FAQ: What are the SOC 2 criteria?

The five SOC 2 criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

  • Security:
    • Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
  • Availability:
    • Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing Integrity:
    • System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives (over the provision of services or the production, manufacturing, or distribution of goods).
  • Confidentiality:
    • Addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives.
  • Privacy:
    • Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Additional FAQs

What is SSAE 18 (formerly SSAE 16)?

A SOC 1 Type 1 report typically costs on average anywhere between $10,000 and $20,000 USD, without the readiness assessment project which most organizations benefit from and can be an

What is a SOC 2?

The Service and Organization Controls 2 Report, formally known as a Service Organization Controls Report as of the most recent update to the SSAE 18 audit standard. A SOC 2 report

What is SSAE 18 (formerly SSAE 16)?

The SSAE 18 audit standard is a framework for reporting on an examination of controls at a service organization relevant to user entities’ internal control over financial reporting.

How does a company get SOC 2 certified?

SOC 2 is not a certification; it’s a third-party attestation of the controls in place at your organization. Typically when a company is asking this question though the answer
