SSAE 18 - Attestation Standards (SOC Reporting)

International

v2017 (Effective 2017)

20 domains

67 controls

Statement on Standards for Attestation Engagements No. 18 (SSAE 18) provides the framework for SOC (System and Organization Controls) reporting engagements. It governs SOC 1 (internal controls over financial reporting), SOC 2 (Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy), and SOC 3 reports. Published by the AICPA, it is the standard used by auditors worldwide for service organization control assessments.

Unverified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (20)

AUP

1 controls

Controls in the AUP domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-04	Agreed-Upon Procedures (AT-C 215)	AUP engagements involve performing specific procedures and reporting findings without providing an opinion or conclusion...

Acceptance

1 controls

Controls in the Acceptance domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-08	Preconditions for Attestation Engagement	The practitioner must establish preconditions including suitable and available criteria, sufficient evidence access, and...

Documentation

1 controls

Controls in the Documentation domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-17	Engagement Documentation	Documentation must be sufficient to enable an experienced practitioner with no previous connection to the engagement to...

Ethics

1 controls

Controls in the Ethics domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-09	Independence and Ethics	The practitioner must be independent of the responsible party and comply with the AICPA Code of Professional Conduct thr...

Evidence

1 controls

Controls in the Evidence domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-12	Written Representations	The practitioner must obtain written representations from the responsible party regarding responsibility for the subject...

Examination

1 controls

Controls in the Examination domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-02	Examination Engagements (AT-C 205)	Examination engagements provide a high level of assurance and require obtaining sufficient appropriate evidence to reduc...

General Standards

1 controls

Controls in the General Standards domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-01	Common Attestation Concepts (AT-C 105)	SSAE 18 reorganises attestation standards into a common concepts section (AT-C 105) that applies to all attestation enga...

Planning

2 controls

Controls in the Planning domain of SSAE 18 - Attestation Standards (SOC Reporting) — 2 controls
Code	Title	Description
SSAE-10	Engagement Risk Assessment	The practitioner must obtain an understanding of the subject matter and assess risks of material misstatement to design...
SSAE-11	Materiality in Attestation	The practitioner must consider materiality when planning procedures and evaluating findings, recognising that materialit...

Quality

1 controls

Controls in the Quality domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-18	Quality Management at Firm and Engagement Level	Firms must implement a system of quality management with engagement-level controls including engagement quality reviews...

Reporting

3 controls

Controls in the Reporting domain of SSAE 18 - Attestation Standards (SOC Reporting) — 3 controls
Code	Title	Description
SSAE-13	Other Information in Reports	When other information accompanies the subject matter information, the practitioner must read it for material inconsiste...
SSAE-19	Modifications to the Standard Report	When circumstances warrant, the practitioner must modify the standard report through qualification, adverse opinion, or...
SSAE-20	Use by Specified Parties and Restricted Distribution	Reports on subject matter intended for specified parties must include a restricted use paragraph identifying intended us...

Review

1 controls

Controls in the Review domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-03	Review Engagements (AT-C 210)	Review engagements provide limited assurance through inquiry and analytical procedures, expressed as a conclusion about...

SOC 1

1 controls

Controls in the SOC 1 domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-05	SOC 1 Engagements (AT-C 320)	AT-C 320 governs SOC 1 engagements over controls at a service organisation relevant to user entity ICFR, requiring writt...

