ICANN Completes 2023 Audit on Service Organization Controls for IANA functions

The Internet Corporation for Assigned Names and Numbers (ICANN) has completed another year of audits of the key systems used to deliver the Internet Assigned Numbers Authority (IANA) functions. The accounting firm, RSM US LLP, conducted two Systems and Organization Control audits: a SOC2 audit of the Registry Assignment and Maintenance Systems and a SOC3 audit of Root Zone Domain Name System Security Extensions (DNSSEC) services for the 12-month periods ending 30 September 2023 and 30 November 2023 respectively.

For the fourteenth consecutive year, an exception-free audit has been completed for the management of the Root DNSSEC Key Signing Key (KSK) securing the Domain Name System (DNS). Using the SOC 3 framework, the audit demonstrates that effective security, availability, and processing integrity controls exist to manage the root KSK. The report is publicly available here.

During this year's audit period, in addition to customary quarterly key signing operations, routine evolutionary activities took place such as introducing new hardware and Trusted Community Representatives. While a new KSK was generated in early 2023, that work was suspended in lieu of restarting the work in 2024 using a newer technical platform.

The SOC2 audit identified four exceptions during the period. While all identified issues have been remediated, this is the first time in many years any exceptions have been identified. These learnings will be used to strengthen operational practices across ICANN org.

"When the exceptions were identified by the auditors in August 2023, the ICANN organization took immediate steps to remedy them," said Kim Davies, Vice President of IANA Services and President of PTI. "We have also implemented additional procedures to address the identified issues moving forward."

In the next year, ICANN is planning to conduct a SOC3 audit in addition to the SOC2 audit for the Registry Assignment and Maintenance Systems. This will provide greater transparency, as it will result in the publication of a high-level report covering these systems, much like the report provided for Root KSK operations audit.

SOC audits evaluate an organization's controls in relation to "trust services principles and criteria" and are managed by the American Institute of Certified Public Accountants (AICPA). These independent third party audits form an important part of ICANN's multifaceted accountability for the IANA functions to the multistakeholder community.

ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address - a name or a number - into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a nonprofit public benefit corporation with a community of participants from all over the world.