Security & Compliance Blog

Stay informed on changing compliance regulations

Get A Fixed Fee Quote Today Request a Free Quote

AICPA Remote SOC 1 and SOC 2 Services in Montreal, Canada

AICPA Remote SOC 1 and SOC 2 Services in Montreal, Canada

In today's rapidly evolving business landscape, data security and compliance have become paramount concerns for organizations of all sizes and industries. Montreal, Canada, a thriving hub of business activity, is no exception. Many organizations in this vibrant city are turning to remote auditing services to achieve and maintain compliance with AICPA SOC 1 and SOC 2 standards. The NDB Alliance of Firms, a trusted leader in remote auditing, is here to explore the benefits of remote auditing and how it can empower organizations in Montreal to meet their compliance objectives efficiently and effectively.

The Significance of SOC 1 and SOC 2 Audits

Before diving into the world of remote auditing, let's understand the importance of SOC 1 and SOC 2 audits:

SOC 1 Audits (formerly SAS 70): These audits focus on controls over financial reporting. They are crucial for service organizations that provide services that impact their clients' financial statements. SOC 1 audits ensure the reliability and integrity of financial information.

SOC 2 Audits: These audits evaluate controls related to security, availability, processing integrity, confidentiality, and privacy of data. They are particularly important for service providers that handle sensitive customer data, such as cloud service providers and data centers.

The Rise of Remote Auditing

Traditionally, SOC 1 and SOC 2 audits involved in-person visits and on-site assessments. However, advancements in technology have paved the way for remote auditing, offering numerous advantages, especially in the context of Montreal's bustling business scene:

  1. Cost Efficiency: Remote auditing reduces the costs associated with travel, accommodation, and on-site visits, making compliance more affordable for organizations.
  2. Time Savings: Organizations can complete audits more quickly and efficiently without the need for lengthy on-site engagements, allowing them to focus on their core business activities.
  3. Minimal Disruption: Remote audits cause minimal disruption to daily operations, enabling businesses to maintain productivity while achieving compliance.
  4. Global Reach: Remote auditing allows organizations in Montreal to work with auditors from around the world, accessing specialized expertise without geographical limitations.
  5. Enhanced Security: Secure technology platforms and encrypted communication channels ensure the confidentiality and integrity of audit processes and data.

How Remote Auditing Works

Remote auditing leverages secure online platforms, document sharing, and video conferencing to facilitate audits from a distance. The process includes:

  • Document Exchange: Organizations securely share relevant documents and evidence with auditors electronically.
  • Virtual Meetings: Auditors and clients meet virtually to discuss controls, review documents, and address any questions or concerns.
  • Continuous Communication: Regular communication ensures a smooth audit process and timely resolution of any issues.

NDB - Leaders in SOC 2 Audits for Canadian Companies

In the bustling business environment of Montreal, compliance with AICPA SOC 1 and SOC 2 standards is non-negotiable. The NDB Alliance of Firms brings the power of remote auditing to organizations in Montreal, providing efficient, cost-effective, and secure compliance solutions. Embracing remote auditing not only saves time and resources but also empowers businesses to maintain data security and regulatory compliance with ease. As Montreal continues to thrive, remote auditing stands as a key enabler for organizations seeking to meet their compliance objectives in an ever-changing world.

  313 Hits

SOC 2 Risk Assessment – a Strict Requirement for SOC Reporting

SOC 2 Risk Assessment – a Strict Requirement for SOC Reporting 

Performing a risk assessment for SOC 2 compliance is an essential reporting requirement that must be undertaken. Any reputable CPA firm hired to perform a SOC 2 assessment will no doubt inform you of this requirement early on in the SOC 2 auditing process. With that said, here’s what you need to know about risk assessments in terms of SOC 2 reporting, compliments of NDB, one of North America’s leading providers of SOC 2 and other related compliance services.

Performing a Risk Assessment is a Strict Mandate for SOC 2 Compliance: From PCI DSS compliance to SOC 1 and SOC 2 audits, HITRUST, and more, performing a risk assessment is a must. When undertaking SOC 2 compliance with NDB, service organizations will receive a complimentary SOC 2 risk assessment program that’s quick and easy to complete, yet also comprehensive.