SOC 1 - Internal Controls over Financial Reporting

6 controls

Controls at a service organization relevant to user entities' internal control over financial reporting (ICFR)

Controls in the SOC 1 - Internal Controls over Financial Reporting domain of SSAE 18 - Attestation Standards (SOC Reporting) — 6 controls
Code	Title	Description
SSAE18-SOC1-01	Control Environment	The service organization demonstrates a commitment to integrity and ethical values. Management establishes structure, au...
SSAE18-SOC1-02	Risk Assessment	The service organization identifies risks to the achievement of its objectives and analyzes risks as a basis for determi...
SSAE18-SOC1-03	Information and Communication	The service organization generates and uses relevant, quality information to support the functioning of internal control...
SSAE18-SOC1-04	Monitoring Activities	The service organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the co...
SSAE18-SOC1-05	Control Activities for Financial Processing	The service organization selects and develops control activities that contribute to the mitigation of risks to the achie...
SSAE18-SOC1-06	Transaction Processing Controls	Controls over the completeness, accuracy, timeliness, and authorization of transaction processing on behalf of user enti...

SOC 2

1 controls

Controls in the SOC 2 domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-06	SOC 2 Engagements (AT-C 205 with TSC)	SOC 2 engagements apply AT-C 205 examination standards to controls relevant to the Trust Services Criteria covering secu...

SOC 2 - Additional Trust Services Categories

10 controls

Availability, Processing Integrity, Confidentiality, and Privacy criteria

Controls in the SOC 2 - Additional Trust Services Categories domain of SSAE 18 - Attestation Standards (SOC Reporting) — 10 controls
Code	Title	Description
SSAE18-A1.1	A1.1 - Availability Commitments and Requirements	The entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacit...
SSAE18-A1.2	A1.2 - Environmental Protections and Recovery	The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmen...
SSAE18-A1.3	A1.3 - Recovery Plan Testing	The entity tests recovery plan procedures supporting system recovery to meet its objectives.
SSAE18-C1.1	C1.1 - Confidential Information Identification	The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality.
SSAE18-C1.2	C1.2 - Confidential Information Disposal	The entity disposes of confidential information to meet the entity's objectives related to confidentiality.
SSAE18-P1.1	P1.1 - Privacy Notice	The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to priva...
SSAE18-P1.2	P1.2 - Choice and Consent	The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal...
SSAE18-PI1.1	PI1.1 - Processing Integrity Definition	The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related t...
SSAE18-PI1.2	PI1.2 - System Processing Completeness and Accuracy	The entity implements policies and procedures over system processing to result in products, services, and reporting to m...
SSAE18-PI1.3	PI1.3 - Processing Error Handling	The entity implements policies and procedures over system inputs, including controls over completeness, accuracy, and ti...

SOC 2 - Logical and Physical Access Controls

11 controls

Trust Services Criteria for logical and physical access, system operations, and change management

Controls in the SOC 2 - Logical and Physical Access Controls domain of SSAE 18 - Attestation Standards (SOC Reporting) — 11 controls
Code	Title	Description
SSAE18-CC5.1	CC5.1 - COSO Principle 10: Control Activity Selection	The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of obje...
SSAE18-CC5.2	CC5.2 - COSO Principle 11: Technology General Controls	The entity also selects and develops general control activities over technology to support the achievement of objectives...
SSAE18-CC5.3	CC5.3 - COSO Principle 12: Control Activity Policies	The entity deploys control activities through policies that establish what is expected and procedures that put policies...
SSAE18-CC6.1	CC6.1 - Logical Access Security Software	The entity implements logical access security software, infrastructure, and architectures over protected information ass...
SSAE18-CC6.2	CC6.2 - New User Registration and Authorization	Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and ext...
SSAE18-CC6.3	CC6.3 - Access Removal	The entity removes access to protected information assets when an individual no longer requires access.
SSAE18-CC6.4	CC6.4 - Physical Access Restrictions	The entity restricts physical access to facilities and protected information assets to authorized personnel.
SSAE18-CC6.5	CC6.5 - Logical Access to Protected Assets	The entity discontinues logical and physical protections over physical assets only after the ability to read or recover...
SSAE18-CC6.6	CC6.6 - External Threats and Security Measures	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software.
SSAE18-CC6.7	CC6.7 - Data Transmission Restrictions	The entity restricts the transmission, movement, and removal of information to authorized internal and external users an...
SSAE18-CC6.8	CC6.8 - Unauthorized Software Prevention	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software...

