SOC2

SOC 2, originally known as Service Organization Control 2 and now System and Organization Controls 2, reports on an organization's controls relating to security, availability, processing integrity, confidentiality and privacy. These five areas are defined by the AICPA Trust Services Criteria (formerly the Trust Services Principles and Criteria). SOC 2 reports come in two forms: Type I and Type II.

SOC 2 TYPE I

 ________________________________________ 

A SOC 2 Type I report evaluates an organization's controls at a specific point in time. The goal is to determine whether the controls exist and are suitably designed to meet the selected trust services criteria and thus protect customer data; it does not test whether the controls operated effectively over time. Type I audits and reports can be completed in a matter of weeks.

 

SOC 2 TYPE II

 ________________________________________ 

A SOC 2 Type II report examines how well the system and controls of a service organization have operated over a defined period of time (usually 3 to 12 months). The auditor tests operational evidence from that period to determine whether the controls worked as designed throughout it. The audit work itself, from planning through to the issued report, typically takes between 3 and 6 months.

 

SOC 2 TYPE I vs. SOC 2 TYPE II

 ________________________________________ 

Both types of SOC 2 report must be performed by an independent, licensed CPA audit firm.

When choosing a report type, the key question is whether it is realistic to have the controls verified over an entire audit period, or whether this is a first engagement and compliance with all requirements is not yet assured. If verification over a full period is not possible (for example because the controls have only recently been introduced), it is preferable to obtain a Type I report first and move to a Type II afterwards. A second case is a first SOC 2 audit: when the client wants to confirm that the controls are in place before committing to a Type II, a Type I report is prepared. A third option is a plain check that the controls exist at all; in that case we recommend a pre-assessment of how well the internal controls meet the SOC 2 requirements.

 

PROCESS 

 
STEP 1:

CHOOSE YOUR REPORT TYPE

Before you invite an auditor into your office, you first need to decide what type of SOC 2 report your service organization needs. Alternatively, an auditor can help you and suggest the most appropriate report type for your situation.
STEP 2

DEFINE THE AUDIT SCOPE

First, decide whether you will seek a SOC 2 audit at the company level or for a specific product or service. Next, decide what audit period you will require (the recommended length for a Type II is at least 6 months). Finally, select the trust services criteria to be covered. Security is required in every SOC 2 report; the other four criteria (availability, processing integrity, confidentiality and privacy) are added as needed, and you can start with a few and add others in later audits. Certain industries effectively require particular criteria. For example, a healthcare company that must meet HIPAA requirements will usually add Privacy (and often Confidentiality) alongside Security. After selecting the period and criteria, you need to determine which information security controls and systems are in scope.

Then collect all documentation on these systems and controls. During the audit, the auditor will review this documentation together with your systems and controls to determine whether they are designed and operating effectively. Some of the documents you may need to provide include:

asset inventories, change management records, equipment maintenance records, system backup records, code of conduct and ethics policies, business continuity and incident response plans, and so on.

It is also advisable to discuss all criteria with the auditor to ensure that they are chosen correctly.

STEP 3

PERFORM A GAP ANALYSIS

Now that you have all your systems, controls and documents in place, you need to compare where you stand with what SOC 2 compliance requires. This gap analysis identifies any areas where your controls fall short in protecting customer data, so that you can create a remediation plan and close the gaps before the formal SOC 2 audit.

 

The audit firm may also carry out a readiness assessment. During the readiness assessment, the audit firm performs its own gap analysis, provides recommendations, and explains the requirements of the trust services criteria you have selected.

STEP 4

COMPLETE THE READINESS ASSESSMENT

In preparation for the audit, a SOC auditor may also answer any questions or concerns you have.

 

CRITERIA

SOC 2 is based on the five Trust Services Criteria (formerly the Trust Services Principles) as defined by the American Institute of Certified Public Accountants (AICPA).

These trust services criteria cover the essential elements of cybersecurity. The Security criteria, which apply to every SOC 2 report, include the control environment, risk assessment and risk mitigation, monitoring of controls, logical and physical access controls, system operations and change management.

THE FIVE TRUST SERVICES CRITERIA ARE: