SOC 2 compliance for data centers has become a common reporting platform because the five (5) Trust Services Principles used for SOC 2 reporting are well suited to reporting on today's growing number of technology-oriented service providers. With Software as a Service (SaaS) and on-demand technology offerings growing larger every year, data centers are quickly becoming the main providers of the core network infrastructure supporting such platforms.
From critical network-layer protection (firewall, web filtering, and IDS services) to managed O/S and managed application offerings, data centers are front and center in today's growing world of technology services. As such, heavy regulatory compliance burdens continue to be placed on these facilities, with traditional assurance reporting historically based on the SAS 70 auditing standard and now on the current AICPA SSAE 18 standard.
SOC 2 Compliance for Data Centers is Growing - Learn Why
But a shift has occurred, one that started in 2012, with more and more data centers and managed services providers opting for SOC 2 reporting, either in conjunction with SOC 1 SSAE 18 reporting or by requesting SOC 2 compliance alone. Why? Because all parties involved in third-party assurance reporting (auditors, clients, intended users of such reports, regulators, etc.) have become more informed, educated, and aware of the benefits of the SOC 2 framework and its five (5) Trust Services Principles.
This means clients and other interested parties utilizing data center services will continue to push for SOC 2 reporting, and that's good for the industry, as the SOC 2 framework is an excellent platform for testing and validating critical areas within a data center's daily operational practices. With that said, take note of the following critical points relating to SOC 2 compliance for data centers, brought to you by NDNB Accountants & Consultants, national providers of SOC compliance and numerous other assessment services.
1. Which Trust Services Principles (TSP) to use? There are five (5) Trust Services Principles that can technically be used for SOC 2 reporting, yet for data centers, at a minimum, the "security" and "availability" TSPs should be included, as they highlight the essential controls and best practices used by such entities.
2. Audit efficiencies. PCI, HIPAA, GLBA compliance, and other audit and assessment mandates can all be efficiently combined when conducting testing for SOC 2 compliance. The main reason is that a large number of the operational and security controls and related criteria tested for SOC 2 compliance can effectively be used as evidence for many of today's growing audit mandates. We call it audit efficiency, and it's a practice NDNB has been perfecting for many years. Talk to Christopher Nickell, CPA at NDNB, to learn more. He can be reached by phone at 1-800-277-5415, ext. 706, or by email.
3. SOC 2 compliance is flexible and adaptable. Though the Trust Services Principles put forth specific language regarding each "principle" and its related "criteria", the framework still allows a fair amount of flexibility as to what suffices for meeting its intent, rigor, and spirit. It is prescriptive in nature, yet still flexible and adaptable, making it an excellent choice for reporting on today's complex technology service providers. From data centers to Software as a Service (SaaS) entities, SOC 2 is becoming a familiar face, and for very good reasons. More specifically, SOC 2 is an excellent framework for reporting on everything from basic data center "ping, power and pipe" controls to those relating to managed services, such as managed O/S and managed applications.
4. Scoping is critical. For SOC 2 compliance for data centers, it comes down to which of the five (5) Trust Services Principles (TSP) you are looking to report on: one, a few, or possibly even all five (5). This is highly dependent on the services offered, from traditional ping, power, and pipe to fully managed services, such as managed O/S and managed applications. Furthermore, it also depends on what your clients are requesting, if they themselves even truly know, which is all the more reason to discuss SOC 2 compliance for data centers with an experienced, IR CPA firm that's well-versed in SOC 2 issues. Call Chris Nickell today at 1-800-277-5415, ext. 706, or email him to learn more about SOC 2 compliance for data centers.