
The SOC 2 Security Principle is one of the five (5) Trust Services Principles (TSP) used when conducting SOC 2 assessments of today's growing list of technology-driven service organizations (the AICPA now calls them the Trust Services Criteria, grouped into five categories, but the older term is still widely used). Security is the most widely known of the five because it is the one principle every SOC 2 report must include; the other four are brought into scope only when the service organization's commitments call for them. As for the TSP's themselves, think of them as a set of broad provisions consisting of criteria for a large number of information security and operational best practices. The criteria describe the outcome to be achieved; the service organization designs, documents, and operates the specific controls that meet them.

"SOC 2 criteria" is a phrase often used when referring to the Service Organization Control (SOC) 2 assessments now being required of many technology-oriented businesses. From software development companies to data centers, managed service providers, and others, SOC 2 compliance, and an understanding of what specifically the SOC 2 criteria are, is front and center in today's world of regulatory compliance. NDNB Accountants & Consultants, nationally recognized experts in SOC 2 reporting, provides the following introduction and overview of SOC 2 and the technical merits of the SOC 2 criteria.

1. Understanding what SOC 2 is. SOC 2 is a reporting component of the overall Service Organization Control (SOC) framework put forth by the AICPA. That framework replaced the old, often misused SAS 70 auditing standard: SOC 1 (originally issued under SSAE 16, now SSAE 18) took over SAS 70's role for controls relevant to financial reporting, and SOC 2 was introduced alongside it to cover the security and operational controls that SAS 70 was never designed to address. Simply stated, SOC 2 is an assessment of a service organization's internal controls that focuses primarily on technology companies, such as data centers, managed service providers, Software as a Service (SaaS) entities, and many others. Because of the growth in technology services, SOC 2 has seen tremendous visibility in recent years and will continue to do so, perhaps even eclipsing its SOC 1 counterpart in terms of service organization reporting on controls.

The SOC 2 requirements for many businesses today include reporting on a large number of operational and information security policies, procedures, and processes within the organization. Today's growing compliance mandates are pushing many technology-oriented service organizations to become SOC 2 compliant on an annual basis (a SOC 2 Type 2 report covers a defined review period, so customers generally expect a fresh report each year). With that said, it's vitally important to learn about the essential topics regarding SOC 2, beginning with the following:

1. Learn about the five (5) Trust Services Principles (TSP). The Trust Services Principles are a set of criteria-based provisions that form the core of the SOC 2 requirements. They consist of the following:

  • Security: The system is protected against unauthorized access, use, or modification, both physically and logically. This principle is mandatory in every SOC 2 report.
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the organization's privacy notice and commitments.

Simply stated, the TSP's require organizations to have documented information security and operational policies, procedures, and processes in place, and to operate them consistently, for purposes of ensuring compliance.

A number of important issues and considerations arise when undertaking SOC 2 reporting for your organization. Specifically, it's critical to gain a strong understanding of the following issues relating to the SOC 2 principles.

1. SOC 2 Differs from SOC 1. SOC 2 compliance is geared directly toward the ever-growing number of technology-oriented businesses looking for a comprehensive framework for validating a large number of security controls and best practices. Initially slow to catch on, SOC 2 has gained tremendous momentum in the marketplace. SOC 1, by contrast, was issued under the SSAE 16 professional standard (since superseded by SSAE 18), and its focus is on service organizations with a nexus to their customers' financial reporting, such as trust and actuarial entities, third-party administrators (TPA's), and the like.

Gain a strong SOC 2 overview today from NDNB Accountants & Consultants, nationally recognized providers of regulatory compliance audits and assessments, including SOC 1, SOC 2, and SOC 3 compliance, along with PCI, HIPAA, FISMA, ISO, and many other industry mandates. Want to learn more about the AICPA Service Organization Control (SOC) framework? Then take note of the following points regarding SOC 2 assessments.

1. SOC 1 vs. SOC 2. It's important to understand the technical differences between SOC 1 and SOC 2. SOC 1 reports were issued under the AICPA SSAE 16 professional standard, while SOC 2 reports used the little-known AT Section 101 attestation standard. Both have since been recodified under SSAE 18 (AT-C section 320 for SOC 1; AT-C sections 105 and 205 for SOC 2), but the difference in purpose remains: SOC 1 is geared toward service organizations with a true "nexus" to their customers' internal control over financial reporting, while SOC 2 is for technology-oriented service organizations reporting on security and operational controls. They are quite different, no question about it, so understanding these technical differences, and many others, is crucial.

A SOC 2 readiness assessment is essential for almost any service organization new to the AICPA Service Organization Control (SOC) framework. Given the important scope considerations and policy documentation requirements for these assessments, a readiness assessment is a proactive and necessary element for auditing success. Though SOC 2 can "technically" be looked upon as prescriptive, since the Trust Services Principles (TSP) lay out the criteria a service organization must meet, the criteria describe outcomes rather than specific controls. The service organization decides how to meet each criterion, and the evidence an auditor asks for depends on the controls it chose, so there is real room for judgment on both sides.

Additionally, from a scope perspective, there are five (5) Trust Services Principles, and deciding which of the five to include in the report is also critical. Security is always in scope; the remaining four are included only when they are relevant to the services provided and to the commitments made to customers (for example, Availability for a hosting provider with uptime commitments, or Privacy for an organization that processes personal information on behalf of its customers). All the more reason for engaging an experienced CPA firm to undertake a SOC 2 readiness assessment.

The Many Benefits of a SOC 2 Readiness Assessment

Furthermore, a SOC 2 readiness assessment helps determine one of the most important reporting requirements of the Service Organization Control (SOC) framework: which formalized processes, procedures, and other supporting initiatives need to be in place. Processes and procedures, from both an information security and an operational perspective, are a large part of SOC 2 compliance, all the more reason for undertaking a readiness assessment. More specifically, essentially all five (5) TSP's require comprehensive processes and procedures to be in place and operating, since the auditor tests not only that a policy exists but that it was actually followed (for a Type 2 report, throughout the review period).

NDNB, a nationally recognized CPA firm with years of regulatory compliance experience, has assisted numerous clients in putting in place the information security and operational processes and procedures needed to help ensure compliance with the SOC 2 reporting framework. Interestingly, the entire SOC framework, including SOC 1 and SOC 3, is also highly dependent on having documented information security and operational processes and procedures in place. It's a big, and often overlooked, component of regulatory compliance, so please keep that in mind.

SOC 2 is Surpassing SOC 1 in Adoption and Use

SOC 2 compliance continues to gain immense traction as more and more technology-oriented service organizations adopt it as the primary framework for reporting on controls, possibly even outpacing the better-known SOC 1 (SSAE 18) report. For this reason, it's critically important to gain a strong technical and operational understanding of SOC 2, which begins with a SOC 2 readiness assessment by a nationally recognized CPA firm that specializes in regulatory compliance, and that's NDNB.

With competitive fixed fees and high-quality audit services, NDNB is the right choice for any organization's regulatory compliance needs. Call Christopher G. Nickell, CPA, today at 1-800-277-5415, ext. 706, or email him to learn more about NDNB's SOC 2 readiness assessment fixed fee pricing, along with our competitive pricing for all your SOC reporting needs and for PCI DSS, HIPAA, and other regulatory compliance mandates.
