FAQ: What are the SOC 2 criteria?

FAQ: What are the SOC 2 criteria?

The five SOC 2 criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

  • Security:
    • Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
  • Availability:
    • Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing Integrity:
    • System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives (over the provision of services or the production, manufacturing, or distribution of goods)
  • Confidentiality:
    • Addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives.
  • Privacy:
    • Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Additional FAQs

SOC1 vs SOC2: Differences?

At a high-level, SOC1 is about financial controls, while SOC2 focuses on information security controls. They serve different end-user customers and stakeholders.

What is SSAE 18 (formerly SSAE 16)?

The SSAE 18 audit standard is a framework for reporting on an examination of controls at a service organization relevant to user entities’ internal control over financial reporting.

We have a SOC 2. How much effort is GDPR?

Assuming your Company is subject to GDPR, the level of effort depends a lot on the maturity of Organizational and Privacy controls. The Organizational will be mostly met by implementation

Get Our Emails

SOC Reporting Guide