SOC 2
Frequently Asked Questions
What types of organization undergo a SOC 2 examination?
Many small and medium-sized companies that do not yet have an information security or compliance program elect to undergo a SOC 2 readiness and examination process. SOC 2 is widely recognized and shares many characteristics with other standards and regulations, including ISO 27001, Sarbanes-Oxley 404, HIPAA, GDPR, PCI and the FFIEC.
What industries does SOC 2 apply to?
It is important to note that SOC 2 audits are not industry-specific, and any organization that handles sensitive data and information can benefit from undergoing a SOC 2 audit to demonstrate their commitment to security, confidentiality, processing integrity, availability and privacy.
Examples of organizations that undergo SOC readiness / examination procedures are service providers that perform functions on behalf of other companies, including:
- Cloud Service Providers (SaaS, IaaS, PaaS)
- Data Centers (Co-location and Managed Hosting)
- Collections & Third Party Billing
- Cybersecurity Firms
- Healthcare providers
- FinTech companies
What Trust Services Criteria (TSC) are required? Which ones are optional?
A service organization must include the ‘Security’ Trust Services Criteria. Availability, Processing Integrity and Privacy are optional.
What are the Trust Services Criteria (TSC)?
Security. The system is protected against unauthorized access, use, or modification.
Availability. The system is available for operation and use as committed or agreed.
Processing Integrity. System processing is complete, valid, accurate, timely, and authorized.
Confidentiality. Information designated as confidential is protected as committed or agreed.
Privacy. Personal information is collected, used, retained, disclosed and disposed of to meet the entity's commitments and system requirements.
What is the difference between a SOC 2 Type 1 and SOC 2 Type 2 audit?
The main difference between a SOC 2 Type 1 audit and a SOC 2 Type 2 audit is the scope and duration of the audit.
A SOC 2 Type 1 audit evaluates the design and implementation of controls as of a specific date (a point in time), and provides assurance that the controls are suitably designed to achieve the related control objectives.
In contrast, a SOC 2 Type 2 audit evaluates the design, implementation, and operating effectiveness of controls over a period of time, typically covering six to twelve months.
If I've never undergone a SOC 2 examination before, should I go for a Type 1 report or try to obtain a Type 2?
Due to the rigorous requirements for SOC 2, which typically lead to a shift in an organization’s internal business practices, most companies elect to achieve SOC 2 Type 1 compliance first and then choose SOC 2 Type 2 afterwards.
Is SOC 1 (SSAE 18) the same as SOC 2?
No.
Controls within a SOC 1 / SSAE 18 are defined by management, and the audit is risk-based. This report is useful to demonstrate to auditors and user organizations that internal controls over financial reporting (ICFR) are designed / operating effectively.
Controls within a SOC 2 report are also defined by management, but the audit is criteria-based, using SysTrust / WebTrust principles. This report is useful to demonstrate to a broad range of users (beyond user organizations) that controls over security, availability, processing integrity, confidentiality and/or privacy are designed / operating effectively.
Contact us to see how we can help you prepare for your SOC audit.