This guide covers what is required to achieve SOC 2 compliance and obtain a SOC 2 report (commonly called SOC 2 certification, although strictly speaking SOC 2 is an attestation report issued by an independent CPA firm rather than a certificate). User Entities, i.e. the companies that use your service, want to know that you are proactively taking care of their needs.

What is SOC 2?

SOC 2 is part of the AICPA’s Service Organization Control (SOC) reporting framework (since renamed System and Organization Controls) and is based on the AICPA’s Trust Services Criteria. The SOC 2 report was first published in 2011 and follows the same report format as SOC 1; however, the AICPA’s Assurance Services Executive Committee defined a different set of criteria against which a service organization is measured for SOC 2 compliance. The ‘SOC 2 Report on Controls at a Service Organization’ establishes a baseline of information security at a service provider, and the report itself is the evidence of compliance you hand to your customers. You can think of the User Entity’s needs as the risks they are exposed to while using your service.

The 5 Trust Principles of SOC 2 Certification


The Trust Services Criteria are grouped under five principles. Each principle relates to the control and protection of user information. Keep in mind that a single control, such as an access-control module, may satisfy more than one principle.

Security

The company must be able to show that the system is protected against unauthorized access, both physical and logical. It must also prevent unauthorized disclosure and limit any damage that could affect the availability, integrity, confidentiality and privacy of the information.

Availability

The system should have controls in place to ensure it’s available as needed by the User Entity.

Processing Integrity

System processing should be checked to confirm that it is complete, valid, accurate, timely and authorized.

Confidentiality

Information that is designated as confidential should be protected according to the User Entity’s needs.

Privacy

The organization should address the User Entity’s needs when it collects, uses, retains, discloses and disposes of personal information.

Establishing a SOC 2 Compliance Framework


The company’s risk assessment determines the framework for SOC 2 Compliance. Risks are determined by the services offered.

The risk assessment should include six steps.

1. Identify the products and services that fall under the scope of the SOC 2 report.

2. Assess the service process to identify the risks to the User Entity.

3. Connect the Trust Services to the User Entity risks.

4. Map the Trust Services to the Control Criteria.

5. Find gaps in the control criteria where Trust Principles apply but are not addressed.

6. Map internal controls to the gaps.

The Scope of SOC 2 Reports

Unlike PCI DSS, where every requirement must be covered, a SOC 2 report does not have to cover all five Trust Principles. Care should nevertheless be taken when deciding which of the TSPs will be in the report, because User Entities will compare the scope against the risks they care about.

If part of the service is outsourced to a subservice organization, that supplier will have to show that adequate controls are in place at its own site, because those controls fall within the scope of your report.

Business Processes for the Trust Principle Assessment

The four main areas that are covered during the assessment of the company’s TSP Controls are:

Business Policies

Written policies that are relevant to the Trust Principles.

Communicating the System

The company has disclosed its policies to stakeholders and the responsible entities. This includes the users of the system.

Control Procedures

The company has procedures that will achieve the principles set out in the policies.

System Monitoring

The company monitors the system and takes action to ensure compliance with the policies.

Type 1 vs. Type 2 Reports

Two types of SOC 2 report can be prepared; which one your company needs depends on what the User Entity asks for. The Type 1 report is a snapshot of the system at a point in time. It contains the system description, management’s written assertion, the controls as designed, and the Service Auditor’s opinion on whether those controls are suitably designed. The Type 2 report includes the same items, plus the results of the auditor’s tests of whether the controls operated effectively over a review period.

The SOC 2 Reporting Format

The report has four sections. Together they cover the design and implementation of the system, including whether the description is complete and the controls are adequate.

Description of the System

The description of the system covers the services the company offers. The infrastructure used to process data (hardware and software) is listed, and the boundaries of the system in scope should be recorded.

One further point about the system description: it identifies the Trust Services Principles that the report covers. This lets you map your Control Criteria to them and measure how effective your controls are.

Management Provides a Written Assertion


This section contains the assertions made by management regarding the controls they’ve chosen to use. This is an opportunity to explain each of your methods and the controls that serve the Trust Services Criteria.

If the privacy principle forms part of the report, you must demonstrate compliance with the commitments stated in your privacy notice.

If a subservice is used for any portion of your system, this section should include:

Details on how information is provided or received from the service provider.

Controls at the service provider that deal with the handling, processing, maintenance and storage of information.

Trust Principles that are excluded from the report should be listed along with the reasons why they are not covered.

Design and Operational Effectiveness Details

Section 3 of the SOC 2 Report contains a list of the controls that were designed.

If you are preparing a Type 1 report, list the designed controls that meet the TSP criteria. In a Type 2 report, also include the results of each test of those controls. Before the Service Auditor tests them, you will have to verify for yourself that each control works as described and that no other risks prevent you from meeting your TSP criteria; the auditor’s opinion on these points is described in the next section.

Expressed Opinion by Service Auditor

The Auditor’s opinion will be based on:

  • Whether the description of the system is fairly presented.
  • Whether the controls work as they are supposed to (for a Type 2 report this is assessed over the review period).
  • Whether the description shows how the system was designed and built, without omitting or distorting information about the system.
  • Whether the company complies with its privacy practices (if privacy was part of the scope).

As part of their opinion, the Service Auditor will list deviations (exceptions) and areas of the system that lack controls.

Remember – SOC 2 Certification Creates Trust

Achieving SOC 2 compliance and obtaining a SOC 2 report will build trust in your organization. User Entities may ask for a SOC 2 report and will specify in the request which TSPs they need covered.

About The Author

By omurix

XIII. Unidentified Society