SOC 2 - Security (Common Criteria)

12 controls

Security criteria applicable to all SOC 2 engagements - the common criteria baseline

Controls in the SOC 2 - Security (Common Criteria) domain of SSAE 18 - Attestation Standards (SOC Reporting) — 12 controls
Code	Title	Description
SSAE18-CC1.1	CC1.1 - COSO Principle 1: Integrity and Ethical Values	The entity demonstrates a commitment to integrity and ethical values.
SSAE18-CC1.2	CC1.2 - COSO Principle 2: Board Independence and Oversight	The board of directors demonstrates independence from management and exercises oversight of internal control development...
SSAE18-CC1.3	CC1.3 - COSO Principle 3: Management Structure and Authority	Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilit...
SSAE18-CC1.4	CC1.4 - COSO Principle 4: Commitment to Competence	The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
SSAE18-CC1.5	CC1.5 - COSO Principle 5: Accountability	The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
SSAE18-CC2.1	CC2.1 - COSO Principle 13: Quality Information	The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
SSAE18-CC2.2	CC2.2 - COSO Principle 14: Internal Communication	The entity internally communicates information, including objectives and responsibilities for internal control.
SSAE18-CC2.3	CC2.3 - COSO Principle 15: External Communication	The entity communicates with external parties regarding matters affecting the functioning of internal control.
SSAE18-CC3.1	CC3.1 - COSO Principle 6: Risk Identification	The entity specifies objectives with sufficient clarity to enable identification and assessment of risks relating to obj...
SSAE18-CC3.2	CC3.2 - COSO Principle 7: Risk Analysis	The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for det...
SSAE18-CC3.3	CC3.3 - COSO Principle 8: Fraud Risk Assessment	The entity considers the potential for fraud in assessing risks to the achievement of objectives.
SSAE18-CC3.4	CC3.4 - COSO Principle 9: Change Management	The entity identifies and assesses changes that could significantly impact the system of internal control.

SOC 2 - System Operations and Change Management

8 controls

System operations monitoring, incident management, and change management controls

Controls in the SOC 2 - System Operations and Change Management domain of SSAE 18 - Attestation Standards (SOC Reporting) — 8 controls
Code	Title	Description
SSAE18-CC7.1	CC7.1 - Infrastructure and Software Monitoring	To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that r...
SSAE18-CC7.2	CC7.2 - Anomaly Monitoring in Operations	The entity monitors system components and the operation of those components for anomalies that are indicative of malicio...
SSAE18-CC7.3	CC7.3 - Security Event Evaluation	The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet...
SSAE18-CC7.4	CC7.4 - Incident Response	The entity responds to identified security incidents by executing a defined incident response program to understand, con...
SSAE18-CC7.5	CC7.5 - Incident Recovery	The entity identifies, develops, and implements activities to recover from identified security incidents.
SSAE18-CC8.1	CC8.1 - Infrastructure and Software Change Management	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to...
SSAE18-CC9.1	CC9.1 - Risk Mitigation Activities	The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disrup...
SSAE18-CC9.2	CC9.2 - Vendor and Business Partner Risk Management	The entity assesses and manages risks associated with vendors and business partners.

SOC 3

1 controls

Controls in the SOC 3 domain of SSAE 18 - Attestation Standards (SOC Reporting) — 1 controls
Code	Title	Description
SSAE-07	SOC 3 General Use Reports	SOC 3 reports provide an examination opinion on controls relevant to the Trust Services Criteria for general distributio...

Specialised

3 controls

Controls in the Specialised domain of SSAE 18 - Attestation Standards (SOC Reporting) — 3 controls
Code	Title	Description
SSAE-14	Reporting on Pro Forma Financial Information (AT-C 310)	AT-C 310 governs examinations and reviews of pro forma financial information, requiring the practitioner to evaluate man...
SSAE-15	Reporting on Compliance (AT-C 315)	AT-C 315 provides standards for examinations and reviews of an entity's compliance with specified requirements, includin...
SSAE-16	Examinations of Prospective Financial Information (AT-C 305)	AT-C 305 covers examinations of financial forecasts and projections, requiring evaluation of assumptions, preparation, a...

