What is SOC 2?
Definition and Use
Less commonly known by its longer name, “Systems and Organizations Controls 2”, SOC 2 (or SOC II) is a framework used to help companies demonstrate the security controls that are in place to protect customer data in the cloud. These controls became known as the Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and lastly Privacy. If your organization is considering cloud solution providers, then meeting SOC 2 compliance should be a minimum requirement (check out our comparison of SOC 1 / SOC 2 / SOC 3 and our comparison of SOC 2 with ISO 27001 blogs).

SOC 2 Caveat
SOC 2 is neither a proxy for actual security best practices nor a legal requirement. It is not driven by HIPAA compliance or any other standards or regulations, though the assessments do in fact cover the core departments and processes that interact with sensitive data. Certifications are performed by external auditors, not by any governmental body or agency. There is no ‘pass / fail’ objective to the set of reports; the result is a subjective conclusion in which only the auditor’s opinion is noted on record. Audit reports do not constitute SOC 2 certification as such; they only attest that the organization is compliant, based on the interpretation of a qualified licensed CPA. Nonetheless, SOC 2 is significant in the world of data security and should not be underestimated.

SOC 2 Background
SOC 2 is a formal set of reports produced as the outcome of an audit. This audit is led by a CPA or a certified accountancy organization. It evolved from the Statement on Auditing Standards (SAS) 70, an older audit used to attest to the effectiveness of an organization’s internal controls. It was later renamed the Statement on Standards for Attestation Engagements (SSAE) 16, and once again renamed to Systems and Organizations Control 1 (SOC 1). SOC 2 came about in 2009 because there was a need for a much stricter focus on security (the five Trust Principles).

What is Trust Service Criteria (TSC)?
The five quasi-overlapping categories that work toward the controls used in the SOC 2 reports are:
Who should look to SOC 2 as an organization
Any organization that stores customer data in the cloud should look to SOC 2 as a demonstration of the security roles it uses to protect customer data. In effect, any SaaS company can use SOC 2 as a minimum attestation of compliance.

SOC 2 and compliance
The importance of SOC 2 compliance is that, from the viewpoint of any customer working with a potential vendor, the vendor’s SOC 2 compliance gives them a guarantee of sorts. The customer will receive the assurances and information they need on how the vendor processes user data and keeps it private. And it goes a step further. The AICPA reports also play an important role in the following:
SOC 2 Types
In the big picture, compliance with SOC 2 takes about six months, with third-party assessors completing two separate audits. The SOC 2 Type 1 audit looks at the design of your controls and is a snapshot of the security processes in place at that point in time. The SOC 2 Type 2 audit, on the other hand, verifies your internal controls for operational effectiveness over the longer term. You must complete Type 1 as a prerequisite for Type 2 attestation. Explore our comparison of SOC 1 / SOC 2 / SOC 3.

SOC 2 Type 1
Expect this process to last about two months to allow for implementation, testing and fine-tuning of policies. Once that is complete, the scheduled assessment will typically involve interviews with employees, walk-throughs, and a detailed review of the documentation submitted. A SOC 2 Type 1 report is generated after any necessary exceptions have been clarified.

SOC 2 Type 2
In general, SOC 2 Type 2 audits cover at least six months but can often take up to a year or longer. This is due to the many factors involved in the journey to attestation, including the certification requirements the company must meet. For example, if a company has a very diverse and extensive cybersecurity and IT infrastructure, the audit process will likely take more time than usual to produce a complete SOC report. Other factors affecting the audit scope, such as the kind, location and number of users in the company (i.e. on-site and off-site), will greatly impact the attestation process. Ultimately though, the primary factor affecting the timeline to complete the SOC 2 process is the type of SOC 2 report your company has selected.

SOC 2 Final Audit Report Content
The SOC 2 report content should cover the following:
SOC 2 and Certification
Critical to SOC 2 certification is an organization’s compliance with the Trust Services Criteria explained above (Security, Availability, Processing Integrity, Confidentiality, and Privacy). Not every organization will complete all five principles, as many companies will find criteria that are not relevant to their particular business. What is important is that the organization chooses the correct principles in its application for SOC 2 certification so that they match the scope of the audit. Let’s look at an example. Your data center only offers storage to a specific client, and that client handles all data processing on its end. In this scenario, the security and availability principles apply but not the processing integrity principle. Additionally, if that stored data involves personal information, then the privacy principle would also apply.

