Joint Standard Compliance and the Limits of “Substitute Standards”

By wynand83, 1 day ago

South Africa’s financial-services regulatory environment has materially evolved with the introduction of Joint Standard 1 of 2023 and Joint Standard 2 of 2024, issued by the Financial Sector Conduct Authority and the Prudential Authority.

These Joint Standards establish formal expectations for IT governance, cybersecurity capability, and cyber resilience within regulated financial institutions.

A recurring question in the market is whether existing certifications and assurance standards can serve as substitutes for demonstrating compliance.

My professional view is clear:

Substitute standards can support compliance — but without structured, clause-level mapping and gap analysis, they will not meet regulatory expectations.


What the Joint Standards Require

The Joint Standards extend beyond technical security controls. They embed cybersecurity into governance, risk management, and resilience at an institutional level.

Regulatory expectations include:

  • Board and governing body accountability for IT and cybersecurity

  • Integration of IT and cyber risk into enterprise risk management

  • Formal cyber resilience capability, including recovery and continuity

  • Structured third-party risk governance aligned to materiality

  • Incident response and regulatory reporting capability

  • Ongoing monitoring and evidence of operating effectiveness

  • A documented and defensible residual cyber risk position

This is not a checklist exercise. It is a governance and resilience framework.


The Role — and Limits — of Substitute Standards

Institutions frequently rely on:

  • ISO/IEC 27001

  • ISO/IEC 22301

  • ISAE 3402 reports (Type I and Type II)

  • NIST Cybersecurity Framework

  • SOC 1 / SOC 2 reports

These frameworks are valuable and often form part of a mature control environment.

However, none of them were written to demonstrate compliance with the Joint Standards.

They differ in:

  • Regulatory specificity

  • Governance expectations

  • Accountability structures

  • Reporting triggers

  • Materiality requirements

  • Cyber resilience emphasis

Without explicit mapping, gaps remain untested and potentially unidentified.


ISAE 3402: A Precise Clarification

It is important to distinguish between Type I and Type II reports.

An ISAE 3402 Type I report:

  • Assesses control design

  • At a specific point in time

  • Does not test operating effectiveness over a defined period

This is insufficient on its own to demonstrate regulatory compliance where ongoing effectiveness is expected.

An ISAE 3402 Type II report:

  • Assesses both control design and implementation

  • Tests operating effectiveness

  • Over a defined review period

Therefore, it is accurate that a Type II report does test control effectiveness.

However, ISAE 3402 is primarily designed around controls relevant to financial reporting and financial systems at service organisations.

It does not automatically address:

  • Board-level IT governance requirements

  • Institutional accountability under the Joint Standards

  • Enterprise-wide cyber risk governance

  • Regulatory reporting obligations

  • Cyber resilience capability beyond financial system controls

  • Materiality tiering expectations

The Joint Standards are broader than financial control assurance.

Accordingly, even a Type II ISAE 3402 report, while valuable evidence, does not equate to Joint Standard compliance unless it is explicitly mapped and evaluated against each regulatory requirement.


Why Clause-Level Mapping Is Essential

A defensible compliance position requires:

  • Explicit clause-to-clause mapping between the Joint Standards and existing controls

  • Identification of partial alignments and uncovered requirements

  • Clear allocation of accountability

  • Assessment of operating effectiveness

  • Documentation of residual risk

High-level domain alignment is insufficient.

True mapping should identify gaps. If an assessment concludes full alignment without enhancement areas, it likely lacks depth.


The Risk of False Comfort

Certifications and assurance reports can create the impression of compliance.

However:

  • ISO certifications confirm conformity to ISO standards — not to the Joint Standards

  • ISAE 3402 confirms effectiveness of specific service organisation controls — not full regulatory alignment

  • NIST CSF supports maturity assessment — not compliance confirmation

Regulators do not regulate certifications. They regulate institutions.

Without structured integration and documented alignment, reliance on substitute standards risks creating perceived compliance rather than demonstrable compliance.


Professional Opinion

ISO standards, ISAE 3402 Type II reports, SOC reports, and NIST frameworks are all valuable components of a mature control environment.

However, none of these standards — individually or collectively — satisfy the Joint Standards without:

  • Clause-level mapping

  • Gap identification

  • Proportionality and materiality analysis

  • Institutional accountability assessment

  • Independent challenge and documented conclusions

Substitution without integration is not compliance.

Effective mapping is not administrative overhead. It is the mechanism that converts supporting standards into defensible regulatory compliance.

Without it, institutions risk relying on comfort instead of evidence — and regulators are unlikely to accept comfort as compliance.
