What is SOC-2, and why is it important?
SOC-2, which stands for System and Organization Controls 2, was created by the AICPA in 2010. SOC-2 is a security framework that specifies how your business should protect customer data from unauthorised access, breaches, data leaks, and other security vulnerabilities.
Put simply, SOC-2 offers guidance for third-party service providers that store customer data in the cloud. This guidance allows your business to evaluate, monitor, and optimise its security protocols so that this data is less at risk of compromise. By implementing SOC-2, your business establishes trust between service providers and customers.
What are the benefits of SOC-2?
SOC-2 strengthens your business’s security protocols, helping you avoid system vulnerabilities that can lead to costly data leaks and breaches.
However, that’s not all – there is also a wealth of benefits for your business in the long run when you become SOC-2 compliant. These include, but aren’t limited to, the following:
- Staying ahead of your competitors: Stakeholders increasingly value security compliance when partnering with organisations, and SOC-2 compliance demonstrates your business’s dedication to protecting customer data.
- Protecting your brand's reputation: A breach can be detrimental to a business’s reputation, so by avoiding a breach through strengthened security, your business avoids these consequences.
- Achieving other certifications: By adhering to the SOC-2 controls, policies, and procedures, your business will also meet the compliance standards of other security certifications.
How do SOC-2 audits work?
In highly regulated industries, it’s key to work with suppliers that can prove they secure sensitive data – and manage it carefully! In line with these requirements, SOC-2 reports offer prospective customers an overview of the organisation being considered as a supplier, including its supplier management processes, the risk management procedures it has in place and any regulatory oversight. The reports are categorised into two types:
- SOC-2 Type 1 – This report outlines the suitability of the design of the controls for the organisation’s system at a specific point in time. It gives prospective customers confidence that their data is safe.
- SOC-2 Type 2 – Unlike SOC-2 Type 1, this report covers a longer period, usually six to twelve months. It covers the effectiveness of the organisation’s controls in accomplishing their control objectives over that timeframe and describes what the organisation is actually doing to protect its customer data.
Stakeholders, users and customers often require detailed information about the controls relevant to an organisation’s system security, availability and processing integrity, and about how the organisation safeguards the confidentiality and privacy of the information it processes. Stakeholders here include:
- The organisation’s management;
- Parties charged with governance of the service organisation;
- Customers;
- Regulators;
- Business partners;
- Third-party suppliers.
What is SOC-2 compliance?
The SOC-2 controls fall under the following primary categories:
Additional criteria include:
- A1. Additional criteria for availability.
- C1. Additional criteria for confidentiality.
- PI1. Additional criteria for processing integrity.
- P1-P8. Additional criteria for privacy.
What is SOC-2 Control Guidance?
| Control | Guidance |
| --- | --- |
| CC1. Control environment | Controls CC1.1-CC1.5.4 require the organisation to demonstrate a commitment to integrity and ethical values. Example control: The employee handbook must include the organisation’s conduct, ethics and confidentiality requirements. |
| CC2. Communication and information | Controls CC2.1-CC2.3.11 require that the organisation obtains or produces and uses relevant, quality information to support the operation of internal control. Example control: The security standards policy should be available to all personnel with system configuration responsibilities. |
| CC3. Risk assessment | Controls CC3.1-CC3.4.5 require that the organisation specifies objectives with sufficient clarity to allow the identification and assessment of risks relating to those objectives. Example control: The organisation’s risk assessment procedure must include the analysis of possible threats and vulnerabilities arising from suppliers providing goods and services, as well as threats and vulnerabilities from any other entities with access to the organisation’s information systems. |
| CC4. Monitoring activities | Controls CC4.1-CC4.2.3 require that the organisation develops and performs ongoing or separate evaluations to determine whether the components of internal control are present and functioning. Example control: Ongoing evaluations are built into organisational procedures and are adjusted in line with changing conditions. |
| CC5. Control activities | Controls CC5.1-CC5.3.6 require the organisation to select and develop control activities that contribute to mitigating risks and achieving objectives to acceptable levels. Example control: The organisation must perform control activities in a timely manner, as defined by its policies and procedures. |
| CC6. Logical and physical access controls | Controls CC6.1-CC6.8.5 require that the organisation protects information assets by applying the following to meet the organisation’s security objectives: Example control: The organisation uses physical barriers, visitor logging, a security alarm, and video surveillance to monitor and restrict access to its office and the resources within it. |
| CC7. System operations | Controls CC7.1-CC7.5.6 require that the organisation uses detection and monitoring procedures to identify the following in order to meet its objectives: Example control: The organisation must develop, document, and implement an incident response plan. |
| CC8. Change management | Controls CC8.1-CC8.1.15 require that the organisation implements changes to the following to meet its SOC-2 objectives: This includes authorising, designing, developing, configuring, documenting, testing, approving and implementing those changes. Example control: The organisation must develop and implement formal change management practices. |
| CC9. Risk mitigation | Controls CC9.1-CC9.2.12 require the organisation to identify, select and develop risk mitigation activities for risks arising from potential business disruptions. Example control: The organisation must obtain and review service level agreements (SLAs) from all critical third-party service providers. |
Achieving SOC-2 Compliance with Hicomply
Looking to achieve a successful SOC-2 report? The Hicomply platform will guide you through preparing for a SOC-2 Type 2 report. It will prepare your organisation for an independent service assessor’s report on your service organisation’s system relevant to security, availability, confidentiality, processing integrity and privacy, covering both the suitability of the design and the operating effectiveness of your controls over a fixed period.
The Hicomply SOC-2 framework will allow you to be audit-ready and, as such, guide you to conform to the TSP Section 100 Principles and Criteria for security and confidentiality throughout the period. Once your independent Service Assessor’s Report is created, you can upload it into Hicomply.
Ready to become SOC-2 compliant quickly and easily? Book your demo to learn more about compliance as you work!