PiTuKri ISAE 3000 Type II Report
Overview
Amazon Web Services (AWS) has completed the PiTuKri ISAE 3000 Type 2 Report. The International Standard on Assurance Engagements (ISAE) 3000 is a standard applied to audits of internal controls, sustainability, and compliance with laws and regulations. Completion of the ISAE 3000 Type 2 Report verifies that AWS’s control environment is appropriately designed and implemented to align with the Criteria for Assessing the Information Security of Cloud Services (PiTuKri) requirements. AWS’s alignment with PiTuKri requirements demonstrates our continuous commitment to meeting the heightened expectations for cloud service providers set by the Finnish Transport and Communications Agency, Traficom.
The PiTuKri ISAE 3000 Type 2 Report, conducted by an independent third-party audit firm, provides Finnish customers with the assurance that AWS’s control environment is appropriately designed and implemented to address security requirements expected from cloud service providers. Additionally, the report provides customers with important guidance on complementary user entity controls (CUECs), which they should consider implementing as part of AWS’s Shared Responsibility Model to help them comply with PiTuKri requirements. Customers can use the AWS PiTuKri ISAE 3000 report as a tool to conduct their due diligence on AWS, which may minimize the effort and costs required for compliance.
What is PiTuKri?
Criteria for Assessing the Information Security of Cloud Services (PiTuKri) is a guidance document published by Traficom’s Cyber Security Centre for assessing the security of cloud computing services.
What services are covered by the PiTuKri attestation report?
The AWS services that are in scope of the PiTuKri attestation report can be found within AWS Services in Scope by Compliance Program.
What does this mean to me as a customer?
The PiTuKri ISAE 3000 Type 2 Report, conducted by an independent third-party audit firm, provides Finnish customers with the assurance that AWS’s control environment is appropriately designed and implemented to address security requirements expected from cloud service providers. Additionally, the report provides customers with important guidance on complementary user entity controls (CUECs), which they should consider implementing as part of AWS’s Shared Responsibility Model to help them comply with PiTuKri requirements. Customers can use the AWS PiTuKri ISAE 3000 report as a tool to conduct their due diligence on AWS, which may minimize the effort and costs required for compliance.
Can I get a copy of the PiTuKri ISAE 3000 Type 2 Report?
Yes. The audit report can be downloaded via AWS Artifact.
Why is AWS offering the PiTuKri ISAE 3000 report to Finnish customers?
PiTuKri is designed to meet Finland’s national needs; the criteria are intended for use by customers to assess the security of cloud services. AWS takes compliance seriously and offers tools such as this ISAE 3000 report for our Finnish customers to assess AWS against the PiTuKri requirements.