SOC 2 (System and Organisation Controls 2) compliance is a widely recognised framework for assessing and reporting on the security, availability, processing integrity, confidentiality, and privacy of data within service organisations.
Its requirements differ from other information security standards and frameworks as there is no minimum list of prescriptive controls established for compliance.
Instead, the American Institute of Certified Public Accountants (AICPA) establishes general criteria that can be selected by your organisation to demonstrate that controls are in place to mitigate risks to the service you provide.
Get a Quote
This audit type evaluates your organisation’s systems to determine if their control design aligns with the applicable trust criteria that were implemented at a specific moment in time.
This audit type assesses the ongoing effectiveness of controls over a specified duration. Typically, user organisations and their auditing teams opt for a six-month timeframe for evaluation.
Enhance your global reputation and competitive advantage by following an internationally recognised standard
Avoid financial penalties and reputational damage associated with a data breach
Easily implement controls that help ensure compliance and accelerate certification to other frameworks (e.g IS0 27001)
This service is crafted to not only guarantee your business’s adherence to the established criteria but also to furnish transparent and easily auditable evidence of SOC 2 compliance, all while minimising any disruption to your business, operations, and resource allocation.
At a minimum, SOC 2 reports must include the Security or Common Criteria — any other TSCs selected will depend on your business requirements.
The Trust Services Criteria are selected from the following:
Security: This TSC ensures protection against unauthorised access, encompassing both physical and logical security. It examines aspects like logical access to critical infrastructure, such as source code repositories, and covers elements like password parameters, network device configurations, firewalls, and physical security measures safeguarding key infrastructure.
Availability: Here, the focus is on ensuring that the system is accessible and operational as intended and agreed upon. Compliance with availability criteria necessitates documented business continuity and disaster recovery plans and procedures. It also involves regular backups and recovery testing.
Confidentiality: This criterion safeguards information marked as ‘Confidential’ as per policy or agreement. It’s important to note that confidentiality criteria are distinct from privacy criteria. They apply to the protection of confidential data, including intellectual property and shared information from business partners.
Processing Integrity: This TSC ensures that system processing is complete, accurate, and authorised. Processing integrity isn’t as frequently addressed as availability and confidentiality TSCs and typically applies to systems involved in transaction processing, like payment systems.
Privacy: The privacy criteria come into play when handling ‘personal information’ within the system. It’s crucial to differentiate privacy criteria from confidentiality criteria, as the former is concerned with personal data, while the latter pertains to other types of sensitive information.
Once the TSC selection and Confirmation have been completed, we’ll work with your organisation to proceed with the following;
Assessment and Remediation: Where controls are insufficient or not present to demonstrate compliance to a selected TSC, we’ll recommend cost-effective remedial actions to ‘fill the gap’ and demonstrate compliance. We’ll also recommend controls that are most effective in the people, process, or technology.
Upon completion of the first four steps, we’ll conduct a workshop with your business stakeholders to ensure their understanding of the findings and SOC 2 compliance requirements. The workshop seeks to guide attendees through the steps required to obtain a favourable Type 1, SOC 2 Report.
Our service comes with fixed pricing with no unexpected added costs. Additionally, we offer a managed service to conduct penetration testing on a continual basis.
This service can be delivered on-site or remotely using cutting-edge technology to maintain the security of our communications. Whichever method you opt for, quality service and hands-on expertise are provided.
Risk Crew helps you maintain compliance with a variety of support services including risk assessments, security testing and staff awareness training.
We think deeply, question assumptions, detect cause and effect and deliver measurable results. No one else does that. Our deliverables produce metrics you can use to monitor and manage real-world cyber risks.
Instil customer confidence and strenghten your information security posture with SOC 2 Compliance.
Get a mini-gap assessment and advice from an ISO 27001 expert. Schedule a call or online meeting.
Learn what is required to achieve your SOC 2 Report.
Learn how your organisation can begin to prepare for its first stage audit.
There are five Trust Services Principles, that comprise a SOC 2 report: Security, Availability, Processing Integrity, Confidentiality and Privacy.
An audit report is comprised of the auditor’s assessment of how well the organisation’s controls fit these principles.
SOC 1 involves the audit of a service provider’s accounting and financial controls. SOC 2 is an audit of a service provider’s information security controls. SOC 2 compliance is a minimal requirement when choosing a SaaS provider.
The SOC 2 reporting process can take anywhere from 6 to 12 months (on average) depending on the maturity of your controls. Find out how to estimate your organisation’s timeline to compliance in our blog post – How Long Does it Take to Get SOC 2 Compliance?
SOC 2 is often a contractual requirement for technology-based service providers, who process, transmit or store their customer’s information on cloud-based platforms.
This includes businesses that provide SaaS, cloud-based services or use the cloud to store individual customer information.
