Developed by the American Institute of CPAs (AICPA), SOC 2 is an attestation framework that evaluates a service organisation's controls against the Trust Services Criteria for security, availability, processing integrity, confidentiality and privacy. It is designed to help service organisations build customer trust by way of a report issued by an independent Certified Public Accountant (CPA) who has examined those controls.
What is SOC 2?
In highly regulated industries, it is essential to work with suppliers that can prove they secure sensitive data and manage it carefully. SOC 2 reports give prospective customers visibility into the organisation they are considering as a supplier, including its own supplier management processes, the risk management procedures it has in place and any regulatory oversight it is subject to. The reports come in two types:
- SOC 2 Type 1 – this report describes the organisation's system and assesses whether its controls are suitably designed to meet the relevant criteria, as of a specific point in time. It gives prospective customers confidence that appropriate controls exist, but it does not test whether those controls actually operated.
- SOC 2 Type 2 – unlike a Type 1 report, this report covers a review period, usually six to twelve months. It assesses both the design and the operating effectiveness of the organisation's controls over that period, and so describes what the organisation is actually doing, day to day, to protect its customers' data. Customers that need ongoing assurance will generally ask for a Type 2 report.
Stakeholders, users and customers often require detailed information about the controls relevant to an organisation's system security, availability and processing integrity, and about how it protects the confidentiality and privacy of the data it processes. A SOC 2 report provides that assurance to the relevant parties. Stakeholders here include:
- The organisation’s management;
- Parties charged with governance of the service organisation;
- Business partners;
- Third-party suppliers.
SOC 2 Compliance
The SOC 2 controls are organised around the Trust Services Criteria. The Common Criteria (CC1–CC9) apply to the security category and fall under the following headings:
- CC1. Control environment;
- CC2. Communication and information;
- CC3. Risk assessment;
- CC4. Monitoring activities;
- CC5. Control activities;
- CC6. Logical and physical access controls;
- CC7. System operations;
- CC8. Change management;
- CC9. Risk mitigation.
The remaining categories are only in scope if the organisation includes them in its report, and each adds criteria on top of the Common Criteria:
- A1. Additional criteria for availability;
- C1. Additional criteria for confidentiality;
- PI1. Additional criteria for processing integrity;
- P1-P8. Additional criteria for privacy.
SOC 2 Control Guidance
CC1. Control environment
Controls CC1.1–CC1.5.4 require the organisation to demonstrate a commitment to integrity and ethical values, supported by governance oversight, defined structures and reporting lines, competent personnel and clear accountability for internal control.
Example control: The employee handbook must include the organisation’s conduct, ethics and confidentiality requirements.
CC2. Communication and information
Controls CC2.1–CC2.3.11 require that the organisation obtains or generates, and uses, relevant and high-quality information to support the operation of internal control, and that it communicates control responsibilities internally and externally.
Example control: The security standards policy should be available to all personnel with system configuration responsibilities.
CC3. Risk assessment
Controls CC3.1–CC3.4.5 require that the organisation specifies its objectives with sufficient clarity to allow the identification and assessment of risks to those objectives, considers the potential for fraud, and identifies changes that could significantly affect its system of internal control.
Example control: The organisation's risk assessment procedure must include analysis of the threats and vulnerabilities arising from suppliers that provide goods and services, as well as from any other entity with access to the organisation's information systems.
CC4. Monitoring activities
Controls CC4.1–CC4.2.3 require that the organisation selects, develops and performs ongoing and/or separate evaluations to determine whether the components of internal control are present and functioning, and that it evaluates and communicates any deficiencies in a timely manner.
Example control: Ongoing evaluations are built into organisational procedures and are adjusted as conditions change.
CC5. Control activities
Controls CC5.1–CC5.3.6 require the organisation to select and develop control activities that mitigate the risks to achieving its objectives to acceptable levels, including general controls over technology, and to deploy those activities through policies and procedures.
Example control: The organisation must undertake control activities in a timely manner, as defined by the policies and procedures.
CC6. Logical and physical access controls
Controls CC6.1–CC6.8.5 require that the organisation restricts logical and physical access to protected information assets, covering user registration and authorisation, authentication, removal of access when it is no longer needed, protection of data in transit and at rest, and protection against unauthorised or malicious software, in order to meet its security objectives.
Example control: The organisation uses physical barriers, visitor logging, a security alarm, and video surveillance to monitor and restrict access to its office and resources within the office.
CC7. System operations
Controls CC7.1–CC7.5.6 require that the organisation uses detection and monitoring procedures to identify security events and vulnerabilities, evaluates those events to determine whether they are incidents, and responds to and recovers from identified incidents, in order to meet its objectives.
Example control: The organisation must develop, document and implement an incident response plan.
CC8. Change management
Controls CC8.1–CC8.1.15 require that the organisation manages changes to its systems in a controlled way to meet its SOC 2 objectives. This includes authorising, configuring, documenting, testing, approving and implementing those changes.
Example control: The organisation must develop and implement a formal change management process.
CC9. Risk mitigation
Controls CC9.1–CC9.2.12 require the organisation to identify, select and develop risk mitigation activities for risks arising from potential business disruptions, and to assess and manage the risks associated with its vendors and business partners.
Example control: The organisation must acquire and review service level agreements (SLAs) from all critical third-party service providers.
Achieving SOC 2 Compliance With Hicomply
Looking to achieve a successful SOC 2 report? The Hicomply platform guides you through preparing for a SOC 2 Type 2 report. It gets your organisation ready for an independent service auditor's report on your system as it relates to security, availability, confidentiality, processing integrity and privacy, covering both the suitability of the design and the operating effectiveness of your controls over a defined period.
The Hicomply SOC 2 framework allows you to be audit ready by guiding you to conform to the TSP Section 100 Trust Services Criteria, including the criteria for security and confidentiality, throughout the review period.
Once the independent service auditor's report has been issued, you can upload it into Hicomply alongside your evidence.
Ready to become SOC 2 compliant quickly and easily?