SOC 2 criteria is often a phrase used in context when referring to Service Organization Control (SOC) 2 assessments being mandated on many of today’s technology oriented businesses. From software development companies to data centers, managed service providers – and others – SOC 2 compliance, and the understanding of what specifically is SOC 2 criteria – are front and center in today’s world of regulatory compliance. NDNB Accountants & Consultants, nationally recognized experts in SOC 2 reporting, provides the following introduction and overview to SOC 2 and the technical merits of SOC 2 criteria.
1. Understanding what SOC 2 is. SOC 2 is essentially a reporting component of the overall Service Organization Control (SOC) framework put forth by the AICPA that effectively replaced the old, antiquated, and often misused SAS 70 auditing standard. Simply stated, it’s an assessment of a service organization’s internal controls, one that focuses primarily on technology companies, such as data centers, managed service providers, Software as a Service (SaaS) entities, and many others. Because of the growth in technology, SOC 2 itself has seen tremendous visibility in recent years, and will continue to do so, perhaps even eclipsing its SOC 1 counterpart in terms of service organization reporting on controls.
2. The Trust Services Principles (TSP). What are the TSP’s, they’re essentially the following set of criteria based provisions for which service organizations are tested against for purposes of Service Organization Control (SOC) 2 reporting in accordance with the AICPA standard:
- Security: That the system is protected against unauthorized access, both physically and logically.
- Availability: That the system is available for operation and use as committed or agreed.
- Processing Integrity: That System processing is complete, accurate, timely, and authorized.
- Confidentiality: That the information held by an organization is securely protected.
- Privacy: That personal information is protected.
3. What are the mandates for SOC 2 “Criteria”? The criteria based provisions within the five (5) Trust Services Principles mandate that service organizations have in place various information security and operational specific procedures and processes. In fact, when you look at the core requirements of each of the TSP’s in regards to the criteria, they highlight the importance of having comprehensive processes and procedures in place for a broad range of activities.
4. Assessing Scope. Because there are five (5) Trust Services Principles – and their respective criteria – to choose from when undertaking SOC 2 compliance, it’s vitally important to have a strong understanding of scope. While the vast majority of service organizations can – and do – teat against the “Security” and “Availability” TSP’s, the additional three (3) TSP’s may be required within your scope. This greatly depends on client expectations, along with expert guidance from a high-quality CPA firm specializing in SOC 2 compliance, and that’s NDNB.
5. It’s an annual commitment. The world of regulatory compliance continues to expand and grow aggressively, forcing many service organizations to undertake SOC 2 assessments – and other compliance audits – on an annual basis. It’s therefore important to find a firm that can provide audit efficiencies by combining many of the redundancies within various compliance mandates, ultimately resulting in increased efficiencies and cost savings.