
What are the major differences (or the complementary topics) between an SSAE 16 audit and ISO 27001 certification?

A SOC report is likely to be better received by an end-user than an ISO certification. Generally, users of the Service Organization (SO) services would not know what the ISO certification meant, and the report does not cover controls over the initiation, processing and recording of data, making it irrelevant if this info is needed as part of the user's financial audit.

- SOC 1 reports allow for customized controls which are more relevant to end-users and to auditors of user organizations. (And you can get very detailed with your security controls.)
- Additionally, SOC 2 and SOC 3 allow for other specific guidelines from the AICPA Trust Principles surrounding data Security, Availability, Confidentiality and/or Processing Integrity.

So, ISO 27001 is a great way for a company to show it has great security processes. This would be more useful to, let's say, a third party who is providing software and wants to tout that they have their act together. For a third party that hosts and/or processes transactions on behalf of another company, SOC is the way to go.

For an organisation looking to undergo an SSAE SOC 2 audit, who sets the standards for the internal control system? With ISO 2700x it's fairly clear what you need to commit to in order to get a successful audit, and therefore your clients know what you're promising when you tell them you've got it.

Criteria for SOC 2 reviews are based on the AICPA Trust Services criteria. You can get an overview and download them here for free: http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/TRUSTSERVICES/Pages/default.aspx

The only thing with SOC 2s, unlike SOC 1s, is that they are very prescriptive and spell out all the controls an organization must have. Fortunately, they are not too hard to implement, but make sure you go through the trust principles, which spell out what you need to have. Typically, some companies get tripped up because they think they have some of the required controls over security, privacy, etc., but they don't have exactly the controls spelled out in the standards.

Does my company need an SSAE 16? Or do we do it just because someone asks?

The end user would request an SSAE 16 from your organization because they believe that your services affect their financial reporting controls. However, some organizations request an SSAE 16 when they are looking to have an organization demonstrate their controls over non-financial reporting matters such as security, availability, and confidentiality. In that case a SOC 2 would be more appropriate. Just because someone asks for an SSAE 16 doesn't mean that you should always say yes. Have them outline why they are asking for it. Typically, companies put these off unless a really big customer demands one, or some companies use the SOC report as a marketing tool to prove they have good controls. What industry an organization is in also affects these decisions. For example, a data hosting company or payroll processor would almost go out of business without one, because internal controls are so important in these examples. So, it becomes a cost of doing business based on the client base and the type of service organization.

Are these audits called certifications?

Riskpro can assist you in your SOC 1 / SOC 2 attestation. Remember, these are not certifications, because no certificate is issued. Rather, these reviews are in the nature of audits, and an attestation report is provided in accordance with AICPA guidelines (more specifically, SSAE 16).