What is SOC 2? System and Organization Controls (SOC) reports, originally named Service Organization Control reports, are defined by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report is an internal control report that gives a customer the information it needs to evaluate the risks of relying on an outsourced service provider.

An independent third party, a licensed CPA firm, performs a thorough examination of the service provider's internal control policies and processes, and issues an attestation report on whether those controls meet the AICPA's Trust Services Criteria. For a Type 2 report the examination covers a specified period of time.

The internal control policies and processes are evaluated against the five Trust Services Criteria of SOC 2 (formerly called the Trust Services Principles):

  • Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems.
  • Availability – Information and systems are available for operation and use as committed or agreed.
  • Processing Integrity – System processing is complete, valid, accurate, timely and authorized.
  • Confidentiality – Information designated as confidential is protected.
  • Privacy – Personal information is collected, used, retained, disclosed and disposed of properly.

What is the difference between Type 1 and Type 2?

  • Type 1 SOC 2 Report – Tests whether a service organization's controls are suitably designed as of a specific date, but not whether they operated effectively.
  • Type 2 SOC 2 Report – Includes all the information in a Type 1 report, but also supplies evidence of how effectively those controls operated over a specified period (commonly six to twelve months).

Why is it important for your IT Service Provider to have SOC 2?

IT service providers have access to critical systems and highly sensitive client data. They also store sensitive details about clients' infrastructure, such as network layouts, credentials and configurations, which could cause serious harm to those businesses if exposed.

SOC 2 Type 2 compliance is a strong standard for business owners and decision makers because it gives them confidence that the IT service provider they choose can deliver what it promises. A company that has completed a SOC 2 Type 2 attestation has had an independent auditor confirm that its controls were suitably designed and operated effectively over the review period. When evaluating a provider, read the report itself rather than relying on the badge: check which Trust Services Criteria and which systems are in scope, the period covered, and any exceptions the auditor noted.