SOC 2 is an abbreviation of “Report 2 of the System and Organization Controls” (sometimes called “service organization controls”), a reporting framework developed and overseen by the American Institute of Certified Public Accountants (AICPA).
There are three types of SOC assessments and reports. These assessments and the resulting reporting are overseen by a compliance auditor in collaboration with appropriate personnel from a service organization’s business and technical management.
There are also three variations of SOC 2 reporting. In every case, the audits of systems and policies that lead to the creation of these reports are led by compliance auditors.
At a high level, a SOC 2 report is intended to serve as a strong signal of trust to customers of SaaS providers. Essentially, it’s an assessment of whether the SaaS vendor:
The SOC 2 auditing and reporting process is guided by a framework called the Trust Services Criteria. The Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy are intended for CPAs providing advisory or attestation services to evaluate the controls within an entity’s cyber risk management program or SOC 2 engagements. The Trust Services Criteria framework is built upon five specific criteria:
Security – A business’s data and computing systems are protected against unauthorized access, unauthorized or inappropriate disclosure of information, and damage to systems that could compromise the processing integrity, availability, confidentiality, or privacy of data or systems, and thereby affect the entity’s ability to meet its objectives.
Availability – All information and computing systems are always ready and available to meet the entity’s objectives.
Processing Integrity – All system processing is complete, accurate, valid, timely, and authorized to ensure that the entity meets its objectives.
Confidentiality – Any information designated as confidential remains secure to meet the entity’s objectives.
Privacy – All personal information collected, used, retained, stored, disclosed, or disposed of must meet the entity’s objectives.
Requirements – These five essential criteria are modeled around four broad areas of requirements – Policies, Communications, Procedures, and Monitoring. Each area provides the key information that helps determine whether a service organization complies with the Trust Services Criteria. However, each SOC 2 report will be unique to the organization being audited.
A SOC 2 report contains content from both your organization and the auditors. For instance, the company itself writes sections like Section 1: Management’s Assertion and Section 3: Management’s Description of the Service for the given audit period, whereas the auditors will compose the Section 2: Independent Service Auditor’s Report and Section 4: Trust Service Category, Criteria, Related Controls, and Tests of Controls.
Accounting firms enforce strong independence requirements and have a duty to serve the public interest and uphold the public trust in their profession. In addition to their traditional role of financial audit, accounting firms have teams of people who focus on technical audits related to topics like cybersecurity and disaster recovery, which are directly related to SOC 2.
Generally, you’ll need to complete a SOC 2 audit at least annually. However, the right policies, procedures, processes, and technologies enable your business to achieve and monitor your compliance continuously during the times when you are not directly preparing for or executing a SOC 2 audit. Continuous compliance – being ready all the time – is the goal.
Compliance with SOC 2 requires that your business credibly demonstrate the ability to monitor and provide alerts about any unauthorized, unusual, or suspicious activity related to proprietary data or personally identifiable information (PII). Relevant SOC 2 controls usually focus on system configurations and user access restrictions. Alerts that identify unauthorized access to customer information or any other anomalous behavior related to proprietary data or PII are crucial in meeting SOC 2 requirements.
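To make the monitoring requirement above concrete, here is an added example (not code from this page or from Trustero) of the kind of access-alerting logic a control owner might run over application audit logs. The access policy, network ranges, thresholds and the audit lines themselves are constructed for illustration and are not taken from any real SOC 2 report; the pipe-delimited log format is likewise an assumption. It flags four conditions on PII data sets: access by a role the policy does not permit, access from outside the corporate networks, access outside business hours, and bulk reads.

```python
"""Access monitoring for PII data sets: flag unauthorized and anomalous reads.

Hypothetical example. Policy, networks, thresholds and log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set

# Constructed access policy: which roles may read each PII data set.
PII_ACCESS_POLICY = {
    "customers.pii": {"support", "compliance"},
    "billing.pii": {"finance"},
}
# Constructed allow-list of corporate networks from which PII access is expected.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
BUSINESS_HOURS_UTC = range(8, 19)   # 08:00 to 18:59 UTC, assumed business hours
BULK_READ_THRESHOLD = 500           # rows in one event before it counts as a bulk read


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    dataset: str
    rows: int
    src_ip: str


@dataclass
class Alert:
    rule: str
    user: str
    dataset: str
    detail: str


def parse_event(line: str) -> AccessEvent:
    """Parse one audit line in the assumed format: ts|user|role|dataset|rows|src_ip."""
    ts, user, role, dataset, rows, src_ip = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, role, dataset, int(rows), src_ip)


def evaluate(event: AccessEvent) -> List[Alert]:
    """Apply the four PII access rules to a single event; non-PII data sets are out of scope."""
    alerts: List[Alert] = []
    allowed_roles: Optional[Set[str]] = PII_ACCESS_POLICY.get(event.dataset)
    if allowed_roles is None:
        return alerts
    if event.role not in allowed_roles:
        alerts.append(Alert("unauthorized_pii_access", event.user, event.dataset,
                            f"role {event.role!r} not in {sorted(allowed_roles)}"))
    src = ip_address(event.src_ip)
    if not any(src in net for net in CORPORATE_NETWORKS):
        alerts.append(Alert("pii_access_from_unknown_network", event.user, event.dataset,
                            f"source {event.src_ip} not in corporate ranges"))
    if event.ts.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
        alerts.append(Alert("pii_access_outside_business_hours", event.user, event.dataset,
                            f"accessed at {event.ts.isoformat()}"))
    if event.rows >= BULK_READ_THRESHOLD:
        alerts.append(Alert("bulk_pii_read", event.user, event.dataset,
                            f"{event.rows} rows read in one request"))
    return alerts


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every non-empty audit line through the rules and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        if line.strip():
            alerts.extend(evaluate(parse_event(line)))
    return alerts


# Constructed sample audit log (not real data).
SAMPLE_LOG = """
2024-03-04T10:15:00+00:00|alice|support|customers.pii|3|10.1.2.3
2024-03-04T10:20:00+00:00|bob|engineering|customers.pii|12|10.1.2.9
2024-03-04T02:05:00+00:00|carol|finance|billing.pii|5|203.0.113.7
2024-03-04T11:00:00+00:00|dave|support|customers.pii|20000|192.168.1.20
2024-03-04T11:05:00+00:00|erin|support|public.docs|1|8.8.8.8
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"[{alert.rule}] user={alert.user} dataset={alert.dataset}: {alert.detail}")
```

Each alert names the rule that fired, which is what an auditor will ask to see tied back to a documented control: the point is not the specific thresholds but that the organization can show the rule, the evidence it produced, and who reviewed it.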
Trustero Compliance as a Service is a combination of modern technologies, including cloud computing and artificial intelligence (AI), automation, and community knowledge. Trustero enables service organizations to achieve and sustain SOC 2 compliance while keeping critical procedures and processes intact, without expensive investment in computing hardware or services. Trustero provides:
Automated discovery of your production and IT infrastructures, operational processes, and procedures
Automated evidence gathering and monitoring to help achieve and sustain continuous compliance
Streamlined audit processes that reinforce a rhythm of continuous compliance fine-tuned for your specific business needs
A credible, demonstrable, effective, and sustained compliance posture that connects your business with your prospects and partners robustly and securely