The SOC 2 principles consist of the following five (5) criteria-based provisions that service organizations must adhere to for purposes of Service Organization Control (SOC) 2 reporting in accordance with the AICPA standard:
- Security: That the system is protected against unauthorized access, both physically and logically.
- Availability: That the system is available for operation and use as committed or agreed.
- Processing Integrity: That system processing is complete, accurate, timely, and authorized.
- Confidentiality: That the information held by an organization is securely protected.
- Privacy: That personal information is protected.
What is worth noting about the SOC 2 principles is a number of important issues and considerations that arise when undertaking SOC 2 reporting for your organization. Specifically, it is critical to gain a strong understanding and overall awareness of the following issues relating to the SOC 2 principles.
1. SOC 2 Differs from SOC 1. SOC 2 compliance is geared directly towards the ever-growing number of technology-oriented businesses looking for a comprehensive framework for validating a large number of security controls and best practices. Initially slow to catch on, SOC 2 has gained tremendous momentum in the marketplace. SOC 1, by contrast, uses the SSAE 16 professional standard, and its focus is on service organizations with a nexus to financial reporting, such as trust and actuarial entities, TPAs, etc.
2. SOC 2 is spreading rapidly, and for good reason. Today’s ever-growing information technology world has put SOC 2 compliance front and center when it comes to regulatory compliance reporting. Data centers, Software as a Service (SaaS) entities, managed service providers, and many others are all being mandated to perform annual SOC 2 compliance assessments. With five (5) Trust Service Principles (TSP) to choose from, SOC 2 compliance is a perfect fit for any technology-oriented service organization.
3. Policies and Procedures are a BIG part of the SOC 2 Principles. One of the biggest challenges for organizations regarding SOC 2 compliance is information security policies and procedures: specifically, developing them and then providing that documentation to the auditors. This is often the biggest reason why delays and cost overruns occur in SOC 2 compliance efforts. It is therefore important to obtain a high-quality set of security policies and procedures to help ensure an efficient audit process. Try myinformationsecuritypolicy.com, which is highly recommended by NDNB.
4. Determining Scope for SOC 2 Compliance is Extremely Important. Ultimately, this means deciding which of the five (5) Trust Service Principles a service organization is going to include within the scope of the audit: one, a few, or possibly all five? A good rule of thumb is to start with at least the two (2) most well-known TSPs, namely “Security” and “Availability”. The reasoning is that, together, these two (2) TSPs can validate many of the core information security and operational controls within an organization.