5 common questions about SOC 2 compliance

Organisations that provide tech services and systems to third parties should be familiar with SOC (Service Organization Control) 2. 

The framework is designed to ensure that relevant organisations – cloud computing providers, Software as a Service companies, etc. – process information securely. 

Service organisations are usually required to pass a SOC 2 audit in order to partner with or provide services to other companies. But what does that involve? And how do you know if you’re compliant? 

We answer these and other questions in this blog. 

1. What is a SOC 2 audit?

A SOC 2 audit provides an in-depth assessment of an organisation’s: 

  • Security; 
  • Availability; 
  • Processing integrity; 
  • Confidentiality; and/or 
  • Privacy controls. 

There are two types of SOC audits: 

  • Type 1: an audit conducted on a specified date. 
  • Type 2: an audit conducted over a specified period of time (usually at least six months). 

The results are collated in an audit report, which is designed to give clients, management and user entities an insight into the adequacy of the organisation’s security measures. 


2. What does a SOC 2 audit report contain?

The audit report is more than just a list of findings and a checklist of compliance requirements. SOC 2 allows plenty of room for interpretation, because every organisation will have its own requirements based on the way it operates. 

As such, the audit report should provide: 

  • An opinion letter; 
  • Management assertion; 
  • A detailed description of the system or service; 
  • Details of the selected trust services categories; 
  • Tests of controls and the results of testing; and 
  • Optional additional information. 

The report should also state whether the organisation complies with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria). This is an industry-recognised, third-party assurance standard for auditing service organisations.  


3. What’s the difference between SOC 1 and SOC 2?

Depending on the service or system you provide, third parties might ask whether you’re SOC 1 or SOC 2 compliant. 

You might think that SOC 2 is an updated version of SOC 1, but they are actually two different frameworks. You might be required to complete one SOC audit or both. 

SOC 1 is less common, and applies when you host financial information that could affect third parties’ financial reporting. 

SOC 2 applies to all other types of sensitive information related to the third party. If you don’t host financial data, this is the only compliance audit you should complete. 

By contrast, if you only host financial information, you don’t need to complete SOC 2. 

Organisations that host both types of data will need to complete both compliance audits. 


4. What are the principles of SOC 2?

We referred to the SOC 2 principles earlier, but let’s take a deeper look. 

  • Security (also known as ‘common criteria’) 

“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.” 

  • Availability 

“Information and systems are available for operation and use to meet the entity’s objectives.” 

  • Processing integrity 

“Information and systems are available for operation and use to meet the entity’s objectives.” 

  • Confidentiality 

“Information designated as confidential is protected to meet the entity’s objectives.” 

  • Privacy controls 

“Personal information is collected, used, retained, disclosed and disposed [of] to meet the entity’s objectives.”


5. How do you know when you’re ready for a SOC 2 compliance audit?

The only way to be sure you’re ready for a SOC 2 compliance audit is to review your systems. You can get help doing that with our SOC 2 Audit Readiness Assessment and Remediation Service. 

One of our expert consultants will advise you on which audit or audits are right for your organisation, and give you all the information you need to pass. 

They’ll do this in two ways. The first is the SOC 2 Audit Readiness Assessment, which compares your organisation’s practices to the AICPA’s TSC, highlighting any requirements where you fall short. 

This is followed by the SOC 2 Remediation Service, which explains the corrective actions your organisation must take to ensure its security controls are sufficient. 
