What is SOC 2?

CFE CERTIFICATION
2 min readJan 7, 2025


SOC stands for System and Organisation Controls. The term SOC 2 refers to a report issued by an independent Certified Public Accountant (CPA, an American professional designation) stating that an organisation’s data management practices meet a set of criteria issued by the AICPA.

The SOC framework is based on five main Trust Services Criteria (TSC):

1. Security: is the process protected against unauthorised access?

2. Availability: is the process generally functional?

3. Processing integrity: is the data delivered to the client kept secure?

4. Confidentiality: can other persons access this data?

5. Privacy: is our personal data stored, and if so, how is this done?

Unlike more prescriptive frameworks such as PCI DSS and ISO 27001, SOC 2 allows organisations to identify the controls relevant to them and demonstrate how those controls meet each criterion. At the end of the process, you don’t get a certificate as you do with ISO 27001; you get a report that is valid for one year.

However, almost every SOC 2 report should include the Security (Common) Trust Services Criteria: control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access controls, system operations, change management and risk mitigation.

Does my organisation need a SOC 2?

The SOC 2 Audit and Reporting service is available to any technology service provider or organisation that stores, processes or transmits customer data.

This includes managed service providers, banking and financial services, software as a service (SaaS) providers, data centres, cloud storage providers and other companies that store or collect data.

Being SOC 2 compliant demonstrates that your organisation has adopted a robust security programme to protect customer data in the cloud. SOC 2 reporting gives your organisation a competitive advantage, helping you win and close deals faster.

Contact us at sales@cfecert.co.uk about our SOC 2 Type 1 and Type 2 Audit and Training services.

Written by CFE CERTIFICATION

Certification Information Security, Business Continuity, International IT Service, GDPR and PIMS - www.cfecert.co.uk - sales@cfecert.co.uk