What is SOC 2
SOC stands for Service Organization Controls (the AICPA has since renamed the suite System and Organization Controls). There are several types of SOC report. Simply put, a SOC 1 report covers controls relevant to a customer's financial reporting, while a SOC 2 report covers non-financial controls. Specifically, SOC 2 gives service providers (such as software and cloud companies) a way to have an independent auditor verify the controls they use to protect and secure customer data and to keep it available.
Service Organization Controls reports are designed to help service organizations that operate information systems, or provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report issued by an independent certified public accountant (CPA).
The AICPA Assurance Services Executive Committee (ASEC) has developed a set of principles and criteria (trust services principles and criteria) to be used in evaluating controls relevant to the security, availability, or processing integrity of a system, or the confidentiality or privacy of the information processed by a system.
SOC 2 is an AICPA report in which a service auditor provides an opinion on controls relevant to one or more of the following principles:
- Security: The system is protected against unauthorized access, use, or modification to meet the entity's commitments and system requirements.
- Availability: The system is available for operation and use to meet the entity's commitments and system requirements.
- Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's commitments and system requirements.
- Confidentiality: Information designated as confidential is protected to meet the entity's commitments and system requirements.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's commitments and system requirements.
A report can address any one or more of these principles, but once a principle is in scope every criterion belonging to it must be addressed, unless a specific criterion is deemed not applicable to the system.
For each principle there are detailed criteria that serve as benchmarks: they are used to measure and present the subject matter, and the practitioner evaluates the subject matter against them. The attributes of suitable criteria are objectivity, measurability, completeness and relevance.
SOC reports cover situations where one company outsources some portion of its business or technology to another company. Examples of service providers for which a SOC 2 report might be relevant include cloud service providers, customer call centers and outsourced enterprise IT services.
SOC 2 Trust Services Criteria
Many of the criteria used to evaluate a system are shared among all of the principles; for example, the criteria related to risk management apply to the security, availability, processing integrity, confidentiality and privacy principles alike. As a result, the trust services criteria consist of criteria common to all five principles (the common criteria) plus additional principle-specific criteria for availability, processing integrity, confidentiality and privacy.
For the security principle, the common criteria constitute the complete set of criteria. For the availability, processing integrity, confidentiality and privacy principles, the complete set consists of the common criteria plus the criteria specific to each principle addressed by the engagement.
The criteria for a principle addressed by the engagement are considered complete only if all of the criteria associated with that principle are addressed. The common criteria are organized into seven categories:
- Organization and management.
- Communications.
- Risk management and design and implementation of controls.
- Monitoring of controls.
- Logical and physical access controls.
- System operations.
- Change management.
Before SOC 2 existed, reports based on the trust services principles were branded WebTrust and SysTrust; SOC 2 is their successor for service organizations.
There has been a major update to SOC 2 since its initial implementation: the 2017 Trust Services Criteria realigned the common criteria with the COSO internal control framework. Contact us to learn more about SOC 2+ (a SOC 2 report extended with additional subject matter, such as the criteria of another framework) and how it can be leveraged to reduce overall compliance cost and effort.
What we offer
If you are already preparing for a SOC 2 examination (an attestation report issued by a CPA firm, not a certification), we provide independent consultancy so that you get through the audit successfully and without unnecessary effort.
If you wish to be examined by us, we have the means to perform the audit of your systems.
Type I Report
We help you prepare a Type I report, which describes your system and the design of its controls as of a point in time.
Type II Report
We verify the operating effectiveness of the implemented and described controls over the review period covered by the report.
We assess the current status of your systems and give you a report of the changes you need to make to obtain an AICPA SOC 2 report.
We take advantage of the documentation you already have from another standard, such as ISO/IEC 27001, to reduce the effort required. If you wish, we will accompany you through the ISO 27001 certification and the SOC 2 examination in parallel.