FAQ: How does a company get SOC 2 certified?

FAQ: How does a company get SOC 2 certified?

SOC 2 is not a certification, it’s a third party attestation of the controls in place at your organization. Typically when a company is asking this question though the answer is you start by understanding your scope (the system, SOC 2 categories, etc.), performing a readiness assessment, and then undergoing either a Type 1 and/or Type 2 assessment by a CPA firm. You’ll end up with a detailed report stating the effectiveness of your controls, which, ultimately is what someone would refer to as being SOC 2 certified.

Additional FAQs

Are Representation Letters Required in SSAE 18?

Previously in SSAE-16 a Management Representation Letter was highly recommended and common practice, however, they were not explicitly required to be obtained except in certain existing subject matter sections. This

What are the costs of SOC 2?

There are a lot of factors that go into responding to this question. There are audit, consulting, software, internal resources, and other factors to consider which can easily grow from

What is covered in the Availability criteria?

The availability criteria addresses how you go about ensuring the in-scope data and systems stay online and recoverability should go awry.

SOC1 vs SOC2: Differences?

At a high-level, SOC1 is about financial controls, while SOC2 focuses on information security controls. They serve different end-user customers and stakeholders.

Can I fail a SOC 2 audit?

Yes, failure to meet the relevant Trust Service Criteria may result in a failed SOC 2 audit, requiring remediation. This is known as a Qualified Opinion when this happens.

We have a small company, how do we segregate Board of Directors from Management, and then, also the Internal Audit function?

Depending on the size of your Company, you could look to another small business owner in a similar situation or trusted advisor to sit on each others board’s and create

Get Our Emails

SOC Reporting Guide