FAQ: What are the SOC 2 criteria?

FAQ: What are the SOC 2 criteria?

The five SOC 2 criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

  • Security:
    • Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
  • Availability:
    • Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing Integrity:
    • System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives (over the provision of services or the production, manufacturing, or distribution of goods)
  • Confidentiality:
    • Addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives.
  • Privacy:
    • Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Additional FAQs

How does a company get SOC 2 certified?

SOC 2 is not a certification, it’s a third party attestation of the controls in place at your organization. Typically when a company is asking this question though the answer

What is SSAE 18 (formerly SSAE 16)?

The SSAE 18 audit standard is a framework for reporting on an examination of controls at a service organization relevant to user entities’ internal control over financial reporting.

Get Our Emails

SOC Reporting Guide