The SOC 2 Privacy Principle is one (1) of the five (5) Trust Services Principles (TSP) put forth by the American Institute of Certified Public Accountants (AICPA) within the SOC 2 reporting framework. In today’s growing world of regulatory compliance, much emphasis is now being placed on the “Privacy” principle, which the AICPA defines as the principle that “…addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants…”.
Source: http://www.aicpa.org/
Many service organizations assume that the privacy policy posted on their website is enough to satisfy the SOC 2 Privacy Principle. This is generally not true. Instead, the Privacy Principle should be looked upon as a collection of processes, procedures, legal documents, and other best practices for ensuring the safety and security of highly sensitive and confidential consumer data, often known as Personally Identifiable Information (PII).
Therefore, meeting the rigors of the AICPA Privacy Principle should generally consist of the following:
SOC 2 compliance in Canada is growing each year as more and more Canadian companies are being asked for assurances about the internal control environments supporting the services they provide to customers. From data centers to Software as a Service (SaaS) entities – and more – SOC 2 compliance in Canada is here to stay. With that said, take note of the following five (5) important elements regarding SOC 2, ranging from its background to pricing, and more.
1. Learn about the five (5) Trust Services Principles (TSP). The SOC 2 trust principles consist of the following:
- The security of a service organization's system.
- The availability of a service organization's system.
- The processing integrity of a service organization's system.
- The confidentiality of the information that the service organization's system processes or maintains for user entities.
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.
2. Changes are in place for SOC 2 compliance for Canadian businesses. The SOC 2 Trust Principles are part of the AICPA Service Organization Control (SOC) framework, which allows for three (3) reporting options – SOC 1, SOC 2, and SOC 3. SOC 2 has quickly become the global “go to” assessment standard for technology service organizations in Canada; data centers, SaaS entities, software development organizations, and many other businesses are an excellent fit for the SOC 2 framework.
And if you are curious about the SOC 1 vs. SOC 2 debate, SOC 1 reporting “should” be used primarily for reporting on service organizations with a close affiliation to the concept known as “Internal Controls over Financial Reporting” (ICFR). Think banks, trust departments, actuaries – companies whose internal controls truly have financial implications. We at NDNB put “should” in quotes because many service organizations are still being issued SOC 1 reports when they are really candidates for SOC 2 reporting. However, this is changing as more and more companies become educated on the entire AICPA Service Organization Control (SOC) framework and start to realize the true benefits of SOC 2 reporting over SOC 1 reporting.
Now, back to SOC 2! For reporting periods on or after December 15, 2014, SOC 2 will consist of the following general areas:
- Organization and management
- Communications
- Risk management and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management
3. Operational and Technical Changes. One of the biggest challenges – often the biggest – for SOC 2 compliance is putting in place the operation-specific processes and procedures auditors request. It means spending untold hours confirming such measures are in place and formalizing them to ensure compliance with the SOC 2 mandates. Companies are very good at what they do – or they wouldn’t be in business – but unfortunately many also loathe the formality of compliance. Let NDNB help in formalizing your processes and procedures when it comes to SOC 2 compliance for Canada.
4. Defining Scope. Remember that there are five (5) Trust Services Principles: (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy. Thus, as a service organization, you’ll need to decide which of the five – one, a few, or all of them – are to be included within the scope of your SOC 2 assessment. How to decide? By carefully understanding your specific business platform and balancing that with the reporting needs of the intended users of the report. SOC 2 reports for Canadian Software as a Service (SaaS) entities, for example, almost always include the TSPs of “security” and “availability”, while a SOC 2 assessment for a healthcare company should assess against the “confidentiality” and “privacy” Trust Services Principles (TSP). Again, scoping and choosing the correct TSPs are a big part of SOC 2 compliance for Canadian companies.
5. It’s an Annual Commitment. If you’re being asked to become SOC 2 compliant by a customer, regulatory body, or any other significant entity, then welcome to the world of regulatory compliance. More specifically, get used to the SOC 2 compliance mandate on an annual basis, which means you should seek out a qualified and reputable CPA firm that can provide a 3- or 5-year fixed-fee proposal. From Vancouver to St. Catharines – and many other locations throughout Canada – NDNB has a well-established track record of providing high-quality, fixed-fee regulatory compliance audits, so contact us today.
