
SYSTEM AND ORGANIZATION CONTROLS REPORT SOC 2

SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.


SOC 2 reports are unique to each organization. In line with specific business practices, each designs its own controls to comply with one or more of the trust principles.

These internal reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.

SOC 2 Certification

SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.

Trust principles are broken down as follows:


Security:

The security principle refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.

Availability:

The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.

This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability.

Processing Integrity:

The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.

Confidentiality:

Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.

Privacy:

The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).

Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.

SOC 2 Audit Readiness Assessment and Remediation Service

We are well prepared to help any organisation prepare for a SOC 2 audit.

Readiness assessment:

We assess your state of SOC 2 preparedness by evaluating the type of service you offer, the trust services categories applicable to that service and the security controls relevant to the delivery of the service. Among other things, we will examine and analyse your processes and procedures, system settings and configuration files, screenshots, signed memos, and organisational structure.

Remediation:

Once the shortfalls have been identified we can help you remediate them. We can help with audit scoping, compiling the system or service description, risk assessment, control selection, defining control effectiveness measurements and metrics, or integrating your SOC 2 requirements into your ISO 27001-compliant ISMS (information security management system).

Testing and Reporting:

The SOC 2 report structure is similar to a SOC 1 report structure and consists of:

  • The Opinion Letter

  • Management’s Assertion

  • Description of the System

  • Description of Tests of Controls and Results of Testing

  • Other Information

We can assist with the full SOC audit process, from conducting a readiness assessment and advising on the necessary remediation measures through to testing and reporting.
