The Service and Organization Controls 2 Report, formally known as a Service Organization Controls Report as of the most recent update to the SSAE 18 audit standard. A SOC 2 report can cover the design (type 1 report) or operating effectiveness (type 2 report) of controls around a Company’s system over any number of categories, including, Security, Availability, Confidentiality, Processing Integrity, and/or Privacy.
See our more detailed SOC 2 Report page for more information.
SOC 2 is not a certification, it’s a third party attestation of the controls in place at your organization. Typically when a company is asking this question though the answer
As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.)
Previously in SSAE-16 a Management Representation Letter was highly recommended and common practice, however, they were not explicitly required to be obtained except in certain existing subject matter sections. This
The five SOC 2 criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The availability criteria addresses how you go about ensuring the in-scope data and systems stay online and recoverability should go awry.
Organizations that handle financial transactions, especially those impacting external financial statements, are good examples of those who need SOC1 audits.
SOC Reporting Guide