All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base
Company Security and customers first
About News Partners Careers Contact
Hicomply I
Hicomply app
Solutions Get a demo

Developed by the American Institute of CPAs (AICPA), SOC 2 is a set of information security compliance controls relevant to security, availability, processing integrity, confidentiality and privacy. The SOC 2 framework was designed to help service organisations build customer trust and confidence by way of a report completed by an independent Certified Public Accountant (CPA).

What is SOC 2?

In industries that are highly regulated, it’s key to work with suppliers that can prove that they can secure sensitive data - and manage it carefully! In line with these requirements, SOC 2 reports can offer prospective customers oversight of the organisation being considered as a supplier, including its supplier management processes, the risk management procedures it has in place and any regulatory oversight. The reports are categorised in two types:

  • SOC 2 Type 1 – this is a report that outlines the suitability of the controls to the organisation’s system, undertaken at a specific point in time. The report gives potential customers and prospective customers the confidence that their data is safe.
  • SOC 2 Type 2 – unlike SOC 2 Type 1, this report covers a longer period of time, usually six to twelve months. A SOC 2 Type 2 report covers the efficacy of the organisation’s controls to accomplish control objectives over the course of a specific timeframe and describes what an organisation is actually doing to protect its customer data.

Often, stakeholders, users and customers require detailed information about controls relevant to an organisation’s system security, availability and processing integrity. This assures relevant parties of the organisation’s data processing and information confidentiality and privacy. Stakeholders here include:

  • The organisation’s management;
  • Parties charged with governance of the service organisation;
  • Customers;
  • Regulators;
  • Business partners;
  • Third-party suppliers.

SOC 2 Compliance

The controls for SOC 2 fall under the following primary categories:

Additional criteria include:

  • A1. Additional criteria for availability;
  • C1. Additional criteria for confidentiality;
  • PI1. Additional criteria for processing integrity;
  • P1-P8. Additional criteria for privacy.

SOC 2 Control Guidance

Control

Guidance

CC1. Control environment

Controls CC1.1-CC1.5.4. require the organisation to demonstrate a commitment to integrity and ethical values.

Example control: The employee handbook must include the organisation’s conduct, ethics and confidentiality requirements.

CC2. Communication and information

Controls CC2.1-CC2.3.11. require that the organisation attains or produces and uses relevant, quality information to assist the operation of internal control.

Example control: The security standards policy should be available to all personnel with system configuration responsibilities.

CC3. Risk assessment

Controls CC3.1-CC3.4.5. require that the organisation specifies objectives with adequate transparency to allow the detection and assessment of risks relating to its outlined objectives.

Example control: The organisation’s risk assessment procedure must include the analysis of possible threats and susceptibilities resulting from suppliers providing goods and services, as well as threats and vulnerabilities from any other entities with access to the organisation’s information systems.

CC4. Monitoring activities

Controls CC4.1-CC4.2.3 require that the organisation develops and undertakes continuing or individual assessments to determine whether the elements of internal control are present and functioning.

Example control: Continuous assessments are built into organisational procedures and are altered in line with changing conditions.

CC5. Control activities

Controls CC5.1-CC5.3.6. require the organisation to select and develop control actions that contribute to the alleviation of risks and the success of objectives to satisfactory standards.

Example control: The organisation must undertake control activities in a timely manner, as defined by the policies and procedures.

CC6. Logical and physical access controls

Controls CC6.1-CC6.8.5 require that the organisation protects safeguarded information assets by applying:

  • Access security software;
  • Infrastructure;
  • Architectures.

To meet the organisation’s security goals.

Example control: The organisation uses physical barriers, visitor logging, a security alarm, and video surveillance to monitor and restrict access to its office and resources within the office.

CC7. System operations

Controls CC7.1-CC.7.5.6. require that the organisation uses detection and monitoring procedures to pinpoint:

  • Changes to configurations that result in new weaknesses;
  • Susceptibilities to newly discovered weaknesses.

In order to meet its objectives.

Example control: The organisation must develop, document, and implement an incident response plan.

CC8. Change management

Controls CC8.1-8.1.15. require that the organisation implements changes to:

  • Infrastructure;
  • Data;
  • Software;
  • Procedures.

To meet its SOC 2 objectives. This includes authorising, configuring, documenting, testing, approving and implementing these changes.

Example control: The organization must develop and implement official change management practices.

CC9. Risk mitigation

Controls CC9.1-CC9.2.12. require the organisation to identify, select and develop risk mitigation actions for any risks arising as a result of possible business disruptions.

Example control: The organisation must acquire and review service level agreements (SLAs) from all critical third-party service providers.

Achieving SOC 2 Compliance With Hicomply

Looking to achieve successful SOC 2 reports? The Hicomply platform will guide you through preparing for SOC 2 Type 2 reports. It will get your organisation ready for an independent service assessor’s report on your service organisation’s system relevant to security, availability, confidentiality, processing integrity and privacy, as well as the suitability of design and operating effectiveness of your controls for a fixed period.

The Hicomply SOC 2 framework will allow you to be audit ready - and as such, be guided to conform to the TSP Section 100 Principles and Criteria and criteria for security and confidentiality throughout the period.

Once your independent Service Assessors’ Report is created, you can then upload that report into Hicomply.

Ready to become SOC 2 compliant quickly and easily?

Book your demo.