  866 Hits

SOC 1 SSAE 18 Readiness Assessment from NDB - Fixed Fees

Need to perform a SOC 1 SSAE 18 audit, but not sure where to begin? The very best – and first – place to start the audit process is with a SOC 1 SSAE 18 Scoping & Readiness Assessment. When performed correctly – by a competent CPA firm – the benefits are tremendous, indeed. NDB offers fixed-fee audits, and as part of the process, also includes an upfront SOC 1 SSAE 18 Scoping & Readiness Assessment as part of overall auditing lifecycle.

Benefits of a SOC 1 SSAE 18 Scoping & Readiness Assessment

Determine actual Scope of the Audit: The very first – and most important issue – to determine when embarking upon SOC 1 SSAE 18 compliance is determining the actual scope of the audit. Specifically, what’s the business process in scope? Remember, that it’s important to understand how your services impact financial reporting for clients, a concept known as ICFR.

After all, the core reason why a SOC 1 SSAE 18 audit is being performed - and not a SOC 2 audit – is because there’s a direct financial implication involved with your clients. Simply stated, how do you affect your client’s financial reporting. Bottom line – get to the heart of the issue regarding ICFR. A highly competent CPA firm, such as NDB – can help with this very important issue. To learn more, contact Christopher Nickel, CPA, at 1-800-277-5415, ext. 706, or email him directly at This email address is being protected from spambots. You need JavaScript enabled to view it. today. NDB offers a wide-range of regulatory compliance services and solutions for businesses all throughout North America and Europe.

  1552 Hits

Q: How to be SOC 2 Compliant?

Q: How to be SOC 2 Compliant?

Answer: Need to be SOC 2 compliant? Here is what you need to know about the growing need for businesses all throughout North America seeking to become SOC 2 compliant, courtesy of NDB, one of the country’s leading providers of SOC 1 and SOC 2 audit & assessment reports.

6 Easy Steps in Becoming SOC 2 Compliant

1. Choose an Experienced CPA Firm. There are a number of well-qualified CPA firms all throughout the country that specialize in SOC 2 compliance, so you should not have any problem obtaining multiple proposals from experienced firms. Note: If your production environment is in the cloud with Amazon AWS, Microsoft Azure, or even Google GCP, then it’s important to choose a firm with cloud auditing expertise.

2. Understand the Basics of SOC 2 Compliance. So, what is SOC 2? Is it an audit? A certification? A process? There’s quite a bit of miscommunication regarding what SOC 2 is and what it isn’t. With that said, let’s clear the air and give you the basics of SOC 2. Here’s what you need to know: (1). SOC 2 is a control framework developed by the American Institute of Certified Public Accountants. (2). Achieving SOC 2 compliance does not result in a certificate being issue. (3). SOC 2 is generally an annual requirement.

  1461 Hits

SOC 2 Trust Services Criteria – Introduction & Overview

SOC 2 Trust Services Criteria – Introduction & Overview

Let’s take a deep dive into the SOC 2 Trust Services Criteria and provide you with a clear and transparent understanding as you begin the process of becoming SOC 2 compliant. So, what exactly are the SOC 2 Trust Services Criteria? They are essentially criteria that form the very basis of a SOC 2 audit, relying heavily on information security and data privacy best practices. The following five (5) Trust Services Criteria that can be used when performing a SOC 2 audit.

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

Simply stated, when you decide to embark on the road towards SOC 2 compliance, you and your SOC 2 auditor will ultimately determine which of the five (5) Trust Service Criteria will be included within the scope of the engagement. Let’s take a look at each of them:

Security: The SECURITY TSP is the most commonly assessed TSP, and for good reason; It essentially sets the basis for the entire audit. In fact, the vast majority of service organizations undertaking SOC 2 compliance opt for just the SECURITY TSP, and nothing else. This is generally the case as they begin to trek into the world of compliance. After a few years, it is common to find that additional TSP’s are added on as part of the overall audit scope. Ultimately, it depends on the needs of your customers and what they demand and expect in terms of compliance.

  1652 Hits

How Often Do You Have to Do a SOC 2 Report?

Q: How Often Do You Have to Do a SOC 2 Report?

Answer: Generally speaking, (and while there is no hard and fast rule), SOC 2 reports are required annually from service organizations as validation that their controls are operating as designed. The once a year rule has been the consensus in that if you conduct your initial SOC 2 audit in year 1, then approximately twelve months later, a service organization should provide yet another report on the operating effectiveness of their controls. It’s a yearly process, and why? That’s because intended users of a SOC 2 report (i.e., clients, prospects, etc.) will want to gain assurances of a service organization’s control environment on a yearly basis – at a minimum.

