What is SOC 2?
The requirements of System and Organization Control 2 are established by the American Institute of CPAs. SOC 2 defines criteria for managing customer data based on the five “Trust Service Principles”—security, availability, processing integrity, confidentiality and privacy.
A SOC 2 is a System and Organization Control 2 report. A SOC 2 report illustrate that service organizations receive and share with stakeholders to demonstrate that general IT controls are in place to secure the service provided.
SOC 2 is NOT a Certification
A SOC 2 is NOT a Certification but an audit report compiled by the Certified Public Accountants under the AICPA’s (American Institute of Certified Public Accountants). A CPA firm attests that controls are in place and either designed effectively.
SOC 2 Report Structure
- Independent auditor report
- Management’s Assertion
- Description of the system
- Auditor’s test of controls and result of tests
What is difference between SOC 2 Type1 Report and SOC 2 Type 2 Report?
A SOC 2 Type I report empahasize on the description of a service organization’s system, related control objectives, and the suitability of controls to achieve those objectives of a specific date and represents an auditor’s review and approval of your systems at that moment in time;
A SOC 2 Type II report shows not only that you understand the necessary security procedures with the addition of an assessment of the operating effectiveness of the controls to achieve the control objectives throughout a period of several months.