A SOC 2 report focuses on a service organization's non-financial reporting controls as they relate to the Trust Services Criteria.
The American Institute of Certified Public Accountants (AICPA) is the body that wrote and maintains the framework. The SOC 2 framework covers five areas, which together form the set of criteria historically called the Trust Services Principles (now the Trust Services Criteria):
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
When starting a SOC 2 project, a company must decide, together with its auditor, which of these criteria the report will cover.
Covering all five is not mandatory, but Security (the common criteria) is always part of the scope; the other four are added only when they are relevant to the service being audited.
SOC reports concern the internal controls in place at a third-party service organization.
SOC 1, SOC 2, and SOC 3 reports all require the service organization to demonstrate the controls governing its handling of clients and client data. They differ in focus: SOC 1 covers controls relevant to a customer's financial reporting, SOC 2 covers the Trust Services Criteria above, and SOC 3 is a general-use summary of a SOC 2 report that can be shared publicly.
There are two options a company can choose when defining the scope of work:
- Type I, which describes the design of the controls as they exist at a single point in time.
- Type II, which also tests whether those controls operated effectively over a review period (typically six to twelve months).
In most cases, a SOC 2 Type II report is the one cloud-based companies are asked for. It assures customers that the company's safeguards and procedures were suitably designed and operated effectively throughout the audit period, rather than merely existing on paper on the day of the audit.
Going through the process raises the security program of a technology company to a more mature level, and at the same time prepares the ground for doing business with enterprise customers, who commonly require a SOC 2 report during vendor due diligence.