6 Things to Know About SOC 2 Reports

(1). Start off with a Scoping & Readiness Assessment. It’s fundamentally important to perform an upfront scoping exercise for determining project scope, gaps that need to be corrected, third-parties that are going to be included in the audit, and much more.

(2). Remediation is Common, so don’t Be Alarmed. Very common, and it typically requires a thoughtful approach to remediating three (3) key areas. Remediating deficiencies in policies and procedures. Remediation deficiencies in terms of security tools and solutions. And remediating deficiencies in terms of operational issues. Together, these three areas can take time – no question about it – all the more reason for working with a proven, trusted firm with years of experience in helping service organizations all throughout the country, and that’s NDB.

(3). Documentation is Critically Important. Yes, it is. And when we speak about documentation, we’re talking about policies and procedures that need to be in place. Think access control, data backup, incident response, change management, and much more. Do you have policies and procedures in place for these areas – if not – you’ll need to start documenting them, and now. NDB offers a full-spectrum of policy templates – just another reason why service organizations turn to us time and time again.

Here's a short-list of information security policies and procedures you’ll need for becoming – and staying – SOC 2 compliant:

  • Access control policies and procedures
  • Data retention and disposal policies and procedures
  • Incident response policies and procedures
  • Change management policies and procedures
  • Contingency planning
  • Wireless Access
  • Usage policies

(4). Security Tools and Solutions will Need to be Acquired. The AICPA SOC framework is becoming more technical these days, meaning that a number of security tools and solutions are required for SOC 2 compliance. Think File Integrity Monitoring (FIM), Two-Factor Authentication (2FA), Vulnerability scanning, Data Loss Prevention (DLP) and more. This requires an investment in both time and money that many service organizations are unaware of until they begin the process.

  3495 Hits

How to Become SOC 2 Compliant?

Q: How to Become SOC 2 Compliant?

Answer: The process begins with what’s known as a SOC 2 Scoping & Readiness assessment, then culminates with the issuance of a SOC 2 Service Auditor’s Report. The readiness is the first step, and the audit report is the last step, so let’s fill in the blank and talk about all the steps in between on how to become SOC 2 compliant, courtesy of NDB, North America’s leading providers of SOC 2 compliance reports for service organizations.
Step-by-Step Process on How to Become SOC 2 Compliant.

1. Begin with a SOC 2 Scoping & Readiness Assessment: One of the most fundamentally important steps a service organization can take in becoming SOC 2 compliant is to begin with a SOC 2 Scoping & Readiness assessment. It’s not an additional cost that you have to incur, rather, an extremely beneficial and proactive pre-assessment process that helps identify control gaps, audit, scope, personnel participation, and so much more. Trying to become SOC 2 compliant with little or no preparation in the front-end is an actual recipe for disaster.

When performed by competent auditors, a SOC 2 Scoping & Readiness Assessment will ultimately save your organization both time and money in the long-run with SOC 2 compliance. To learn more, contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it. today.

2. Define the actual “Business Process”: As a service organization undergoing SOC 2 compliance, it’s important to identify what the actual business process is that’s going to be included in the scope of the SOC 2 audit. This is an important step because you’ll want to determine exactly what systems and related processes are going to be assessed and examined, thus mitigating any scope creep issues with the SOC 2 audit.

3. Choose the Relevant TSP’s: There are five (5) Trust Services Criteria to choose from – Security, Availability, Confidentiality, Processing Integrity, and Privacy. Each of them are unique, requiring a thoughtful analysis on which of the TSP’s you’ll want to include within the scope of your SOC 2 assessment. The vast majority of service organizations usually only choose the Security TSP, and that’s because it covers a large-range of critical I.T and operational issues and best practices.

  1674 Hits

Q: How Often are SOC 2 Reports Required?

Q: How Often are SOC 2 Reports Required?

A: We’re often asked “how often are SOC 2 reports required” and the best way to answer this is by giving you a little background on SOC 2 reporting. Generally speaking, service organizations will undergo an annual SOC 2 audit report, usually beginning with a SOC 2 Type 1 in the initial year, then followed up by subsequent SOC 2 Type 2 reports thereafter. With that said, it’s fairly easy to assume that SOC 2 reports are required annually, which again, is the generally accepted practice.

Any SOC 2 report older than a year in terms of reporting is often known as a “stale” report, meaning the assessment of controls is historically dated, giving the report only marginal – if any – use and applicability by the intended user. Here’s an example of how this plays out in the world of SOC 2 reporting.

