What is System and Organization Controls 2 (SOC 2)?
SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data.
SOC 2 is not a prescriptive list of controls, tools, or processes. Rather, it cites the criteria required to maintain robust information security, allowing each company to adopt the practices and processes relevant to their own objectives and operations.
What are the Trust Services Principles of SOC 2?
SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.
The five trust services criteria are detailed below:
- Security refers to the protection of information and systems from unauthorized access. This may be through the use of IT security infrastructures such as firewalls, two-factor authentication, and other measures to keep your data safe from unauthorized access.
- Availability addresses whether the infrastructure, software, or information is maintained and has controls for operation, monitoring, and maintenance. This criterion also gauges whether your company maintains minimal acceptable network performance levels and assesses and mitigates potential external threats.
- Processing integrity ensures that systems perform their functions as intended and are free from error, delay, omission, and unauthorized or inadvertent manipulation. This means that data processing operations work as they should and are authorized, complete, and accurate.
- Confidentiality addresses the company’s ability to protect data that should be restricted to a specified set of persons or organizations. This includes client data intended only for company personnel, confidential company information such as business plans or intellectual property, or any other information required to be protected by law, regulations, contracts, or agreements.
- Privacy speaks to an organization’s ability to safeguard personally identifiable information from unauthorized access. This information generally takes the form of a name, Social Security number, or address, or other identifiers such as race, ethnicity, or health information.
Types of SOC 2 Reports
There are two types of SOC 2 reports:
- Type I describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.
- Type II details the operational effectiveness of those systems.
Who Does SOC 2 Apply To?
SOC 2 applies to any technology service provider or SaaS company that handles or stores customer data. Third-party vendors, other partners, or support organizations that those firms work with should also maintain SOC 2 compliance to ensure the integrity of their data systems and safeguards.