SOC 2 Report
SOC 2 Report – Trust Services Criteria
The SOC 2 report focuses on a business's non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 18, which is focused on the financial reporting controls.
The Trust Services Criteria, on which SOC 2 is based, are designed around four broad areas: Policies, Communications, Procedures, and Monitoring. Each criterion has corresponding points of focus, which should be met to demonstrate adherence to the overall criteria and produce an unqualified opinion (no significant exceptions found during your audit). One benefit of the Trust Services Criteria is that the requirements are predefined, making it easier for business owners to know what compliance needs are required of them and for users of the report to read and assess their adequacy.
Several criteria are defined for each principle available for a SOC 2 report. The Security principle is the basic principle (common criteria). The number of criteria (61*) differs for each principle:
- Security: 33 criteria
- Confidentiality: 2 additional criteria
- Availability: 3 additional criteria
- Processing Integrity: 5 additional criteria
- Privacy: 18 additional criteria
*Several criteria relate to alignment with the COSO principles.
Two new SOC reports have been published recently: SOC for Cybersecurity and SOC for Vendor Supply Chains. These two new reports are not related to the SOC 2 principles and criteria.
How is SOC 2 Type 2 Different from Type 1?
SOC 2 reports come in two flavours: Type 1 and Type 2. The difference between the two is as follows:
SOC 2 Type 1 Report is a report on a service organization’s system and the suitability of the design of its controls. The Type 1 report looks at the system at a point in time, or an “as of” date, and at how the organization describes the system and the controls in place around it.
SOC 2 Type 2 Report is similar to the Type 1 report, except that the controls are described and evaluated over a minimum of six months to see whether they are functioning as defined by management.
The different parts of a SOC 2 report:
Part 1: Auditor's opinion
Part 2: Management's assertion
Part 3: Management's description
Part 4: Pages limited to the auditor (Type 2 only)
Part 5: Criteria, controls, and auditor's conclusion
Part 6: Pages limited to the organization. The auditor expresses no opinion on this part.
Unify multiple compliance standards with a SOC 2 report
Today's reality is that a variety of IT compliance standards exist, and an organization sometimes has several different compliance standards to respect. This obligation can become an unbearable financial burden for small businesses.
The advantage of a SOC 2 report and its five principles is that it makes it possible to unify several standards. For example, HITRUST and CSA standards may be incorporated into a SOC 2 report following agreements with the two associations in question. For other compliance standards, nothing prevents an organization from putting in place controls that satisfy several different compliance standards at once.
We look forward to discussing this with your organization.
Yucca IT Consulting can help you
We can assist you throughout your preparation process for the SOC 2 compliance program, from the gap analysis to a final, personalized, ready-to-audit SOC 2 report. With the help of your in-house pilot, a realistic timetable will be documented and accepted by your management.