Information security is a concern for all organisations, including those that outsource key business operations to third-party vendors (e.g. IT, SaaS and cloud-computing providers).
SOC 2 is an auditing procedure that verifies whether your service providers securely manage your data so as to protect the interests of your organisation and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimum requirement when selecting a SaaS provider.
What is SOC 2?
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 defines criteria for managing customer data based on five Trust Service Principles. These are:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Unlike other standards such as the PCI DSS, which impose a rigid, uniform set of requirements, SOC 2 reports are unique to each organisation. In line with its specific business practices, each organisation designs its own controls to comply with one or more of the trust principles.
These internal reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.
There are two types of SOC reports:
- Type I Report – describes a vendor’s systems and whether their design, at a point in time, is suitable to meet the relevant trust principles.
- Type II Report – additionally details the operational effectiveness of those systems over a review period.
SOC 2 Certification
A SOC 2 is an attestation report that provides assurance over the controls of a defined set of the service provider’s systems. Each report covers a defined period of time (usually nine months) agreed between the service auditor and the service provider. SOC 2 certification is issued by external service auditors, who assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.
ERS can help your organisation assess and achieve compliance with the SOC 2 requirements, and can also help facilitate external audits and certification in relation to SOC 2.
For more information please contact us.