As part of our journey to continuously improve our service quality, Ctac has taken significant steps towards expanding the assurance reporting for private cloud infrastructure. By adding a new assurance report next to the already existing ISAE 3402 Type II assurance report for SAP and XV retail services, our customers obtain assurance on our private cloud infrastructure services.

Adapting to emerging cyber risks

The world today faces an increasing threat of cyber attacks and geopolitical disruptions that may impact digital infrastructure. The increasing risk level requires tighter control to ensure the stability and reliability of (outsourced) IT services. Regulators are anticipating the increased risk by drafting new or updated regulations such as NIS2 or DORA.

In 2022, Ctac commenced an initiative to update and extend the internal risk and control framework by including infrastructure components and management processes. Based on globally accepted frameworks such as COBIT and the SOC 2 Trust Services Criteria, a new set of risks and controls was designed and implemented to demonstrate Ctac’s ability to manage key process controls. Over 2023, the implemented controls were successfully audited by an external auditor (KPMG).

The effect of this change?

As before, Ctac continues the ISAE 3402 assurance reporting cycle for the internal control environment and risk management processes for SAP and XV-retail services in the Ctac private cloud. This assurance report includes all relevant process controls for financial statement auditors to elaborate on the IT risk assessment and General IT control testing. Objects in scope for this report are the SAP and XV application and database layer. The 3402 assurance report relates to the information systems processing information with a direct relation to the financial statement: SAP and XV.

As of 2023 Ctac will provide the new 3000 infrastructure assurance report. This report covers key infrastructure processes, such as IT security, IT supplier management, IT lifecycle and patch management, firewall management, IT availability management, incident/problem/change management and more. Objects in scope for this report include the operating systems, hypervisor, firewall, networking services and physical data center infrastructure.

The 3000 infrastructure assurance report can be used as a complement to the 3402 assurance report for SAP and XV. By doing so, the Ctac client (and its auditor) obtains assurance on key IT risk management for the entire IT stack in the Ctac private cloud.

Proud

For clients that solely make use of the Ctac private cloud infrastructure, the 3000 assurance report will provide assurance on key IT risk management for the outsourced infrastructure services. Within Ctac we strive to provide the best services possible, and we are very proud that our investments in risk management and a fully redesigned internal control framework have resulted in two assurance reports that integrate towards our Ctac private cloud services whilst anticipating increasing cyber risks and upcoming regulatory requirements.

 

Rob Wismans

Manager Cloud Services