaces the Statement on Auditing Standards No. 70 (SAS 70) for reporting periods ending on or after June 15, 2011.

So, if you’ve not see it already, you’ll see data center providers touting they’ve completed a “SSAE 16 Type II” audit.  And after June 15 of next year, stating a data center is SAS 70 Type II compliant will not mean anything expect that the data center provider has not kept up on getting an external audit of their systems and procedures!

You see, these audits and the reports that result from them are only valid for a year.  That’s right.  Data centers must pass an audit every year in order to claim they have met these auditing standards.  And if you’re trusting a data center with your data, you certainly want your provider to do this.

So what are SSAE 16 (SOC 1) and SSAE 16 SOC 2 reports?

SSAE 16 is a Service Organization Control (SOC) Type 1 report which documents the auditors’ opinion regarding the accuracy, completeness and suitability of the design of internal controls as of a set date.

An SOC Type 2 report (commonly referred to as “SSAE 16 Type II”) validates the implementation of the SSAE 16 report over a set period of time, typically 6 months to a year and requires sample testing of each control for operating effectiveness during the specified period.  An SSAE 16 Type 2 Report is officially a “Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls”.

In other words, the data center provider describes their system and how the design of that system is well suited and effective in meeting its purpose.  Then, independent auditors validate what management has described in order to generate the SSAE 16 Type 2 report.  Type 2 reports cover controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy.

In the data center world, an SSAE 16 Type 2 report can give you assurances that your data center:

  • Maintains sufficient data and power redundancy
  • Maintains appropriate physical security controls (Man Trap, Security Guards, Biometric Scanning, Video Cameras)
  • Maintains appropriate logical security controls (information is classified and protected as committed or agreed)
  • Monitors for excessive temperature fluctuations
  • Reviews alerts on a timely basis
  • Has proper fire/water detection and protection

SSAE 16 Type II Certified!  Well, not really, but I have a SOC 3 report for you!

No official SSAE 16 “certification” exists (and neither did a SAS 70 certification).  You may hear the SSAE 16 “certification” term thrown around by marketers like me, but that’s just because it sounds much cooler than “We’ve completed a SSAE 16 Type II audit.” which sounds so boring I almost fell asleep typing it.  But what’s important is any data center you trust with your data has in the past completed a SAS 70 Type II audit and have either completed or will complete a SSAE 16 Type 2 audit — and can provide the report documenting their successful completion.


You typically won’t get an organization’s SSAE 16 SOC 2 report unless you request it specifically.  You see, an SOC 1 report is an “auditor-to-auditor” communication and SOC 2 reports are generally “restricted use reports”.  But an SOC 3 report is a general use report a data center provider can deliver to current and prospective customers to demonstrate their data center has appropriate controls in place to mitigate risks related to security, privacy, etc.  That’s not to say you can’t get a data center’s SOC 2 report depending on your needs … and here are some guidelines about what SOC report is right for you.

It’s your data.  So hold your data center provider to a high standard and insist on independent audit validation — because it’s your business and data to loose.