Here's an Example of How Often a SOC 2 Report is Required

Let’s say you are Software as a Service (SaaS) provider in need of a SOC 2 report for your growing client base. You then engage with an auditing firm to determine scope, pricing, and also the actual assessment period for the SOC 2 audit. If you’re new to the SOC 2 auditing process, you’ll probably start with a scoping & readiness assessment, followed by a SOC 2 Type 1 audit, then a SOC 2 Type 2 audit. Let’s assume the following dates: You completed your SOC 2 Type 1 on June 30, 2019, and you then moved forward with a SOC 2 Type 2 audit report for an assessment period that covered July 1, 2019 – December 31, 2019.

  2778 Hits

Charles Denyer and Former Vice President Dick Cheney - Jackson Hole, Wyoming

From the final days of Watergate to the great financial crisis of 2008, Dick Cheney has been front-and-center in many of America’s most significant and consequential political events since the 1970's. Cheney’s political resume is nothing short of legendary – youngest Chief of Staff to ever serve a President of the United States, Wyoming’s lone Congressman for a decade, Secretary of Defense under the first President Bush, and the 46th Vice President of the United States under George W. Bush from 2001 to 2009.Dick Cheney Charles Denyer

  2210 Hits

Denver SOC 2 Type 1 and Type 2 Audits – Denver, Colorado – Boulder, Fort Collins, Golden

NDB offers comprehensive SOC 2 compliance assessments for businesses all throughout Colorado and the Rockies, from Denver to Boulder, Fort Collins, Golden, Colorado Springs, and all other geographic regions in Wyoming and Montana. The regulatory compliance landscape has shifted dramatically in recent years, requiring many businesses in and around Colorado to become SOC 2 compliant on an annual basis.

As for high-quality auditing services, fixed-fee pricing, and a household name that’s truly second-to-none, look no further than the experts at NDB. We’ve been on the frontlines of regulatory compliance for years, issuing SOC 2 reports all throughout North America for companies of all sizes and industries. From startups to multi-national organizations, NDB has the bandwidth and expertise for helping Colorado businesses succeed in today’s demanding world of regulatory compliance.

We are the SOC 2 Experts for Colorado Businesses – Fixed-Fee Pricing

Many businesses throughout the Denver area will no doubt have to undertake annual SOC 2 compliance – an assessment process that’s often looked upon as expensive, time-consuming and demanding – but not with the auditing experts at NDB. The key to SOC 2 auditing success is understanding many of the critical facets that constitute a successful audit, so take note of the following essential elements for helping your business when it comes to SOC 2 compliance:

  1538 Hits

SOC 1 SSAE 18 Type 2 Audits – Denver, Colorado, Boulder, Fort Collins

NDB offers SOC 1 SSAE 18 Type 2 reporting for service organizations all throughout the state of Colorado, including Denver, Boulder, Fort Collins, and other surrounding areas. As leaders in today’s complex compliance world we all live in, NDB provides competitively priced, fixed fee assessments for all services offered, which includes SOC 1 and SOC 2 reporting, and more. With technology companies littered throughout the state of Colorado, the high-tech boom is back – and here to stay – but with that also comes massive regulatory compliance mandates, such as SOC 1 SSAE 18, SOC 2, and more.

Important SOC 1 Considerations for Colorado Businesses

While most technology companies in the Denver areas “should” be opting for the more technically correct SOC 2 compliance, you’ll still find the likes of data centers and other tech-driven companies undergoing annual SOC 1 SSAE 18 assessments – which is still somewhat acceptable – though the shift to SOC 2 assessments is gaining tremendous momentum for technology businesses. With that said, here’s what Colorado services organizations need to know about SOC 1 SSAE 18 Type 2 compliance:

SOC 1 and SOC 2: As just briefly discussed, work with your auditor, communicate with your clients – and also have discussions internally as to what’s the best audit, then move forward accordingly. The more you discuss your needs with all relevant parties and stakeholders, the more clarity you’ll have as to which report – SOC 1 or SOC 2 – is the better fit.

Test Period: A SOC 1 SSAE 18 Type 2 assessment encompasses testing procedures over a defined test period – usually six (6) months – but there are circumstances where it can be a shorter test period, and even a longer one also. This ultimately depends on your reporting needs and client expectations.

