The SOC 2 principles consist of the following five (5) criteria based provisions for which service organizations are to adhere to for purposes of Service Organization Control (SOC) 2 reporting in accordance with the AICPA standard:
- Security: That the system is protected against unauthorized access, both physically and logically.
- Availability: That the system is available for operation and use as committed or agreed.
- Processing Integrity: That System processing is complete, accurate, timely, and authorized.
- Confidentiality: That the information held by an organization is securely protected.
- Privacy: That personal information is protected.
What’s interesting to note about the SOC 2 principles are a number of important issues and considerations when undertaking SOC 2 reporting for your organization. Specifically, it’s critical to gain a strong understanding and overall awareness of the following issues relating to the SOC 2 principles.
1. SOC 2 Differs from SOC 1. SOC 2 compliance is geared directly towards the ever-growing number of technology oriented businesses looking for a comprehensive framework for validating a large number of security controls and best practices. Initially slow to catch on, SOC 2 has gained tremendous momentum in the marketplace. As for SOC 1, which uses the SSAE 16 professional standard, its focus is on service organizations exhibiting a nexus with financial reporting, such as trust and actuarial entities, TPA’s, etc.
2. SOC 2 is spreading rapidly, and for good reason. Today’s ever-growing information technology world has put SOC 2 compliance front and center when it comes to regulatory compliance reporting. Data centers, Software as a Service (SaaS) entities, managed service providers – the list goes on and on – they’re all being mandated to perform annual SOC 2 compliance assessments. With five (5) Trust Service Principles (TSP) to choose from, SOC 2 compliance is a perfect fit for any technology oriented service organization.
3. Policies and Procedures are a BIG part of the SOC 2 Principles. One of the biggest challenges for organization’s regarding SOC 2 compliance is that of information security policies and procedures – specifically – developing them and thus providing such documentation to the auditors. It’s often the biggest reason why delays and cost overruns can occur for SOC 2 compliance. It’s therefore important to obtain a high-quality set of security policies and procedures for helping ensure an efficient audit process. Try myinformationsecuritypolicy.com, which is highly recommended by NDNB.
4. Determining Scope for SOC 2 Compliance is Extremely Important. Ultimately, it means deciding which of the five (5) Trust Service Principles service organizations are going to include within the scope of the audit – one, a few, or possibly all five? A good rule of thumb is to at least start with two (2) of the most well-known TSP’s, and that’s “Security” and “Availability”. The reasoning is because – together – these two (2) TSP’s can validate many of the core information security and operational controls within an organization.
5. Obtain a Fixed Fee for SOC 2 Compliance. SOC 2 pricing can vary greatly between different CPA firms, all the more reason to obtain a fixed fee for the entire engagement. Call and speak with Chris Nickell, CPA, today at 1-800-277-5415, ext. 706, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it. to learn more about NDNB’s fixed fee pricing for SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, and many other regulatory compliance reporting services. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
