SOC 2 Compliance

Get the expertise and documentation you need for compliance success

What Is SOC 2 and How to be Compliant

SOC 2 (System and Organisation Controls 2) compliance is a widely recognised framework for assessing and reporting on the security, availability, processing integrity, confidentiality, and privacy of data within service organisations.

Its requirements differ from other information security standards and frameworks as there is no minimum list of prescriptive controls established for compliance.

Instead, the American Institute of Certified Public Accountants (AICPA) establishes general criteria that can be selected by your organisation to demonstrate that controls are in place to mitigate risks to the service you provide.

Types of SOC 2 Reports

SOC 2 TYPE 1

This audit type evaluates your organisation’s systems to determine if their control design aligns with the applicable trust criteria that were implemented at a specific moment in time.

SOC 2 TYPE 2

This audit type assesses the ongoing effectiveness of controls over a specified duration. Typically, user organisations and their auditing teams opt for a six-month timeframe for evaluation.

How Your Organisation Can Benefit From SOC 2 Certification

Enhance your global reputation and competitive advantage by following an internationally recognised standard

Avoid financial penalties and reputational damage associated with a data breach

Easily implement controls that help ensure compliance and accelerate certification to other frameworks (e.g IS0 27001)

Select an item to explore

Review of Current Controls: Our team of experts will review the current controls you have implemented to ensure the security, availability confidentiality, processing integrity, and privacy (known collectively as Trust Service Criteria or TSC) of your existing data assets.

Assessment of Controls: Controls are assessed for effectiveness and documented beside the applicable key performance indicators. The results will indicate the quickest route to a successful audit.

At a minimum, SOC 2 reports must include the Security or Common Criteria — any other TSCs selected will depend on your business requirements.

The Trust Services Criteria are selected from the following:

Security: This TSC ensures protection against unauthorised access, encompassing both physical and logical security. It examines aspects like logical access to critical infrastructure, such as source code repositories, and covers elements like password parameters, network device configurations, firewalls, and physical security measures safeguarding key infrastructure.
Availability: Here, the focus is on ensuring that the system is accessible and operational as intended and agreed upon. Compliance with availability criteria necessitates documented business continuity and disaster recovery plans and procedures. It also involves regular backups and recovery testing.
Confidentiality: This criterion safeguards information marked as ‘Confidential’ as per policy or agreement. It’s important to note that confidentiality criteria are distinct from privacy criteria. They apply to the protection of confidential data, including intellectual property and shared information from business partners.
Processing Integrity: This TSC ensures that system processing is complete, accurate, and authorised. Processing integrity isn’t as frequently addressed as availability and confidentiality TSCs and typically applies to systems involved in transaction processing, like payment systems.
Privacy: The privacy criteria come into play when handling ‘personal information’ within the system. It’s crucial to differentiate privacy criteria from confidentiality criteria, as the former is concerned with personal data, while the latter pertains to other types of sensitive information.

Once the TSC selection and Confirmation have been completed, we’ll work with your organisation to proceed with the following;

Mapping Controls: Document the policy reference, relevant SOC 2 Trust Services Criteria (TSC), the implemented control, its purpose, key performance metrics, and testing procedures to assess its ongoing effectiveness.
Provide Evidence: Clearly illustrate how policies relate to testing provide concrete evidence of SOC 2 TSC compliance, streamlining the Auditor’s work and supplying crucial report data.

Assessment and Remediation: Where controls are insufficient or not present to demonstrate compliance to a selected TSC, we’ll recommend cost-effective remedial actions to ‘fill the gap’ and demonstrate compliance. We’ll also recommend controls that are most effective in the people, process, or technology.

Upon completion of the first four steps, we’ll conduct a workshop with your business stakeholders to ensure their understanding of the findings and SOC 2 compliance requirements. The workshop seeks to guide attendees through the steps required to obtain a favourable Type 1, SOC 2 Report.

	Competitive and Transparent Pricing Our service comes with fixed pricing with no unexpected added costs. Additionally, we offer a managed service to conduct penetration testing on a continual basis.		On-going Support Risk Crew helps you maintain compliance with a variety of support services including risk assessments, security testing and staff awareness training.
	Flexible Delivery This service can be delivered on-site or remotely using cutting-edge technology to maintain the security of our communications. Whichever method you opt for, quality service and hands-on expertise are provided.		100% Satisfaction Guarantee We think deeply, question assumptions, detect cause and effect and deliver measurable results. No one else does that. Our deliverables produce metrics you can use to monitor and manage real-world cyber risks.

Our Certifications and Accreditations

FAQs

There are five Trust Services Principles, that comprise a SOC 2 report:Security, Availability, Processing Integrity, Confidentiality and Privacy.

An audit report is comprised of the auditor’s assessment of how well the organisation’s controls fit these principles.

SOC 1 involves the audit of a service provider’s accounting and financial controls. SOC 2 is an audit of a service provider’s information security controls. SOC 2 compliance is a minimal requirement when choosing a SaaS provider.

The SOC 2 reporting process can take anywhere from 6 to 12 months (on average) depending on the maturity of your controls. Find out how to estimate your organisation’s timeline to compliance in our blog post: How Long Does it Take to Get SOC 2 Compliance?

SOC 2 is often a contractual requirement for technology-based service providers, who process, transmit or store their customer’s information on cloud-based platforms.

This includes businesses that provide SaaS, cloud-based services or use the cloud to store individual customer information.

Ready to Start Preparing for Your SOC 2 Report?

Fill in the form and Nick will contact you within 24 hours.

Send a message

Contact details

Social media

SOC 2 Compliance

What Is SOC 2 and How to be Compliant

Types of SOC 2 Reports

How Your Organisation Can Benefit From SOC 2 Certification

Select an item to explore

Competitive and Transparent Pricing

On-going Support

Flexible Delivery

100% Satisfaction Guarantee

Our Certifications and Accreditations

FAQs

Access More SOC 2 Resources

Get a mini-gap assessment and advice from an ISO 27001 expert. Schedule a call or online meeting.

Learn what is required to achieve your SOC 2 Report.

Learn how your organisation can begin to prepare for its first stage audit.

Ready to Start Preparing for Your SOC 2 Report?

This service is crafted to not only guarantee your business’s adherence to the established criteria but also to furnish transparent and easily auditable evidence of SOC 2 compliance, all while minimising any disruption to your business, operations, and resource allocation.