Today is a great day for abbreviations, don’t you think? Great, let’s go. System and Organization Controls (SOC), introduced by the American Institute of Certified Public Accountants (AICPA), is the name of one of the more common compliance requirements that (tech) companies should meet today based on the Trust Services Criteria (TSC). Are you still following?
SOC 2 is not a prescriptive list of controls, tools or processes. Rather, it cites the criteria required to maintain robust information security, allowing each company to adopt the practices and processes relevant to their own objectives and operations.
Both SOC 2 and ISO – remember that one? – are internationally recognised standards that involve an independent audit by a third party. The difference is that SOC 2 is primarily used in the US and that it does not result in a certification, but in an attestation report. Through that report, a CPA-licensed firm validates that general internal controls related to information systems are in place to secure the service you provide to your customers.
The Trust Services Criteria
As mentioned before, the requirements are based on five TSC. These criteria are security, availability, processing integrity, confidentiality and privacy. Check them out:
- Security refers to the protection of information and systems from unauthorised access.
- Availability is whether the infrastructure, software or information is maintained and has controls for its operation, monitoring and maintenance.
- Processing integrity ensures that systems perform their functions as intended and are free from error, delay, omission and unauthorised or inadvertent manipulation.
- Confidentiality addresses the company’s ability to protect data that should be restricted to a specified set of persons or organisations.
- Privacy criteria speak to an organisation’s ability to safeguard personally identifiable information from unauthorised access.
Who does SOC 2 apply to?
SOC 2 applies to any technology service provider or SaaS company that handles or stores customer data. Third-party vendors, other partners or support organisations that those companies work with should also maintain SOC 2 compliance to ensure the integrity of their data systems and safeguards.
Why should they? Well, besides SOC 2 being a great rhyme word, it’s an incredible way for organisations to show customers and other stakeholders that they care about securing their data. The rigorous compliance requirements, which are put to the test in the on-site audit, ensure that sensitive information is being handled responsibly. This is likely to give organisations a competitive advantage, since being SOC 2 compliant assures others that they have the infrastructure, tools and processes to protect their information from unauthorised access.
What is also noteworthy is that organisations that implement the necessary controls are less likely to suffer data breaches or violate users’ privacy. This protects them from negative effects such as regulatory action and financial or reputational damage. Win-win, right?
To sum up: in practice, being SOC 2 compliant demonstrates that your organisation maintains a high level of information security. This has a lot of advantages and not a single disadvantage, which is a great way to close this case. SOC 2, who? SOC 2, woohoo!