• Home
  • Product
  • Solutions
    • SOC 2
    • ISO 27001
    • Continuous Compliance
  • Auditors
  • Resources
  • Glossary
  • About
  • Contact
  • Login
  • Book a Demo

What You Should Know About Meeting SOC 2 Compliance

What is SOC 2?

SOC 2 stands for “System and Organization Controls 2” (the framework was formerly called “Service Organization Controls”), one of the SOC report types developed and maintained by the American Institute of Certified Public Accountants (AICPA).

  • Service Organizations: Organizations that provide software, computing resources, and/or information systems to other organizations as a service, typically via cloud computing.
  • System and Organization Controls (SOC): a framework of recommendations and reporting requirements from the AICPA intended to define, establish, and maintain the trustworthiness of service organizations.


There are three types of SOC reports. Each is produced by an independent CPA auditor working with the appropriate people from the service organization’s business and technical management.

  • SOC 1 covers controls relevant to a customer’s internal control over financial reporting.
  • SOC 2 covers controls relevant to the security, availability, processing integrity, confidentiality, and privacy of the systems that handle customer data, including personally identifiable information (PII).
  • SOC 3 is a general-use summary of a SOC 2 examination, written for readers who do not need control-level detail and suitable for public distribution.

There are also three variations of SOC 2 reporting. In each case the examination of systems and policies that leads to the report is performed by the auditor.

  • SOC 2 Type 1 reports assess the design of a service organization’s controls at a single point in time.
  • SOC 2 Type 2 reports assess both the design and the operating effectiveness of those controls over a review period, commonly 6 or 12 months. Type 2 is the report most customers ask for, because it shows the controls actually worked over time.
  • SOC 2+ reports combine the SOC 2 examination with one or more additional frameworks or standards, such as the Health Insurance Portability and Accountability Act (HIPAA).

The AICPA is the national professional association of Certified Public Accountants (CPAs) in the United States. Founded in 1887, it has more than 428,000 members in 130 countries. CPAs must pass a rigorous certification exam and complete continuing professional education to keep their licenses. A SOC 2 report can only be issued by a licensed CPA firm, which is why SOC 2 compliance auditors are CPAs.

At a high level, a SOC 2 report is a strong signal of trust to the customers of a SaaS provider. Essentially, it is an independent assessment of whether the vendor:

  • Has suitable policies and controls in place to protect customer data and keep its service up and running when customers need it.
  • Actually operates those controls as described (for a Type 2 report, throughout the review period).

The yardstick the auditor measures these controls against is the AICPA’s Trust Services Criteria.

SOC 2 Compliance Framework – The Trust Services Criteria

The SOC 2 examination and report are guided by the AICPA’s Trust Services Criteria (TSC). The criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy are used by CPAs when providing advisory or attestation services that evaluate the controls within an entity’s cyber risk management program or SOC 2 engagement. The framework is organized into five categories:

Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, or privacy of information or systems and affect the entity’s ability to meet its objectives.

Availability – Information and systems are available for operation and use to meet the entity’s objectives.

Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.

Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Requirements – Security is the only mandatory category: its criteria, known as the common criteria, appear in every SOC 2 report, and the other four categories are added when they are relevant to the service being offered. Each criterion is supported by points of focus covering areas such as policies, communication, procedures, and monitoring, which help the auditor judge whether the organization’s controls meet that criterion. The controls themselves are chosen by the service organization, so each SOC 2 report is unique to the organization that commissions it.

  • Who writes the SOC 2 report?

    A SOC 2 report contains content from both your organization and the auditor. Management writes its assertion and the description of the system (the service, its boundaries, and the controls in place during the audit period). The auditor writes the independent service auditor’s report, which states the opinion, and the section that lists the Trust Services Criteria, the related controls, the tests performed, and their results. Audit firms number these sections differently, but the opinion is always the auditor’s alone.

  • Why do accountants get involved in SOC 2?

    SOC reports are attestation engagements performed under AICPA standards, so they can only be issued by licensed CPA firms. Accounting firms are held to strong independence requirements and have a duty to serve the public interest and uphold trust in their profession. Alongside their traditional financial audit work, they maintain teams that specialize in technical audits of topics such as cybersecurity and disaster recovery, which map directly onto SOC 2.

  • How often do you need to complete a SOC 2?

    Generally at least annually. A Type 2 report covers a fixed review period, so customers expect a fresh report each year with no gap between periods. The right policies, procedures, processes, and technologies let your business monitor its compliance continuously between audits instead of scrambling to collect evidence before each one. Continuous compliance – being audit-ready all the time – is the goal.

  • SOC 2 Monitoring Requirements

    SOC 2 requires that your business credibly demonstrate the ability to detect and alert on unauthorized, unusual, or suspicious activity involving proprietary data or personally identifiable information (PII). The relevant controls usually concern system configurations (logging enabled, changes tracked) and user access restrictions (least privilege, timely removal of access for leavers). Alerts that identify unauthorized access to customer information, or other anomalous behavior around proprietary data or PII, are central to meeting these requirements, and the auditor will ask for evidence that the alerts fire and that someone acts on them.
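To make the monitoring requirement above concrete, here is an added example (not Trustero’s code and not part of the original page) of the kind of detection logic an auditor expects to see evidence of: it reads newline-delimited JSON access events, checks each read of a PII dataset against a role-based access policy, and raises alerts for unauthorized actions, access by deactivated accounts, bulk exports, and malformed log lines. The event format, the policy table, the deactivated-account list and the sample events are all constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample events (not real logs): one JSON object per line, as an
# application or database proxy might emit for reads of customer data.
SAMPLE_EVENTS = """\
{"ts": "2023-05-01T09:12:04Z", "principal": "alice", "role": "support", "dataset": "customers.pii", "action": "read", "rows": 3}
{"ts": "2023-05-01T09:15:40Z", "principal": "bob", "role": "marketing", "dataset": "customers.pii", "action": "read", "rows": 1}
{"ts": "2023-05-01T09:20:11Z", "principal": "carol", "role": "engineer", "dataset": "customers.pii", "action": "export", "rows": 250000}
{"ts": "2023-05-01T09:22:30Z", "principal": "dave", "role": "support", "dataset": "customers.pii", "action": "read", "rows": 2}
{"ts": "2023-05-01T09:25:02Z", "principal": "alice", "role": "support", "dataset": "billing.invoices", "action": "read", "rows": 10}
"""

# Hypothetical access policy: which roles may perform which actions on
# datasets tagged as containing PII. Anything not listed is unauthorized.
PII_DATASETS = {"customers.pii"}
PII_POLICY = {
    "support": {"read"},
    "engineer": {"read"},
    "compliance": {"read", "export"},
}
# Hypothetical: accounts whose access has been revoked (e.g. off-boarded staff)
# but that still appear in logs, which is exactly what the control must catch.
DEACTIVATED = {"dave"}
# Bulk-access threshold above which a single event is treated as anomalous.
BULK_ROWS = 10_000


def evaluate_event(event):
    """Return the list of alert reasons for one parsed event (empty if clean)."""
    reasons = []
    if event["principal"] in DEACTIVATED:
        reasons.append("deactivated-account")
    if event["dataset"] in PII_DATASETS:
        allowed = PII_POLICY.get(event["role"], set())
        if event["action"] not in allowed:
            reasons.append("unauthorized-action")
        if event["rows"] >= BULK_ROWS:
            reasons.append("bulk-access")
    return reasons


def monitor(lines):
    """Parse newline-delimited JSON events and return alerts as dicts."""
    alerts = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
            # Validate the timestamp so a truncated or tampered line is noticed.
            datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
            reasons = evaluate_event(event)
        except (ValueError, KeyError, TypeError):
            # Unparseable evidence is itself a finding: gaps in log integrity
            # undermine the monitoring control, so surface them instead of skipping.
            alerts.append({"principal": None, "reasons": ["malformed-event"], "raw": raw})
            continue
        if reasons:
            alerts.append({"principal": event["principal"], "reasons": reasons, "raw": raw})
    return alerts


def summarize(alerts):
    """Count alerts by reason, the kind of per-period figure an auditor asks for."""
    return Counter(reason for alert in alerts for reason in alert["reasons"])


if __name__ == "__main__":
    found = monitor(SAMPLE_EVENTS)
    for alert in found:
        print(alert["principal"], alert["reasons"])
    print(dict(summarize(found)))
```

On the sample above the monitor flags bob (marketing has no PII entitlement), carol (export is not permitted for engineers, and 250,000 rows trips the bulk threshold) and dave (a deactivated account still reading PII), while alice’s reads are clean. In practice the policy table would be generated from the identity provider rather than hard-coded, and every alert would be routed to a ticket so the auditor can sample both the alert and the response.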

How does Trustero help?

Trustero Compliance as a Service combines modern technologies, including cloud computing, artificial intelligence (AI), automation, and community knowledge. It enables service organizations to achieve and sustain SOC 2 compliance while keeping critical procedures and processes intact, without expensive investment in computing hardware or services. Trustero provides:

Automated Discovery

Automated discovery of your production and IT infrastructures, operational processes, and procedures

Automated Evidence Gathering and Monitoring

Automated evidence gathering and monitoring to help achieve and sustain continuous compliance

SOC 2 Compliance Audit

Streamlined audit processes that reinforce a rhythm of continuous compliance fine-tuned for your specific business needs

SOC 2 Compliance

A credible, demonstrable, effective, and sustained compliance posture that connects your business with your prospects and partners robustly and securely

See Trustero in Action

Get a Demo

© 2023 Trustero. All rights reserved. Trustero is a registered trademark.