SOC 2 for managed services organizations, such as those offering managed network, O/S, and application-specific services, is a growing trend, ultimately requiring many organizations to become compliant with the AICPA Service Organization Control (SOC) reporting framework. It is thus critically important to understand scope considerations for SOC 2 managed services reporting, along with the other essential issues that determine whether the assessment process is efficient and cost-effective. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets; they make a real difference in helping service organizations save thousands of dollars on SOC compliance. With that in mind, take note of the following critical points regarding SOC 2 managed services assessment reporting.
1. Properly define scope. Keep in mind that the SOC 2 framework allows service organizations to report on up to five (5) of the Trust Services Principles (TSPs). Some organizations report on only one, or a few, while others undertake assessments covering all five TSPs. What dictates how many TSPs are included in a report is simply which services you choose to bring within the scope of the assessment, and for a managed services provider that comes down to your managed service offerings. As a minimum baseline, expect a SOC 2 managed services assessment to include the following TSPs: (1) Security and (2) Availability. Together, these two (2) TSPs cover the critical security measures applicable to a managed services entity.