Your Compliance Coverage

If you comply with SSAE 18 - Attestation Standards (SOC Reporting), you already cover:

Azure Security Benchmark

21%

14 controls mapped

Compare →

NIST Cybersecurity Framework 2.0

19%

13 controls mapped

Compare →

NIST SP 800-53 Rev 5

19%

13 controls mapped

Compare →

+ 151 more: SOC 2 (19%), NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements (18%)

See all 154 mapped frameworks ↓

Maps to 154 other frameworks

67 total controls

Azure Security Benchmark

14 source controls mapped|9 target controls covered

21%

NIST Cybersecurity Framework 2.0

13 source controls mapped|18 target controls covered

19%

NIST SP 800-53 Rev 5

13 source controls mapped|22 target controls covered

19%

SOC 2

13 source controls mapped|13 target controls covered

19%

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

12 source controls mapped|11 target controls covered

18%

ISO 27018

12 source controls mapped|8 target controls covered

18%

NIST SP 800-190

12 source controls mapped|8 target controls covered

18%

AWS Well-Architected Security Pillar

12 source controls mapped|8 target controls covered

18%

ISO 27017

12 source controls mapped|8 target controls covered

18%

API 1164

10 source controls mapped|7 target controls covered

15%

NIST SP 1800-32

10 source controls mapped|7 target controls covered

15%

IEC 62443

10 source controls mapped|7 target controls covered

15%

ISO 27019

10 source controls mapped|7 target controls covered

15%

Annex 11 to EU GMP - Computerised Systems

9 source controls mapped|5 target controls covered

13%

ASIS SPC.1-2009 - Organizational Resilience Standard

9 source controls mapped|6 target controls covered

13%

NIST AI Risk Management Framework (AI RMF 1.0)

9 source controls mapped|11 target controls covered

13%

ISO/IEC 27031:2011

9 source controls mapped|6 target controls covered

13%

BSI IT-Grundschutz

9 source controls mapped|10 target controls covered

13%

ISO/IEC 23894:2023

8 source controls mapped|11 target controls covered

12%

UK GDPR (UK General Data Protection Regulation)

8 source controls mapped|3 target controls covered

12%

APRA CPS 230 Operational Risk Management

8 source controls mapped|7 target controls covered

12%

ISO/IEC 27557:2022 - Organisational Privacy Risk Management

8 source controls mapped|9 target controls covered

12%

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

8 source controls mapped|6 target controls covered

12%

SANS Incident Handler's Handbook and PICERL Methodology

8 source controls mapped|7 target controls covered

12%

Barbados Data Protection Act 2019

8 source controls mapped|5 target controls covered

12%

AICPA Privacy Management Framework (PMF)

8 source controls mapped|7 target controls covered

12%

DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)

8 source controls mapped|5 target controls covered

12%

NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI)

8 source controls mapped|12 target controls covered

12%

ISO/IEC 27400:2022

8 source controls mapped|8 target controls covered

12%

ISO/IEC 27011:2024

8 source controls mapped|8 target controls covered

12%

FTC GLBA Safeguards Rule (16 CFR Part 314)

8 source controls mapped|4 target controls covered

12%

Virginia CDPA

7 source controls mapped|2 target controls covered

10%

Uruguay DPL

7 source controls mapped|3 target controls covered

10%

UK AI Regulation Framework

7 source controls mapped|3 target controls covered

10%

Texas Data Privacy Act

7 source controls mapped|2 target controls covered

10%

Taiwan PDPA

7 source controls mapped|2 target controls covered

10%

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)

