SOC 2, developed by the American Institute of Certified Public Accountants (AICPA), provides security standards for your organisation’s information security controls.
These controls address how your organisation handles customer data – successful SOC 2 compliance allows you to prove to current and prospective clients that your business has stringent measures in place to secure their data.
What are the SOC 2 criteria?
SOC 2 addresses five trust services categories:
- Security, or common criteria
- Additional criteria for availability
- Additional criteria for processing integrity
- Additional criteria for confidentiality
- Additional criteria for privacy
You do not have to address all of the above categories. Security controls are most commonly required, but you may choose to address additional criteria in line with your organisation’s objectives.
What are the possible SOC 2 audit outcomes?
When your organisation is audited by a certified public accountant (CPA), there are three possible outcomes:
- Unmodified opinion: Your auditor identified no material inaccuracies or flaws in systems.
- Qualified opinion: Your auditor identified inaccuracies in system control descriptions, but they’re limited to specific areas.
- Adverse opinion: Your auditor discovered adequate evidence that there are material inaccuracies in your controls’ descriptions, and flaws in design and operational efficacy.
A successful SOC 2 audit proves that your organisation is compliant with the trust services categories you selected.
How do I prepare my organisation for a SOC 2 compliance audit?
Naturally, there’s a lot of preparation involved in ensuring your organisation is ready for a SOC 2 Type 2 audit. We’ve condensed the process into a handy SOC 2 compliance checklist you can use to measure your organisation’s SOC 2 preparedness.
If you need a version of our checklist to keep and update, you can also download the PDF:
Download the SOC 2 Compliance Checklist
SOC 2 compliance checklist
- Does your SOC 2 report need to address:
- Processing integrity
- Define organisational structure
- Designate authorised employees to develop and implement policies and procedures
- Establish working committees
- Implement background screening procedures
- Establish workforce conduct standards
- Ensure clients and employees understand their role in using your system or service
- Effectively communicate system changes to the appropriate personnel in a timely manner
- Define your organisation’s policies and procedures relevant to the selected Trust Services Criteria
- Undertake SOC 2 gap analysis
- Implement necessary policies and procedures identified by gap analysis
- Test and validate new policies and procedures
- Perform a risk assessment
- Identify potential threats to the system
- Analyse the significance of the risks associated with each threat
- Develop mitigation strategies for those risks
- Conduct regular fraud risk assessments
- Perform regular vendor management assessments
- Undertake annual policy and procedure review
- Implement physical and logical access controls
- Limit access to data, software, functions, and other IT resources to authorised personnel based on roles
- Restrict physical access to sensitive locations to authorised personnel only
- Implement an access control system
- Implement monitoring to identify intrusions
- Develop and test incident response procedure
- Update software, hardware, and infrastructure regularly as necessary
- Execute a change management process to address flaws in controls
- Establish and identify backup and recovery policies
- Establish and identify how are you addressing environmental risks
- Test and record your disaster recovery plan
- Ensure data is being processed, stored, and maintained accurately and in a timely manner
- Protect confidential information against unauthorised access, use, and disclosure
- Identify your documented data retention policy.
Be sure to bookmark the Hicomply blog for the latest ISMS and wider data security news and research. Alternatively, book a Hicomply demo today to find out how Hicomply can help secure your company’s vital information.