SOC stands for Service Organization Control. There are three types of SOC reports, but we’ll focus on the second one, which is “designed for the growing number of technology and cloud computing entities that are becoming very common in the world of service organizations,” according to ssae16.org. There are two types of SOC 2 reports: SOC 2 Type I and SOC 2 Type II.
The main difference between Type I and Type II reports is the length of time they cover. Type I is a ‘snapshot’ or point-in-time report. It is used to determine whether an organization has the right controls in place. A Type II report determines the effectiveness of those controls over a period of time, typically 6 months or longer. Type I is a great starting point for those new to reporting on controls.
SOC 2 reports on a business’s non-financial reporting controls and is based upon 5 Trust Principles: the security, availability, processing integrity, confidentiality, and privacy of a system.
Here is a high-level overview of the Trust Principles:
Security - The system is protected against unauthorized access, both physical and logical.
Availability - The system is available for operation and use as committed or agreed.
Processing Integrity - System processing is complete, accurate, timely, and authorized.
Confidentiality - Information designated as confidential is protected as committed or agreed.
Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP).
A SOC 2 report is designed for use by stakeholders such as customers, directors, suppliers, etc. A SOC 2 report should not be used for marketing purposes. It is intended for specific parties – internal employees and people who have an adequate understanding of the criteria.
Do I Need a SOC 2 Report?
By now, you may be asking: do I actually need a SOC 2 report? If you are a company that handles or processes sensitive data, then yes. Presenting your datacenter hosting provider’s SOC 2 Type II certificate is no longer enough. A SOC 2 report is a good way to demonstrate to your customers and clients that an independent third party has verified that you reliably protect sensitive data. With the continual rise of data breaches, customers are increasingly asking for SOC 2 reports as verification of your ability to protect their data. A SOC 2 report also provides a competitive advantage over vendors who cannot demonstrate their ability to reliably protect data. SOC 2 demonstrates your commitment to having a mature and well-established security program.
It’s easy to get confused about which report type to choose and which Trust Principles should be assessed. We’re here to help! Contact us today to discuss how to become SOC 2 certified.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.