"Without a standard there is no logical
basis for making a decision or taking action."
Joseph M. Juran
A SOC 2 Report (System and Organization Controls Report) is based on the Trust Services Criteria (TSP Section 100) issued by the AICPA (American Institute of Certified Public Accountants) that are relevant to the Security, Availability, Processing Integrity, Confidentiality or Privacy of a service organization.
There are two types of SOC 2 reports:
- Type I reflects your standing on a specific date.
- Type II reflects your standing over a pre-defined period of time, most commonly 12 months.
WHO NEEDS SOC 2?
A SOC 2 Report provides assurance over the outsourced services that a service organization delivers. The report includes a detailed description of the service auditor's tests of controls and their results.
Cloud, hosting, colocation, network administration, or any other type of third-party service provider may be required to certify against SOC 2.
The two major reasons for conducting a SOC 2 engagement include:
- A SOC 2 report is required by the companies that use your services as a third-party vendor.
- A SOC 2 report will attest to your commitment to security and will demonstrate that your practices are adequate to anyone who is concerned about one or more of the Trust Services Criteria.
TALK TO US
The Seven Security Group team for SOC 2 engagements consists of information security professionals (CISA, CISSP, CEH) and Certified Public Accountants (CPA) with the aim to meet all quality auditing and reporting requirements of the specific professional standards established by the AICPA.
Seven Security Group will assist you throughout the entire SOC 2 engagement in order to perform all activities related to preparation, remediation and testing. As a final step, the SOC 2 report will be made available to you.
Our involvement in a typical SOC 2 project would usually consist of the following activities:
- Conduct a preliminary assessment (gap analysis) and find possible issues.
- Put together the required service descriptions.
- Provide guidance on producing a good management attestation.
- Select the proper mix of controls to fulfill requirements.
- Conduct tests and produce a report.
- Communicate the report and get approval from your management.
- Produce the formal SOC 2 Report.