Are you a cloud computing, SaaS, PaaS or IaaS provider that needs to perform annual SOC 2 compliance audits and assessments for your clients, to show that security best practices are being met and adhered to? If so, take note of the following SOC 2 compliance checklist for cloud computing and SaaS providers and vendors, courtesy of NDB Accountants & Consultants, LLP (NDB), North America’s leading provider of SSAE 16 SOC 1, SOC 2, HIPAA, and PCI DSS assessments:
1. Understand what SOC 2 is and what it isn’t. SOC 2 is NOT an ISO 27000 series audit, nor is it an ITIL assessment, nor any other such misconception. Rather, a SOC 2 assessment uses the Trust Services Principles (TSP) framework to evaluate a service organization’s internal controls against the prescribed set of “Common Criteria” found within the TSPs themselves. SOC 2 assessments therefore cover a wide range of controls, including operational, technical, and information security controls. Because of this, the SOC 2 framework also allows a high degree of customization, even to the point of incorporating other frameworks into the assessment (more on this in points 3 and 4).
2. Know the differences between SSAE 16 SOC 1 and SOC 2. Cloud computing and SaaS providers and vendors should generally not be performing SSAE 16 SOC 1 assessments, because that reporting is restricted to service organizations whose services could impact their clients’ financial reporting. The SOC 2 standard is geared heavily towards technology companies, and it also allows other frameworks to be incorporated into the SOC 2 report itself. While we still see many technology companies, such as data centers and managed services vendors, performing annual SSAE 16 SOC 1 compliance, this is changing, with more and more businesses opting for SOC 2 compliance, and rightfully so.