SOC 2, also known as Service Organization Control 2, is a set of criteria and an audit procedure geared towards tech companies and providers that store confidential customer data in the cloud.
SOC 2 is a set of guidelines for compliance requirements for companies that use cloud-based storage of customer data. SOC 2 is an essential component of your organisation’s regulatory oversight, vendor management programs, and governance.
SOC 2 is a technical audit, and it requires comprehensive information security policies and procedures to be written and followed.
Created by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), SOC 2 is expressly designed for service providers storing customer data in the cloud. This means that SOC 2 applies to nearly every SaaS company, as well as any company that uses the cloud to store customer data and their customers’ information.
The purpose of a SOC 2 report is to evaluate an organisation’s information systems concerning their security, availability, processing integrity, confidentiality and privacy.
Before 2014, only companies providing services in the cloud were required to meet SOC 1 compliance requirements. Currently, any company storing customer data in the cloud must meet SOC 2 requirements to minimise risk and exposure to that data.
Choosing to protect against data breaches is not just a defensive strategy. It can also help your company grow: passing a SOC 2 audit assures customers and prospects that their data is protected against malicious threats such as damaging breaches.
SOC 2 compliance can strengthen a company’s reputation by documenting, evaluating, and improving its internal controls.
Type 2 certification is not the only SOC report companies can earn, but it is one of the most robust.
SOC 2 Type 2 certification can benefit organisations in the following ways:
A SOC 1 report focuses on the performance of outsourcing services by organisations that are relevant to a company’s financial reporting.
A SOC 2 report addresses the risks of outsourcing to third-party providers in areas that are not financial reporting. These reports rely on Trust Services Criteria, covering five categories: security, availability, processing integrity, confidentiality and privacy.
SOC 3 reports are similar to SOC 2 reports. They’re general-use reports that the service organisation can use as a marketing tool and provide to prospective customers.
SOC 2 reports attest to the effectiveness of a service organisation’s internal controls relevant to five Trust Services Categories (formerly known as trust services principles) established by AICPA.
Organisations will periodically evaluate the effectiveness of their policies and procedures governing unauthorised access to information and take appropriate steps when a breach occurs.
The information and systems in an organisation need to be both available for use and operational to meet the entity’s objectives.
The system processes the transaction accurately, on time, and with authorisation.
If data is considered confidential, access and disclosure must be restricted to a specified set of people. Examples include company personnel, business plans, intellectual property and other sensitive financial information.
Personally identifiable information (PII) must be collected, used, disclosed and disposed of in a secure way. Protecting customer and client information from unauthorised access is a top priority for service organisations that process, store, or transmit data belonging to external clients.
SOC 2 is an auditing procedure that makes certain your service providers securely manage your data to protect the interests of you and your organisation. SOC 2 compliance is a minimal requirement for security-conscious businesses when considering a SaaS provider.
SOC 2 isn’t a prescriptive list of controls, tools, or processes. Instead, it gives the criteria that must be in place to maintain robust information security. This lets each company adopt practices and procedures relevant to its objectives and operations.
ISMS.online can provide you with a platform to get you on the way to achieving SOC 2 compliance. Each section of SOC 2 is detailed in the secure platform, making it easy to follow. This cuts down on your workload, costs and the stress of not knowing if you have done everything right.
Numerous benefits of SOC 2 compliance include:
A SOC 2 audit can only be performed by a licensed Certified Public Accountant (CPA) firm specialising in information security.
Auditors who perform SOC audits are regulated by and must adhere to the rules set by the AICPA.
In addition, an audit must follow specific guidance related to planning and executing procedures. AICPA members must also undergo a peer review to ensure the audits they conduct are done according to acceptable auditing standards.
A SOC 2 report assures service organisation clients, management, and user entities of the suitability and effectiveness of security-relevant controls.
The SOC 2 audit generally includes the following:
While SOC 2 refers to a set of audit reports, ISO 27001 is a standard that establishes requirements for an Information Security Management System (ISMS).
The question shouldn’t be either ISO 27001 or SOC 2, because SOC 2 is an audit report and ISO 27001 is a standard for establishing information security management systems. A SOC 2 report can be viewed as one of the outputs that an ISMS implementation can deliver.
ISO 27001 certification is not mandatory to create a SOC 2 report, but an ISO 27001 ISMS can provide a solid basis for preparing this document without major additional cost and effort. This will increase customers’ confidence that the organisation can protect their information.
| | ISO/IEC 27001 | SOC 2 |
|---|---|---|
| Structure | International Standard | Attestation Standard |
| Location | Worldwide | USA Based |
| What’s Audited? | The design and operating effectiveness of your Information Security Management System (ISMS) at a point in time | Type 1: The design of controls at a point in time. Type 2: The design and operating effectiveness of controls over a period of time |
| Result | An audit report is provided to the organisation and an ISO certificate, if certification is granted | SOC 2 Attestation Report (SOC 2 is not a certification) |
| Expiration | 3 Years | 1 Year |
| Trust Services Criteria | ISO/IEC 27001 Control & Requirement |
|---|---|
| TSC – SECURITY | A.6.1.5 (Information security in project management – 1 control) |
| | A.6 (Mobile devices and teleworking – 2 controls) |
| | A.8.1.3 (Acceptable use of assets – 1 control) |
| | A.11.2 (Equipment – 9 controls) |
| | A.13 (Communications security – 7 controls) |
| TSC – CONFIDENTIALITY | A.8.2 (Information classification – 3 controls) |
| | A.13.2 (Information transfer – 3 controls) |
| | A.9.1 (Business requirements of access control – 2 controls) |
| | A.9.2 (User access management – 6 controls) |
| | A.9.4 (System and application access control – 5 controls) |
| TSC – PROCESSING INTEGRITY | A.14 (System acquisition, development and maintenance – 13 controls) |
| TSC – AVAILABILITY | A.17 (Information security aspects of business continuity management – 4 controls) |
| TSC – PRIVACY | A.18.1.1 (Identification of applicable legislation and contractual requirements – 1 control) |
| | A.18.1.4 (Privacy and protection of personally identifiable information – 1 control) |
Both the Type I and II SOC 2 reports provide an independent assessment of the service organisation, including their description of controls and expert opinions on management representation. These two report types also have equal procedures for assessing suitability among system designs.
The main difference between a SOC 1 and SOC 2 is that SOC 1 focuses on an organisation’s internal controls that can impact customers’ financial statements. In contrast, SOC 2 focuses on operational controls outlined by the AICPA’s Trust Services Criteria.
Work performed by the service auditor for SOC 2 and SOC 3 reports is very similar. Both report to AICPA standards, so the controls identified and tested are typically the same for both reports. The key difference between these two statements is in their reporting. A SOC 3 is always a Type II and does not have the option for Type I. Additionally, SOC 2 reports are restricted use, designed to be used by management, customers, and their customers’ auditors.
SOC 3 reports are less detailed than SOC 1 and SOC 2 reports because they contain little to no confidential information. The service organisation can distribute them freely, and they are more appropriate as general-use documents with little detail.
This report doesn’t go much into detail about the system and how it operates, what controls were tested, and the results of those tests. SOC 3 is a great way to market yourself to prospective customers, but, on its own, SOC 3 would typically not satisfy current customer needs or their auditors.