SOC 2

Defining SOC

For starters, SOC refers to Service Organization Controls. These comprise a series of standards designed to help measure how well a given service organization controls its information. The purpose of these standards is to provide confidence and peace of mind for organizations when they partner with third parties. A SOC organization will have been audited by an independent certified public accountant who determined the firm has the appropriate SOC safeguards and procedures in place.


SOC 2 concerns the internal controls in place at the third-party service organization. For a company to receive SOC 2 certification, it must have sufficient policies and strategies that satisfactorily protect the client’s data.

The key distinction between SOC 1 and SOC 2 is that the latter is designed for more advanced IT service providers. These can include IT managed service providers, cloud computing vendors, data centers, Software-as-a-Service companies and more.

The SOC 2 framework includes five key sections, forming a set of criteria called the Trust Services Principles. These include:

1. The security of the service provider’s system.
2. The processing integrity of this system.
3. The availability of this system.
4. The privacy of personal information that the service provider collects, retains, uses, discloses and disposes of for user entities.
5. The confidentiality of the information that the service provider’s system processes or maintains for user entities.

SOC 2 type II

Just like SOC 1, SOC 2 reports come in two forms. Type I reports concern policies and procedures that were placed in operation at a specific moment in time. Type II reports, on the other hand, concern policies and procedures over a period of time: systems must be evaluated for a minimum of six months. This generally makes SOC 2 type II reports more comprehensive and useful than type I reports when considering a possible service provider’s credentials.

A company that has achieved SOC 2 type II certification has therefore proven that its system is designed to keep its clients’ sensitive data secure. When it comes to working with the cloud and related IT services, such performance and reliability are absolutely essential and increasingly required by regulators, examiners and auditors.