Service Organization Control 2 (SOC2)

Information security threats remain a significant concern for all organizations, including those which outsource essential business operations to third-party service providers such as SaaS or cloud-computing vendors. But why is that? Well, it’s due to mishandling sensitive data, which ultimately makes enterprises vulnerable to cybercrimes, such as malware, extortion, and data theft. 

What is SOC2 Compliance?

SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy.

FAQs

  • What does SOC2 stand for?

    Soc 2, pronounced “sock two” and more formally known as Service Organization Control 2, reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy.

  • What is a SOC2 report? How do I review a SOC report?

    A SOC 2 audit report provides detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and privacy controls, based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria).

  • What are the differences between SOC2 and SOC1?

    SOC 2 reports: The SOC 1 addresses internal control relevant to a service organization’s client’s financial statements. The SOC 2 report addresses a service organization’s controls that are relevant to its operations and compliance, as outlined by the AICPA’s Trust Services Criteria (TSC)

  • What is User Access Review?

    User access reviews (sometimes referred to as “access certification” or “access recertification”) are a periodic audit of existing access rights in your organization meant to remove unnecessary or outdated permissions, which are a risk to both cybersecurity and compliance.

  • How do I do a SOC2 access review?

    Best Practices for Reviewing User Access:

    • Create and keep an access management policy up to date. 
    • Establish a formal access review procedure. 
    • Implement role-based access control (RBAC) .
    • Implement the principle of least privilege. 
    • Provide temporary access instead of permanent access. 
    • Involve employees and management.