ISO 27001 and SOC 2 working together
Check out our comparison of ISO 27001 and SOC 2 and our comparison of SOC 1 / SOC 2 / SOC 3. We shouldn’t be asking which of the two frameworks to use, simply because SOC 2 is an audit report while ISO 27001 was designed as a certifiable standard for establishing a specific Information Security Management System (ISMS). This means that SOC 2 can be seen as an output of the delivery of an ISO 27001 ISMS implementation. The relationship between SOC 2 and ISO 27001 can best be described as follows: while ISO 27001 is not mandatory for a SOC 2 report, the completion of an ISO 27001 ISMS implementation provides (with little cost and effort) a solid basis for the preparation of the SOC 2 report. Additionally, client confidence and trust are further increased when both frameworks are certified as completed within your organization.

How Interfacing Assists in Easing the Burden of SOC 2 and ISO 27001 Documentation
With the growing complexity of managing SOC 2 requirements, organizing information in a central location becomes increasingly important.
When an auditor comes on site, they will assess management’s oversight of its third-party service providers as well as the company’s own controls. The majority of this oversight revolves around documentation and the ability to review it. Proving this to an auditor means providing them with a records management system that offers fast access to the who, when and how of the organization’s operational objectives. Keeping this in mind is what documentation workflow automation is all about. Creating a safe, secure and protected data ecosystem is our commitment to seeing your organization achieve a successful SOC 2 or ISO 27001 certification.

Why Interfacing?
Interfacing’s digital Integrated Management System (IMS) provides you with a tool to control compliance by helping you manage the audit, assessment, non-conformity, CAPA, training, and execution of your underlying business processes. IMS supports control documentation, control testing, audit automation, and more to satisfy SOC 2 attestation. Ultimately, this makes compliance easier and more transparent throughout your organization. Only our Integrated Management System gives your company the ability to automatically and continuously monitor and manage your compliance initiatives. Implementing controls associated with processes and tasks ensures that compliance requirements are followed, while automatic tracking and documentation of all process changes gives management complete oversight. If you would like to see more or discuss how Interfacing can help your organization, be sure to click below. Contact us for more information.

Efficiently govern your business complexity and continuous transformation through process-based quality, performance and compliance management solutions. Compliance is a vital element of the internal control process of any organization, helping control content and reduce costs.
Interfacing’s Digital Twin Organization software provides the transparency and governance needed to improve quality and efficiency and ensure regulatory compliance. Take a moment to read blogs about GXP, regulatory compliance, today’s trends, and much more! Discover how your organization benefits from an Interfacing solution.

A key differentiator of Interfacing from other digital and business transformation consulting firms is that Interfacing offers its own innovative technology solution in support of transformation programs. Interfacing’s software solutions deliver the transparency required to reduce complexity, improve execution and facilitate agility and change. Interfacing’s integrated management system is a one-stop shop for managing transformation programs. We know it’s a very competitive environment out there. It is for that reason that our strength is our commitment to maintaining flexibility throughout the project lifecycle, whether in our innovative products or in our team of experts.
Which principles must always be included in a SOC 2 auditing report?
The principles again are: Security, Availability, Confidentiality, Processing Integrity and Privacy. Security must be included in any SOC 2 audit engagement that is not a privacy-only engagement.

What are the principles of SOC 2?
Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality and privacy.

What is included in a SOC 2 report?
A SOC 2 audit report provides detailed information and assurance about a service organisation's security, availability, processing integrity, confidentiality and privacy controls, based on their compliance with the AICPA's TSC, in accordance with SSAE 18.

Which trust principles are included in Zoho's SOC 2 Type II report?
SOC 2 reports can address one or more of the following principles: Security, Confidentiality, Availability, Processing Integrity, or Privacy.