Frequently Asked Questions
WHAT TYPES OF ORGANIZATIONS UNDERGO A SOC 2 EXAMINATION?
Many small and medium-sized companies that do not have an information security or compliance program elect to undergo a SOC 2 readiness and examination process. SOC 2 is widely recognized and contains many overlapping characteristics with other regulations and frameworks, including Sarbanes-Oxley 404, HIPAA, GDPR, PCI and the FFIEC.
WHAT INDUSTRIES DOES SOC 2 APPLY TO?
SOC 2 can apply to companies across industries.
Organizations that undergo SOC readiness / examination procedures are service providers that perform functions on behalf of other companies, including:
Cloud Service Providers (SaaS, IaaS, PaaS)
Data Centers (Co-location and Managed Hosting)
Collections & Third Party Billing
WHAT TRUST SERVICES CRITERIA (TSC) ARE REQUIRED? WHICH ONES ARE OPTIONAL?
A service organization must include the ‘Security’ Trust Services Criteria. Availability, Processing Integrity and Privacy are optional.
WHAT ARE THE OVERALL OBJECTIVES OF EACH OF THE TRUST SERVICES CRITERIA?
Security. The system is protected against unauthorized access, use, or modification.
Availability. The system is available for operation and use as committed or agreed.
Processing Integrity. System processing is complete, valid, accurate, timely, and authorized.
Confidentiality. Information designated as confidential is protected as committed or agreed.
Privacy. Personal information is collected, used, retained, disclosed and disposed of to meet the entity's commitments and system requirements.
I’VE HEARD OF A TYPE 1 REPORT AND A TYPE 2 REPORT. IS THERE A DIFFERENCE?
Yes, there is a difference.
A SOC 2 Type 1 report evaluates the design of an organization’s controls at a point in time.
A SOC 2 Type 2 report evaluates the design and operating effectiveness of an organization’s controls over a period of time (usually 6 or 12 months).
IF I’VE NEVER UNDERGONE A SOC 2 EXAMINATION BEFORE, SHOULD I GO FOR A TYPE 1 REPORT OR TRY TO OBTAIN A TYPE 2?
Due to the rigorous requirements of SOC 2, which typically lead to a shift in an organization’s internal business practices, most companies elect to achieve SOC 2 Type 1 compliance first and then pursue SOC 2 Type 2 afterwards.
IS SOC 1 (SSAE 18) THE SAME AS SOC 2?
Controls within a SOC 1 / SSAE 18 report are defined by management, and the audit is risk-based. This report is useful for demonstrating to auditors and user organizations that internal controls over financial reporting (ICFR) are designed and operating effectively.
Controls within a SOC 2 report are also defined by management, but the audit is criteria-based, using SysTrust / WebTrust principles. This report is useful for demonstrating to a broad range of users (beyond user organizations) that controls over security, availability, processing integrity, confidentiality and/or privacy are designed and operating effectively.