7 source controls mapped|3 target controls covered

10%

ISO/IEC 29134:2023

7 source controls mapped|6 target controls covered

10%

ISO/IEC 27014:2020

7 source controls mapped|4 target controls covered

10%

Bahrain PDPL

7 source controls mapped|6 target controls covered

10%

ISO 26262:2018 - Functional Safety for Road Vehicles

7 source controls mapped|3 target controls covered

10%

NFPA 1600 - Standard on Continuity, Emergency, and Crisis Management

7 source controls mapped|4 target controls covered

10%

APPI

7 source controls mapped|6 target controls covered

10%

ISO/SAE 21434

7 source controls mapped|5 target controls covered

10%

ASD Strategies to Mitigate Cyber Security Incidents

7 source controls mapped|8 target controls covered

10%

ISO 27043

7 source controls mapped|5 target controls covered

10%

FFIEC IT Examination Handbook

7 source controls mapped|10 target controls covered

10%

APRA CPS 234

7 source controls mapped|11 target controls covered

10%

PCI PIN Security

7 source controls mapped|11 target controls covered

10%

PCI SSF

7 source controls mapped|10 target controls covered

10%

PCI P2PE

7 source controls mapped|10 target controls covered

10%

ISO 19011

6 source controls mapped|5 target controls covered

Authorised Economic Operator (AEO) Programmes - Global Standards

6 source controls mapped|3 target controls covered

ISO/IEC 29147:2018

6 source controls mapped|7 target controls covered

AS9100D - Aerospace Quality Management System

6 source controls mapped|5 target controls covered

ISO/IEC 27003:2017

6 source controls mapped|5 target controls covered

EASA Part-IS - Information Security in Aviation

6 source controls mapped|8 target controls covered

FFIEC Cybersecurity Assessment Tool (CAT)

6 source controls mapped|6 target controls covered

ISO/IEC 23837 - Security Requirements for Quantum Key Distribution

6 source controls mapped|4 target controls covered

ISO/IEC 38500:2024 - Governance of IT

6 source controls mapped|6 target controls covered

ISO 22320:2018

6 source controls mapped|7 target controls covered

COSO Internal Control - Integrated Framework (2013)

5 source controls mapped|4 target controls covered

UK FCA/PRA Operational Resilience Framework

5 source controls mapped|3 target controls covered

ISO 41001:2018 - Facility Management Systems

5 source controls mapped|4 target controls covered

ISO 39001:2012 - Road Traffic Safety Management

5 source controls mapped|4 target controls covered

ISO 22313:2020 - Guidance on Business Continuity Management Systems

5 source controls mapped|4 target controls covered

AML/CTF Act 2006 (Australia)

5 source controls mapped|3 target controls covered

ISO 13485

5 source controls mapped|4 target controls covered

FedRAMP High

5 source controls mapped|2 target controls covered

NIST SP 800-53 Revision 5.1 HIGH

5 source controls mapped|2 target controls covered

FedRAMP Moderate

5 source controls mapped|2 target controls covered

NIST SP 800-53 Rev 5 MODERATE

5 source controls mapped|2 target controls covered

NIST SP 800-53 Rev 5 LOW

5 source controls mapped|2 target controls covered

ISO 27799

5 source controls mapped|3 target controls covered

GDPR

5 source controls mapped|4 target controls covered

FBI CJIS Security Policy

5 source controls mapped|3 target controls covered

ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence

5 source controls mapped|8 target controls covered

IEC 62351 - Power Systems Communication Security

5 source controls mapped|4 target controls covered

Trinidad and Tobago Data Protection Act 2011

5 source controls mapped|5 target controls covered

Tanzania Personal Data Protection Act (Draft)

5 source controls mapped|4 target controls covered

Florida Digital Bill of Rights (FDBR)

5 source controls mapped|3 target controls covered

Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)

5 source controls mapped|6 target controls covered

Illinois Biometric Information Privacy Act (BIPA)

