SOC 2
SOC 2 (System and Organization Controls 2) is a framework developed by the American Institute of Certified Public Accountants (AICPA) that defines how service organisations should manage customer data and protect information systems. It focuses on the Trust Services Criteria, which include security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report is the outcome of an independent audit, providing assurance to clients that the organisation has implemented appropriate processes and controls to meet these criteria.
What SOC 2 Entails
Developed by the AICPA:
The standard is based on established auditing principles from the American Institute of Certified Public Accountants.
Focus on Trust Services Criteria (TSC):
The framework assesses an organization's controls in five key areas:
Security: Protection of systems against unauthorized access.
Availability: Systems are operational and accessible for use.
Processing Integrity: Data processing is complete, accurate, timely, and authorized.
Confidentiality: Confidential information is protected as agreed.
Privacy: Personal information is collected, used, retained, and disclosed in accordance with commitments and recognized privacy principles.
For Service Organizations:
SOC 2 is specifically designed for service organizations, such as cloud providers and SaaS vendors, that store, process, or transmit sensitive data on behalf of their clients.
The SOC 2 Report
An Auditing Framework:
It provides a detailed report of the auditor's findings and opinion on the organization's controls.
Types of Reports:
Type 1: Assesses the design of controls at a specific point in time.
Type 2: Evaluates the operational effectiveness of controls over a specified period (typically 6 months to a year).
Verification:
The report serves as a third-party verification that an organization's systems and data are secure, available, and managed appropriately.
How we do it
Begin with ISO/IEC 27001 control framework – We map your ISO 27001 control framework to the Trust Services Criteria (TSC) to avoid duplication of effort.
Implementation of TSC – We assess your current level of compliance and work with you to implement all of the controls needed to meet the TSC requirements.
Evidence optimisation – We identify the required evidence and conduct an internal audit to gather it, ensuring you are ready for the external audit and making that audit efficient.
Verification & Reporting – We arrange the auditors and manage the audit planning, process and delivery.
Integration – We integrate ISO/IEC 27001 with the SOC 2 programme so that a single annual internal audit process covers both.