SOC 2 Compliance

SOC 2 Compliance Service

Expertise, framework, processes & documentation requisite for compliance


SOC 2 Certification

SOC 2 Audit requirements differ from other information security standards and frameworks as there is no minimum list of prescriptive controls established for compliance. Instead, the American Institute of Certified Public Accountants (AICPA) establishes general criteria that can be selected by an organisation to demonstrate they have controls in place to mitigate risks to the service they provide.

Consequently, there is no one right answer for how to address the established criteria. The auditor’s job is to confirm what trust service criteria should apply to the service and what is being done by the organisation to meet it.

In some cases, there are gaps and organisations must implement new controls or modify existing ones to satisfactorily meet the criteria. In other cases, existing controls may already be more than sufficient.

The service is designed to ensure your business not only meets the established criteria but provides clear and auditable proof of SOC 2 compliance for the audit with minimum impact to your business, operations and resources.

SOC 2 – Features and Components

The Risk Crew SOC 2 Service is comprised of the following five-step approach to help your organisation achieve compliance. This popular service results in a simple, transparent and easily demonstrable compliance framework for either SOC 2 Type 1 or 2 reports.


Step 1

  • Review of Current Controls: First, Risk Crew will review the current controls you have implemented to ensure security, availability, confidentiality, processing integrity and privacy (known collectively as the Trust Services Criteria, or TSC).
  • Assessment of Controls: Controls are assessed for effectiveness and documented beside the applicable key performance indicators. The results indicate the quickest route to a successful audit.

Step 2

Based upon the above findings, Risk Crew shall then recommend the specific TSC to be validated in the audit and confirm this with you. At a minimum, SOC 2 reports must include the Security (Common) Criteria; any other TSCs selected depend upon your business requirements.

The Trust Services Criteria are selected from the following:

  • Security: The system is protected against unauthorised access, both physical and logical. Examples of commonly examined SOC 2 security controls are logical access to infrastructure and vital systems such as source code repositories. Additionally, this could include password parameters, network device configurations, firewalls and physical security controls that protect key infrastructure.
  • Availability: The system is accessible for operation and use as intended and agreed. The availability criteria require that the organisation have documented business continuity and disaster recovery plans and procedures. Additionally, they require periodic backups and recovery tests.
  • Confidentiality: Information designated as ‘Confidential’ is protected according to policy or agreement. The confidentiality criteria are often confused with the privacy criteria. Most organisations have a requirement to protect confidential information shared with them by the companies they do business with, such as intellectual property.
  • Processing Integrity: System processing is complete, accurate and authorised. Processing integrity is not included in SOC 2 as often as the availability and confidentiality TSCs. It is usually addressed in systems that process transactions, such as payments.
  • Privacy: The privacy criteria should be considered when ‘personal information’ is processed, stored or transmitted by the system. It is important to note that the privacy criteria apply to personal information. This differs from the confidentiality criteria, which apply to other types of sensitive information.

Step 3

  • Identify Controls: Identify and document the policy reference that mandates the control, the applicable SOC 2 TSC, the actual control used to ensure the criteria are met, the control’s objective and key performance indicators, and the associated testing procedures used to verify the effectiveness of the control over time.
  • Mapping: By clearly depicting the relationship between policies and testing, you will be able to provide your auditor with clear evidence that the SOC 2 TSCs are being met. Connecting the dots in this way simplifies and streamlines the auditor’s work by providing the essential data needed for the report.

Step 4

  • Assessment and Remediation: Where controls are insufficient or not present to demonstrate compliance with a selected TSC, Risk Crew shall recommend cost-effective remedial actions to ‘fill the gap’ and demonstrate compliance. We will also recommend the controls that are most effective across people, process and technology.
  • Recommendations: Risk Crew shall provide a recommended policy statement, the applicable TSC, a control, a control objective, KPIs and testing procedures to be included in the map described above.

Step 5

Upon completion of the first four steps, Risk Crew shall conduct a workshop with your business’ stakeholders to ensure their understanding of the findings and the SOC 2 compliance requirements. The workshop guides attendees through the steps required to obtain a favourable SOC 2 Type 1 report.

SOC 2 Audit Framework

SOC 2 is a type of audit that confirms the organisation provides a safe and secure operating environment and appropriately manages its own data and the data of its clients. The audit focuses on the controls that the organisation has defined to properly govern the services it provides to its clients.

Developed and introduced by the AICPA, the SOC 2 audit focuses on the internal controls of a service organisation, using the five Trust Services Criteria (TSC), which are Security, Confidentiality, Processing Integrity, Availability and Privacy. Depending on the organisation, or the reason for performing a SOC 2 audit, it may use a few or all of the TSCs to define the scope of its audit.

There are two types of SOC 2 audits:

SOC 2 Type 1: This audit type describes the service organisation’s systems and whether the design of its controls meets the relevant trust criteria as of a specific point in time.

SOC 2 Type 2: This audit type details the operating effectiveness of controls over a period of time. User organisations and their auditing team generally select a six-month evaluation period.

SOC 2 Report Benefits

Achieving compliance with SOC 2 will provide the following benefits:

✓ Protect against security breaches

✓ Gain insight into your organisation’s risk and security posture

✓ Validate that your systems and networks are secure

✓ Get a competitive advantage over organisations without SOC 2

✓ Assure customers that controls are in place to help secure their data

✓ Accelerate certification to other frameworks such as ISO 27001

Why Choose Risk Crew

Risk Crew has two decades of hands-on skills and experience in successfully implementing cost-effective security risk management compliance frameworks. All of our services come with our 100% satisfaction guarantee.

When you choose Risk Crew, you’re electing to work with qualified experts.

Affirm the security of your services with SOC 2.

Frequently Asked Questions

What is included in a SOC 2 audit report?

There are five Trust Services Principles, or criteria, that comprise a SOC 2 report: Security, Availability, Processing Integrity, Confidentiality and Privacy. An audit report comprises the auditor’s assessment of how well the organisation’s controls meet these principles.

What is the difference between SOC 1 and SOC 2?

SOC 1 involves the audit of a service provider’s accounting and financial controls. SOC 2 is an audit of a service provider’s information security controls. SOC 2 compliance is a minimal requirement when choosing a SaaS provider.

How long does it take to get SOC 2 compliance?

The SOC 2 reporting process can take anywhere from 6 to 12 months (on average) depending on the maturity of your controls. Find out how to estimate your organisation’s timeline to compliance in our blog post – How Long Does it Take to Get SOC 2 Compliance.

Who needs a SOC 2 audit report?

SOC 2 is often a contractual requirement for technology-based service providers that process, transmit or store their customers’ information on cloud-based platforms. This includes businesses that provide SaaS and other cloud-based services and that also use the cloud to store individual customer information.

Do You Need to Estimate Your SOC 2 Compliance Timeline?

Download SOC 2 tools that include a ‘typical’ timeline and SOC 2 Audit Preparation Checklist to help quickly assess your audit readiness.


Request a Quote to Begin Your SOC 2 Journey Today

Our SOC 2 experts will contact you to discuss your specific requirements