5 source controls mapped|4 target controls covered

ITIL 4

5 source controls mapped|3 target controls covered

ISO 20000-1

5 source controls mapped|3 target controls covered

IEC 62304:2015 Medical Device Software Lifecycle Processes

5 source controls mapped|8 target controls covered

ISO 28001:2007 Supply Chain Security Management

5 source controls mapped|4 target controls covered

ISO 31000:2018

4 source controls mapped|3 target controls covered

ICAO Annex 17 - Aviation Security (AVSEC)

4 source controls mapped|2 target controls covered

APRA SPS 220 Risk Management (Superannuation)

4 source controls mapped|4 target controls covered

ISO 31000

4 source controls mapped|6 target controls covered

ISO 27005

4 source controls mapped|6 target controls covered

AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence

4 source controls mapped|3 target controls covered

ISO 22739:2024 - Blockchain and Distributed Ledger Technologies Vocabulary

4 source controls mapped|5 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

4 source controls mapped|5 target controls covered

ISO 19650 - Organisation and Digitisation of Information about Buildings and Civil Engineering Works (BIM)

4 source controls mapped|4 target controls covered

ISO/IEC 27006:2024

4 source controls mapped|4 target controls covered

ISO/IEC 17025:2017 - General Requirements for Testing and Calibration Laboratories

4 source controls mapped|4 target controls covered

ITU-T X.805 - Security Architecture for End-to-End Communications

4 source controls mapped|3 target controls covered

ISO/IEC 29100:2024

4 source controls mapped|6 target controls covered

Azerbaijan Law on Personal Data (2010)

4 source controls mapped|4 target controls covered

Albania Law on Protection of Personal Data (Law No. 9887, 2008, amended 2014)

4 source controls mapped|3 target controls covered

NIST SP 800-124 Revision 2 - Guidelines for Managing the Security of Mobile Devices

4 source controls mapped|5 target controls covered

UNESCO Recommendation on the Ethics of AI

3 source controls mapped|1 target controls covered

ISO 45001

3 source controls mapped|1 target controls covered

ISO 22000

3 source controls mapped|1 target controls covered

TISAX - Trusted Information Security Assessment Exchange

3 source controls mapped|2 target controls covered

Armenia Law on Protection of Personal Data (2015)

3 source controls mapped|4 target controls covered

MARS-E - Minimum Acceptable Risk Standards for Exchanges

3 source controls mapped|2 target controls covered

ISO 22318

3 source controls mapped|2 target controls covered

ISO 22317

3 source controls mapped|2 target controls covered

ISO 22316

3 source controls mapped|2 target controls covered

COBIT 2019

3 source controls mapped|2 target controls covered

ISO/IEC 27007:2020

3 source controls mapped|2 target controls covered

ISO/IEC 25012:2008 - Data Quality Model

3 source controls mapped|3 target controls covered

WCAG 2.2

3 source controls mapped|1 target controls covered

IEC 60601-1 - Medical Electrical Equipment Safety

3 source controls mapped|4 target controls covered

ISO 37000:2021 - Governance of Organizations

3 source controls mapped|4 target controls covered

21 CFR Part 58 - Good Laboratory Practice (GLP)

3 source controls mapped|3 target controls covered

ISO/IEC 30111:2019

3 source controls mapped|6 target controls covered

IAIS Insurance Core Principles (ICPs)

3 source controls mapped|3 target controls covered

ISO/IEC 29115:2023 - Entity Authentication Assurance Framework

3 source controls mapped|4 target controls covered

ISO 20400:2017 - Sustainable Procurement

3 source controls mapped|3 target controls covered

ISO/IEC 27010:2015

3 source controls mapped|2 target controls covered

3GPP 5G Security Architecture (TS 33.501)

2 source controls mapped|3 target controls covered

Estonia Personal Data Protection Act (Isikuandmete kaitse seadus, 2019)

2 source controls mapped|1 target controls covered

Australian Privacy Principles (APPs)

