What Is SOC 2 and How to be Compliant

SOC 2 (System and Organisation Controls 2) compliance is a widely recognised framework for assessing and reporting on the security, availability, processing integrity, confidentiality, and privacy of data within service organisations.

Its requirements differ from other information security standards and frameworks as there is no minimum list of prescriptive controls established for compliance.

Instead, the American Institute of Certified Public Accountants (AICPA) establishes general criteria that can be selected by your organisation to demonstrate that controls are in place to mitigate risks to the service you provide.

Get a Quote
Cyber Essentials Certification

Types of SOC 2 Reports

SOC 2 TYPE 1

This audit type evaluates your organisation’s systems to determine if their control design aligns with the applicable trust criteria that were implemented at a specific moment in time.

SOC 2 TYPE 2

This audit type assesses the ongoing effectiveness of controls over a specified duration. Typically, user organisations and their auditing teams opt for a six-month timeframe for evaluation.

How Your Organisation Can Benefit From SOC 2 Certification

Risk Crew’s Step-by-Step Process to Get You Compliant

This service is crafted to not only guarantee your business’s adherence to the established criteria but also to furnish transparent and easily auditable evidence of SOC 2 compliance, all while minimising any disruption to your business, operations, and resource allocation.

  • Review of Current Controls: Our team of experts will review the current controls you have implemented to ensure the security, availability confidentiality, processing integrity, and privacy (known collectively as Trust Service Criteria or TSC) of your existing data assets.
  • Assessment of Controls: Controls are assessed for effectiveness and documented beside the applicable key performance indicators. The results will indicate the quickest route to a successful audit.

At a minimum, SOC 2 reports must include the Security or Common Criteria — any other TSCs selected will depend on your business requirements.

The Trust Services Criteria are selected from the following:

  • Security: This TSC ensures protection against unauthorised access, encompassing both physical and logical security. It examines aspects like logical access to critical infrastructure, such as source code repositories, and covers elements like password parameters, network device configurations, firewalls, and physical security measures safeguarding key infrastructure.

  • Availability: Here, the focus is on ensuring that the system is accessible and operational as intended and agreed upon. Compliance with availability criteria necessitates documented business continuity and disaster recovery plans and procedures. It also involves regular backups and recovery testing.

  • Confidentiality: This criterion safeguards information marked as ‘Confidential’ as per policy or agreement. It’s important to note that confidentiality criteria are distinct from privacy criteria. They apply to the protection of confidential data, including intellectual property and shared information from business partners.

  • Processing Integrity: This TSC ensures that system processing is complete, accurate, and authorised. Processing integrity isn’t as frequently addressed as availability and confidentiality TSCs and typically applies to systems involved in transaction processing, like payment systems.

  • Privacy: The privacy criteria come into play when handling ‘personal information’ within the system. It’s crucial to differentiate privacy criteria from confidentiality criteria, as the former is concerned with personal data, while the latter pertains to other types of sensitive information.

Once the TSC selection and Confirmation have been completed, we’ll work with your organisation to proceed with the following;

  • Mapping Controls: Document the policy reference, relevant SOC 2 Trust Services Criteria (TSC), the implemented control, its purpose, key performance metrics, and testing procedures to assess its ongoing effectiveness.
  • Provide Evidence: Clearly illustrate how policies relate to testing provide concrete evidence of SOC 2 TSC compliance, streamlining the Auditor’s work and supplying crucial report data.

Assessment and Remediation: Where controls are insufficient or not present to demonstrate compliance to a selected TSC, we’ll recommend cost-effective remedial actions to ‘fill the gap’ and demonstrate compliance. We’ll also recommend controls that are most effective in the people, process, or technology.

Upon completion of the first four steps, we’ll conduct a workshop with your business stakeholders to ensure their understanding of the findings and SOC 2 compliance requirements. The workshop seeks to guide attendees through the steps required to obtain a favourable Type 1, SOC 2 Report.

We Don’t Sell Products, We Sell Results.

✓ Competitive and Transparent Pricing

Our service comes with fixed pricing with no unexpected added costs. Additionally, we offer a managed service to conduct penetration testing on a continual basis.

✓ Flexible Delivery

This service can be delivered on-site or remotely using cutting-edge technology to maintain the security of our communications. Whichever method you opt for, quality service and hands-on expertise are provided.

✓ On-going Support

Risk Crew helps you maintain compliance with a variety of support services including risk assessments, security testing and staff awareness training.

✓ 100% Satisfaction Guarantee

We think deeply, question assumptions, detect cause and effect and deliver measurable results. No one else does that. Our deliverables produce metrics you can use to monitor and manage real-world cyber risks.

Our Certifications and Accreditations

Speak With a Consultant Today

Instil customer confidence and strenghten your information security posture with SOC 2 Compliance.

Access More SOC 2 Resources

add_task

SOC 2 Compliance Discovery Session

Get a mini-gap assessment and advice from an ISO 27001 expert. Schedule a call or online meeting.

inventory

SOC 2 Compliance Checklist and Timeline 

Learn what is required to achieve your SOC 2 Report.

auto_stories

How To Prepare for SOC 2 Audit: Webinar

Learn how your organisation can begin to prepare for its first stage audit.

Frequently Asked Questions

What is included in a SOC 2 audit report?

There are five Trust Services Principles, that comprise a SOC 2 report: Security, Availability, Processing Integrity, Confidentiality and Privacy.

An audit report is comprised of the auditor’s assessment of how well the organisation’s controls fit these principles.

What is the difference between SOC 1 and SOC 2?

SOC 1 involves the audit of a service provider’s accounting and financial controls. SOC 2 is an audit of a service provider’s information security controls. SOC 2 compliance is a minimal requirement when choosing a SaaS provider.

How long does it take to get SOC 2 compliance?

The SOC 2 reporting process can take anywhere from 6 to 12 months (on average) depending on the maturity of your controls. Find out how to estimate your organisation’s timeline to compliance in our blog post – How Long Does it Take to Get SOC 2 Compliance?

Who needs a SOC 2 audit report?

SOC 2 is often a contractual requirement for technology-based service providers, who process, transmit or store their customer’s information on cloud-based platforms.

This includes businesses that provide SaaS, cloud-based services or use the cloud to store individual customer information.