Call Christopher Nickell, CPA, today at 1-800-277-5415, ext. 706, or contact him by email, to learn more about the NDNB SOC 2 Canada service, along with our numerous other regulatory compliance offerings, such as SOC 1 and SOC 3 assessments, PCI DSS compliance, HIPAA compliance, and much more.
SOC 2 Type 2 reporting & compliance is a growing trend in today’s world of never-ending regulations and industry-specific mandates. With the pronouncement of the Service Organization Control (SOC) framework, which consists of SOC 1, SOC 2, and SOC 3 reporting, the SOC 2 standard has become the de facto reporting platform for technology-oriented organizations, and for good reason. From managed services providers to data analytics entities – just to name a select few – SOC 2 Type 2 reporting & compliance is here to stay. With that said, it’s important to gain a strong understanding of the following critical elements regarding SOC 2 Type 2 reporting & compliance.
The SOC 2 trust principles are criteria-based provisions consisting of what’s essentially known as the Trust Services Principles (TSP): the same five principles (security, availability, processing integrity, confidentiality, and privacy) listed above.
Furthermore, SOC 2 reporting & compliance is technically part of the AICPA Service Organization Control (SOC) framework, which allows for three (3) reporting options – SOC 1, SOC 2, and SOC 3. Please also note that the SOC 2 Trust Principles, which have been revised for reporting periods on or after December 15, 2014, consist of the same seven general areas listed above, from organization and management through change management.
The SOC 2 standard, which is part of the AICPA Service Organization Control (SOC) reporting framework for service organizations reporting on their internal control environment, has become an increasingly well-known audit assessment. Launched to help replace the aging and often misused SAS 70 auditing standard, the SOC 2 standard is now the de facto auditing framework for technology-oriented service organizations – data centers, managed services providers, software development entities, and many others. With that said, here's what you need to know about the SOC 2 standard, provided by NDNB Accountants & Consultants, a nationally recognized IR CPA firm offering fixed-fee engagements.
1. SOC Framework. The SOC 2 standard is a subset of the AICPA Service Organization Control (SOC) framework, a family of assessments that consists of SOC 1, SOC 2, and SOC 3. It was a move by the AICPA to fundamentally restructure and change the way service organizations undertake auditing of their internal control environments. Gone is the one-size-fits-all approach (i.e., SAS 70), as service organizations now have three (3) options to choose from.
2. SOC 2 Standard and Technology. The vast majority of organizations undertaking SOC 2 assessments are technology oriented – those just discussed above (data centers, etc.) – and that's because the SOC 2 standard, and its supporting framework, is designed for such organizations. The SOC 2 standard utilizes what's known as the "Trust Services Principles" for assessing a service organization, and these TSPs are heavily weighted toward information security best practices.
The SOC 2 trust principles are criteria-based provisions consisting of what’s technically known as the Trust Services Principles (TSP): the same five principles (security, availability, processing integrity, confidentiality, and privacy) listed above.
Additionally, the SOC 2 Trust Principles are part of the AICPA Service Organization Control (SOC) framework, which allows for three (3) reporting options – SOC 1, SOC 2, and SOC 3. SOC 2 has quickly become the de facto assessment standard for technology-oriented service organizations – and rightfully so – as data centers, SaaS entities, software development organizations, and many other businesses are an ideal fit for the SOC 2 framework. The SOC 2 Trust Principles, which have been revised for reporting periods on or after December 15, 2014, are now structured into the seven (7) general areas listed above, from organization and management through change management.
The SOC 2 Security Principle is one of the five (5) Trust Services Principles (TSP) utilized when conducting SOC 2 assessments on today’s growing list of technology-driven service organizations. It has also become the most widely known of all the TSPs, as it provides a solid baseline when assessing companies for SOC 2 compliance. As for the TSPs themselves, look upon them as a set of broad-based provisions consisting of prescriptive criteria for a large number of information security and operational best practices.