2 source controls mapped|3 target controls covered

BS 65000:2014 - Guidance on Organizational Resilience

2 source controls mapped|3 target controls covered

ISO 8000 - Data Quality

2 source controls mapped|2 target controls covered

NATO STANAG 4774 (Confidentiality Metadata Labels) and STANAG 4778 (Metadata Binding)

2 source controls mapped|2 target controls covered

ISO 56002

2 source controls mapped|4 target controls covered

ISO 37002:2021 - Whistleblowing Management Systems

2 source controls mapped|3 target controls covered

BRCGS Global Standard for Food Safety Issue 9

2 source controls mapped|3 target controls covered

Automotive SPICE (ASPICE) v4.0 - Process Assessment Model

2 source controls mapped|2 target controls covered

ISO/IEC 27004:2016

2 source controls mapped|3 target controls covered

ISO/IEC 27050 - Electronic Discovery (Parts 1-4)

2 source controls mapped|1 target controls covered

Nebraska Data Privacy Act

2 source controls mapped|2 target controls covered

ISO 14064 - Greenhouse Gas Accounting and Verification (Parts 1-3)

2 source controls mapped|1 target controls covered

21 CFR Part 211 - Current Good Manufacturing Practice

2 source controls mapped|1 target controls covered

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

2 source controls mapped|1 target controls covered

ISO 30401

2 source controls mapped|1 target controls covered

ISO 55001

2 source controls mapped|1 target controls covered

ISO 37301

2 source controls mapped|1 target controls covered

ISO 9001

2 source controls mapped|1 target controls covered

ISO 37001

2 source controls mapped|1 target controls covered

Nevada Gaming Control Board Cybersecurity Requirements

2 source controls mapped|1 target controls covered

NIST SP 800-171

2 source controls mapped|1 target controls covered

Canada ITSG-33 - IT Security Risk Management

2 source controls mapped|1 target controls covered

ISO 27002:2022

1 source controls mapped|1 target controls covered

ISO/IEC 42001:2023

1 source controls mapped|1 target controls covered

ISO 22301:2019

1 source controls mapped|2 target controls covered

Space ISAC (Information Sharing and Analysis Center) - Threat Framework

1 source controls mapped|1 target controls covered

Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

1 source controls mapped|1 target controls covered

Aged Care Quality Standards (Australia)

1 source controls mapped|1 target controls covered

Compare SSAE 18 - Attestation Standards (SOC Reporting) with Azure Security Benchmark

Frequently Asked Questions

What is SSAE 18 - Attestation Standards (SOC Reporting)?

SSAE 18 - Attestation Standards (SOC Reporting) is a compliance framework from International with 20 domains and 67 controls. Statement on Standards for Attestation Engagements No. 18 (SSAE 18) provides the framework for SOC (System and Organization Controls) reporting engagements. It governs SOC 1 (internal controls over financial reporting), SOC 2 (Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy), and SOC 3 reports. Published by the AICPA, it is the standard used by auditors worldwide for service organization control assessments. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does SSAE 18 - Attestation Standards (SOC Reporting) have?

SSAE 18 - Attestation Standards (SOC Reporting) has 67 controls organised across 20 domains. The largest domains are SOC 2 - Security (Common Criteria) (12 controls), SOC 2 - Logical and Physical Access Controls (11 controls), SOC 2 - Additional Trust Services Categories (10 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does SSAE 18 - Attestation Standards (SOC Reporting) map to?

SSAE 18 - Attestation Standards (SOC Reporting) maps to 154 other compliance frameworks. The top mapping partners are Azure Security Benchmark (21% coverage), NIST Cybersecurity Framework 2.0 (19% coverage), NIST SP 800-53 Rev 5 (19% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with SSAE 18 - Attestation Standards (SOC Reporting) compliance?

Start your SSAE 18 - Attestation Standards (SOC Reporting) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about SSAE 18 - Attestation Standards (SOC Reporting) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 67 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required