What is SOC 2?
The System and Organization Controls (SOC) 2 Report will be performed in accordance with AT-C 205 and based upon the Trust Services Criteria, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1). The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1 which is focused on the financial reporting controls.
Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 was put in place to address demands in the marketplace for assurance over non-financial controls, and to prevent SOC 1 from being misused for that purpose in the way SAS 70 had been.
What are the Trust Services Criteria?
The Trust Services Criteria, which SOC 2 is based upon, are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each criterion has corresponding points of focus, which should be met to demonstrate adherence to the overall criteria and produce an unqualified opinion (no significant exceptions found during your audit). One benefit of the Trust Services Criteria is that the requirements are predefined, making it easier for business owners to know what compliance needs are required of them and for users of the report to read it and assess its adequacy.
Changes to SOC 2
The standard has evolved over the years to optimize and enhance the framework’s layout, controls, flexibility, and usefulness, as well as to align it with COSO to further facilitate its use in an entity-wide engagement. The most recent updates to SOC 2 occurred in 2022; they are not required for adoption, but are intended to help better support the 2017 criteria in:
- an environment of ever-changing technologies, threats and vulnerabilities, and other matters that may create additional risks to organizations.
- addressing changing legal and regulatory requirements and related cultural expectations regarding privacy.
- addressing data management (for example, data storage, backup, and retention), particularly when related to confidentiality.
- differentiating which points of focus related to privacy may apply only to an organization that is a data controller or only to an organization that is a data processor, as defined in the glossary. (Although this distinction is intended to assist management and the practitioner in identifying situations in which certain points of focus may be particularly relevant, the specific facts and circumstances of the organization’s operations should be considered when identifying and applying points of focus in a trust services engagement.)
SOC 2 Change Timeline
Further, beyond attesting to the SOC 2 criteria and categories, there are mappings to other relevant frameworks that can be included and addressed within a SOC 2 report to make it more flexible and useful to organizations. Click the following link to learn more about the SOC2+ Additional Subject Matter and how it can be leveraged to reduce overall compliance costs and effort.
Did you know? A business isn’t required to address all the principles; the review can be limited to only the principles that are relevant to the outsourced service being performed. Some example industries that might have a need for a SOC 2 include: SaaS providers, data centers/colocation facilities, document production, and data analytics providers.