What is SOC2

SOC 2 (Systems and Organizations Controls 2) is a framework that AICPA (Association of International Certified Professional Accountants) introduced, based on the Trust Services Criteria. It is designed to help companies demonstrate the security controls they use to protect customer data, controls that a company is expected to have in place today to compete in the market. Each Trust Services Criterion (TSC) is divided into Points of Focus, each of which can be a single security control, a combination of security controls, or a link to one or more security controls. SOC 2 is similar to ISO 27001, though it allows the company more flexibility in how it meets the criteria.
SOC 2 is about the ability to report on the design of controls (and/or the testing and operating effectiveness of those controls) for a service organization.

The trust services principles on which the report is based, the controls a service organization would include in its description, and the tests of controls a service auditor would perform for a specific type 2 SOC 2 engagement will vary based on the specific facts and circumstances of the engagement. Accordingly, it is expected that actual type 2 SOC 2 reports will address different principles and include different controls and tests of controls that are tailored to the service organization that is the subject of the engagement.

SOC 2 trust categories:

  • Security
    To meet its objectives, information and systems are protected against unauthorized access (physical and logical). This category includes:
    • CC1.0 – The Control Environment
    • CC2.0 – Communication and information
    • CC3.0 – Risk assessment
    • CC4.0 – Monitoring of controls
    • CC5.0 – Control activities related to the design and implementation of controls
    • CC6.0 – Logical and physical access
    • CC7.0 – System operations
    • CC8.0 – Change management
    • CC9.0 – Risk Mitigation
  • Availability
    Information and systems are available for operation and use. This category includes three criteria:

    • A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
    • A1.2: The entity authorizes, designs, develops, or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
    • A1.3: The entity tests recovery plan procedures supporting system recovery to meet its objectives.
  • Confidentiality
    Confidential information is protected according to policy or agreement to meet the entity’s objectives. This category includes two criteria:

    • C1.1: The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
    • C1.2: The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
  • Processing Integrity
    System processing is complete, accurate, and authorized. This category includes five criteria:

    • PI1.1: The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.
    • PI1.2: The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.
    • PI1.3: The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.
    • PI1.4: The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.
    • PI1.5: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.
  • Privacy
    Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. This category includes:

    • P1.0: Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy
    • P2.0: Privacy Criteria Related to Choice and Consent
    • P3.0: Privacy Criteria Related to Collection
    • P4.0: Privacy Criteria Related to Use, Retention, and Disposal
    • P5.0: Privacy Criteria Related to Access
    • P6.0: Privacy Criteria Related to Disclosure and Notification
    • P7.0: Privacy Criteria Related to Quality
    • P8.0: Privacy Criteria Related to Monitoring and Enforcement

SOC 2 Types

  • A SOC 2 Type 1 report covers a service organization’s system and the suitability of the design of its controls at a point in time. It shows the current systems and controls and reviews the documentation around those controls.
  • A SOC 2 Type 2 report is very similar to the Type 1 report, except that evidence of control effectiveness is described and evaluated over a period of at least six months, to see whether the systems and controls in place are functioning as defined by the management of the service organization.