  1459 Hits

SOC 2 for Startups - What you Need to Know NOW for SOC 2 Type 1 and Type 2 Compliance

Here is what you need to know about SOC 2 for Startups, provided by NDNB. 

 SOC 2 For Start Ups 2019

When it comes to SOC 2 for startups, NDNB has helped hundreds of businesses throughout the last decade. We have a proven process that works, saving you both time and money in today’s growing world of regulatory compliance reporting. To learn more about SOC 2 for startups, contact Christopher Nickell, CPA at 1-800-277-5415, ext. 706, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it. today.

  1580 Hits

SOC 1 vs. SOC 2 | AICPA | Understanding the Key Differences & Similarities and What You Need to Know

Thanks largely in part to the launch of the American Institute of Certified Public Accountants' (AICPA) SOC framework, the SOC 1 vs. SOC 2 discussion is well under way.

SOC stands for "System and Organization Controls", which allows qualified practitioners (i.e., licensed and registered Certified Public Accountants) to issue SOC 1, SOC 2, and/or SOC 3 reports.

After the SSAE 16 standard (which is used for issuing SOC 1 reports, and has been replaced with SSAE 18) effectively replaced the longstanding SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, there has been much debate regarding SOC 1 vs. SOC 2 – specifically, when are they applicable, what is the respective scope for each, and what similarities or differences do they each share.

System and Organization Control (SOC 1) reports are to be conducted in accordance with Statement on Standards for Attestation Engagements No. 18 (SSAE 18). This AICPA attestation standard was intended not only to replace SAS 70 and SSAE 16, but also to reincorporate the auditing process with the concept of internal controls over financial reporting, or ICFR.

The SOC framework places elevated importance on the ICFR component for service organization reporting, thus advocating service organizations to opt for SOC 1 if the organization has a true nexus with ICFR, such as those in the financial services industry.

  1999 Hits

SSAE 18 and Payroll and Check Processing Companies | Type 1 and Type 2 Reporting

SSAE 18 Type 1 and Type 2 reporting for payroll providers and check processing companies have a close relationship indeed. Many organizations outsource these material functions to service organizations that provide traditional payroll processing (including the entire lifecycle of the processing platform itself), printing and mailing of hard-copy checks, and multiple other critical services.

If you are a payroll and/or check processing company, or any other type of service organization providing critical services to the payroll industry as a whole, then SSAE 18 Type 1 and Type 2 reporting should be on your radar.

  1721 Hits

The Importance of SOC 2 Compliance Audits in Today’s Digitally Driven Economy

Information technology has created tremendous efficiencies and cost-savings for businesses all throughout the globe, many of which were seemingly not even thought to be possible in the last decade. Organizations everywhere are now even more nimble & proactive in critical decision-making processes than ever before. But with such big rewards also come incredibly large challenges, many relating to the safety and security of highly sensitive client data.

Today’s business platforms rely heavily on cloud-based services and platforms, ranging from the well-known Software as a Service (SaaS) offerings to Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and many other hybrid cloud models. While different in terms of offerings and functionality, all cloud platforms rely on critical services and related policies, procedures, and processes for ensuring their confidentiality, integrity, and availability (CIA).

Currently, the most widely recognized security assessment performed on cloud based businesses is the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) 2 audit. What makes SOC 2 such a well-known and highly respected auditing platform, one that’s embraced by thousands of companies around the world?

  1504 Hits

SOC 2 Audit Checklist for Amazon AWS Environments

Use our SOC 2 audit checklist if you’re using Amazon’s AWS cloud services and need to become SOC 2 compliant each year. With the migration to the cloud happening at record pace, tens of thousands of businesses are now being required to become SOC 2 compliant each year, and NDNB offers a proven process that’s efficient and comprehensive. Here’s what you need to know – and what you need to do – for ensuring your SOC 2 audit is a success.

1. Begin with a SOC 2 Scoping & Readiness Assessment:  Understanding scope and the what business processes are to be included within your SOC 2 audit is essential, and also for mitigating any type of scope creep issues. Because you’re hosting your services (i.e., your production environment) in AWS, it luckily means there are a number of benefits to be had with your SOC 2 audit. First, a large number of the physical security controls are covered by AWS themselves as their private data centers store your virtual server instances.

Second, AWS has a fair number of audit & compliance, and control tools & solutions that are easy to “spin up” in any environment, further helping alleviate compliance reporting requirements (more on this in point #3 below!)

