INFORMATION SECURITY PORTAL
Below are links to different reporting standards. There are reports you can perform yourself, e.g. a self-assessment, and there are reports that require an external audit.
Depending on several parameters, e.g. the size of your business or your customers' requirements, a certain standard may be required. A yearly SOC or ISAE report for customers is what I would call best practice; the reason for this could be legal requirements or to avoid being audited separately by several customers.
Some of the reporting standards are free (self-assessment) and some cost money (primarily time for consulting).
System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.
There are different types of SOC reports, e.g. SOC 1 Type 2, which is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The report requires an independent and rigorous evaluation of internal controls related to financial reporting, policies, and procedures over many months.
International Standard on Assurance Engagements 3402 (ISAE 3402), titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that prescribes Service Organization Control (SOC) reports, which give assurance to an organisation's customers and service users that the service organisation has adequate internal controls. ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB) and is published by the International Federation of Accountants (IFAC).
The ISAE 3000 is a standard for assurance for all other non-financial purposes.
The CIS Controls Self-Assessment Tool, or CIS CSAT, is a free web application that enables security leaders to track and prioritize their implementation of the CIS Controls. CIS CSAT's questions are based on the popular Critical Security Manual Assessment Tool Excel document, and the platform was developed by our partners at EthicalHat. For each CIS Control and sub-control, CSAT helps organizations track their documentation, implementation, automation, and reporting.
Software Assurance Maturity Model (SAMM) - Our mission is to provide an effective and measurable way for all types of organizations to analyze and improve their software security posture. We want to raise awareness and educate organizations on how to design, develop, and deploy secure software through our self-assessment model. SAMM supports the complete software lifecycle and is technology and process agnostic. We built SAMM to be evolutive and risk-driven in nature, as there is no single recipe that works for all organizations.
Direct link to SAMM Assessment.