Service Organization Control (SOC) 2 definition

SOC 2 or Service Organization Control 2 is an auditing process that ensures a company’s service providers are securely managing the company’s data to protect the interests of the organization as well as the privacy of customers.

SOC 2, developed by the American Institute of CPAs (AICPA), defines how customer data should be managed. That management is based on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. These five principles serve as the criteria for maintaining strong information security, and they allow companies and organizations to adopt practices and processes that are appropriate to their own objectives and operations.

What Is A SOC 2 Used For?

SOC 2 is used to assure a company’s customers and clients that the infrastructure, tools, and processes exist to protect their information from internal and external unauthorized access.

Being SOC 2 compliant means several things. Firstly, a SOC 2-compliant company or organization has a clear understanding of what normal operations look like. Knowing what normal looks like lets companies and organizations detect malicious or unrecognized activity, document system configuration changes, and monitor user access levels.

Secondly, a SOC 2-compliant company has the tools to identify risks. By recognizing threats, companies and organizations can alert the relevant parties to evaluate the threat and take the right action for the protection of data and systems against unauthorized usage or access.

Lastly, a SOC 2-compliant company has the appropriate information about security incidents. By having relevant information, companies and organizations can recognize the scope of the problem, remediate systems or processes as necessary, and restore data and process integrity.

Who Can Certify SOC 2?

SOC 2 is certified by external auditors working under a trusted, registered public accounting firm. These auditors assess whether a company complies with one or more of the five trust service criteria, based on the processes and systems in place. The external auditors review the IT infrastructure, internal controls, security protocols, and recovery processes.

Who Performs A SOC 2 Audit?

A SOC 2 audit is performed by independent Certified Public Accountants (CPAs) or CPA firms. CPAs should follow all current updates to each type of SOC 2 audit, which are established by the American Institute of Certified Public Accountants (AICPA). The AICPA requires that CPAs have the technical expertise, training, and certification to perform SOC 2 audits.

What Are SOC 2 Requirements?

SOC 2 requirements are based on the five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.

The first trust service criterion is security. Security is the protection of information and systems from unauthorized access. Protection can be achieved through IT security infrastructure such as firewalls, two-factor authentication, and other means of keeping data secured from unauthorized access.

The second trust service criterion is availability. Availability ensures that infrastructure, software, and information are maintained, and it also checks for controls over operation, monitoring, and maintenance. Availability also measures the company's or organization's ability to maintain a minimally acceptable level of network performance and to assess and minimize potential external threats.

The third trust service criterion is processing integrity. Processing integrity makes sure that systems perform in the way they are intended to, and that they are free from error, delay, omission, and unauthorized or inadvertent manipulation. Processing integrity ensures that processing operations work and that they are authorized, complete, and accurate.

The next trust service criterion is confidentiality. Confidentiality focuses on the ability of the company or organization to protect data that is restricted to a specified set of persons or entities. This data includes client information intended only for company personnel, sensitive company information such as business plans or intellectual property, and other data that is required by law, regulation, contract, or agreement to be protected.

Another trust service criterion is privacy. Privacy is the ability of the company or organization to safeguard personally identifiable information (PII) from unauthorized access. PII includes sensitive information such as names, Social Security Numbers (SSNs), ID numbers, addresses, medical records, and other identifiers.

What Is The SOC 2 Compliance Checklist?

The SOC 2 compliance checklist is used by companies and organizations to plan and prepare for successful SOC 2 compliance. The first action on the SOC 2 compliance checklist is to determine the objective of the SOC 2 report. Identifying why SOC 2 compliance matters to the organization provides the guidelines and target goals for the rest of the effort.

The second action on the SOC 2 compliance checklist is to identify the type of SOC 2 report the company or organization needs. Companies and organizations can choose between SOC 2 Type 1 and SOC 2 Type 2. SOC 2 Type 1 is a good starting point for companies or organizations that are beginning the SOC 2 compliance process. SOC 2 Type 2, on the other hand, is more comprehensive and insightful than Type 1, so it is a good add-on, especially if vendors and customers request it.

The next action on the SOC 2 compliance checklist is to define the scope of the audit. Defining the scope lets companies and organizations demonstrate a good grasp of their data security requirements and streamlines the process by excluding trust service criteria that do not apply to them. The scope is defined by choosing the trust service criteria that apply to the business, considering the type of data it stores or transmits.

The next action on the SOC 2 compliance checklist is to conduct an internal risk assessment. An internal risk assessment involves identifying the risks related to growth, location, or information security best practices. After the risks are identified, their scope is documented in terms of the threats and vulnerabilities found, along with the impact of each risk and the countermeasures that minimize it.

The next action on the SOC 2 compliance checklist is to perform a gap analysis and remediation. A gap analysis is important for understanding which policies, procedures, and controls are already in place and operationalized. Remediating the gaps with improved or new controls includes modifying workflows, introducing employee training modules, and creating new control documentation.

The next action on the SOC 2 compliance checklist is to implement stage-appropriate controls. Stage-appropriate controls align the controls with the chosen trust service criteria. The internal controls for each criterion are deployed through policies that establish what is expected and procedures that implement those policies.

The next action on the SOC 2 compliance checklist is to undergo a readiness assessment. A readiness assessment is undertaken with an independent auditor to check if the company or organization meets the minimum SOC 2 compliance checklist requirements to undergo a full audit.

The next action on the SOC 2 compliance checklist is to complete the SOC 2 audit. The SOC 2 audit is done by an authorized independent certified auditor who will generate the SOC 2 report.

The last action on the SOC 2 compliance checklist is to establish continuous monitoring practices. Continuous monitoring practices are needed to strengthen SOC 2 compliance, as SOC 2 audits happen every year.

How Many SOC 2 Controls Are There?

There are a variety of SOC 2 controls that companies and organizations implement based on the trust service criteria applicable to them. The five trust service criteria comprise a total of 64 individual criteria, and internal controls are deployed for each individual criterion. The common IT general controls are the following:

  • Control Environment
  • Communication and Information
  • Risk Assessment
  • Monitoring Activities
  • Control Activities
  • Logical and Physical Access Controls
  • System Operations
  • Change Management
  • Risk Mitigation

Is SOC 2 Only For Cloud?

Yes, SOC 2 is specifically designed for companies or organizations that store customer data in the cloud. SOC 2 assesses whether companies and organizations manage their customers' data safely and effectively within the cloud. The effectiveness and strength of the company's or organization's data protection are evident in the SOC 2 report.