2. Leverage AWS’ SOC Reports for Scope Reduction: For the CPA firm you hired to perform your SOC 2 audit, they’ll ask for you to obtain a copy of AWS’ most current SOC 2 report, and for a very obvious reason – scope reduction. A large number of the controls you’ll need for SOC 2 compliance are actually covered by AWS’ report. From physical and environmental controls – and more – leveraging AWS’ SOC 2 report is a must. Scope reduction = price reduction, something a well-versed SOC 2 auditor can explain to you. To learn more, contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today.

3. Identity and Utilize AWS’s Security and Compliance Tools: Familiar with CloudWatch and CloudTrail? CloudWatch logs reports on application logs, while CloudTrail Logs details on specific information on what occurred in your AWS account. These are just a few examples of the many tools that AWS has available for your growing security, governance, and regulatory compliance needs.

  4073 Hits

SOC 2 Audit Assessments & Reporting – Texas (Dallas, Houston, Austin) - Fixed Fees

NDNB provides comprehensive SOC 2 audit and compliance assessment services & SOC reporting for businesses in Dallas, Houston, Austin, and other surrounding locations in Texas. With increased regulatory requirements being placed on businesses all throughout North America – and the globe – now’s the time to talk to the experts at NDNB. We offer fixed-fee pricing and high-quality audit services, so contact Chris Nickell at 1-800-277-5415, ext. 706 to learn more about NDNB’s SOC 2 assessments for Texas businesses, or email Chris directly at This email address is being protected from spambots. You need JavaScript enabled to view it. today.

Comprehensive SOC 2 Services for Texas Businesses – Fixed Fees

Services offered by NDNB for businesses located in Dallas, Houston, Austin, and other surrounding locations in Texas include the following:

SOC 2 Scoping & Readiness Assessments: One of the most fundamentally important activities to be performed during the SOC 2 audit process is beginning with a scoping & readiness assessment; an invaluable function for helping service organizations adequately determine project scope, areas requiring remediation (i.e., policies and procedures, technical changes/modifications, etc.), assessing personnel needs, physical locations to visit, and more.

  1579 Hits

SOC 2 HIPAA Compliance & SOC 2 Audits

NDB offers fixed-fee SOC 2 HIPAA audit reports & assessments consisting of SOC 2 Type 1 and SOC 2 Type 2 audits for organizations seeking compliance with the Health Insurance Portability and Accountability Act (HIPAA). Ensuring the safety and security of Protected Health Information (PHI), Personally Identifiable Information (PII), and other forms of highly confidential consumer/patient data is now more important than ever.

Additionally, many of today’s main healthcare exchanges and large insurance carriers are requesting SOC 2 HIPAA reports from their downstream providers, which consist of thousands of organizations offering various healthcare related services.

  1983 Hits

SOC 2 Audit Process from A to Z for Compliance

Looking to learn about the SOC 2 audit process from beginning to end? A simple, yet comprehensive and easy-to-understand process on what it takes to become SOC 2 compliant for your organization? NDNB, one of North America’s leading providers of SOC 1 and SOC 2 audits offers the following A to Z explanation of the SOC 2 audit process.

Step 1: Understand Exactly what SOC 2 is.

Ask any number of professionals what SOC 2 is and you’ll probably get quite a few different answers. Some answers we hear are the following:

  • It’s an audit
  • It’s a certification
  • It’s a best practice for operations and information security
  • It’s a checklist that can be quickly completed

In simple terms – as simple as we can make it – System and Organization Controls (SOC) 2 is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) in which independent, third-party auditors (i.e., CPA’s) perform an assessment and subsequent testing of controls relating to the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality and/or Privacy.

  1754 Hits

SOC 2 for Startups – A Simple, Straightforward Approach to Compliance

SOC 2 for startups is an interesting topic as one would think that a small, relatively non-complex environment would be easy for obtaining SOC 2 (or even SSAE 18 SOC 1) compliance. Well, yes and no. Don’t you hate the political in the middle answer! Truth be told, the yes part of the answer is that working with a small group of professionals, generally located in one physical location, can make SOC 2 for startups easy going. The no part of the answer is that startups generally lack any type of real and meaningful policies, procedures, and processes. Change control processes? Probably not in place. Documented incident response procedures? Probably not well documented! Security awareness training? Hmm, nope, not being done! Get the picture. That’s the yes and no.

  4204 Hits
Since 2006, NDNB has been setting the standard for security & compliance regulations