SYSTEM AND ORGANIZATIONAL CONTROL (SOC) COMPLIANCE

SOC 2 (System and Organizational Control) is an auditing process focused on a business's ability to properly implement and maintain oversight over proper security procedures. The American Institute of Certified Public Accountants (AICPA) developed SOC 2 to outline a basic structure for security measures while allowing flexibility based on the business's needs. For any business that handles client data, it is becoming increasingly important to achieve and maintain SOC 2 compliance to show that you have adequate security measures and controls in place.

SOC 2 Type 2

Should I be SOC 2 Type 1 or SOC 2 Type 2 certified?

For most organizations looking to achieve SOC compliance for the first time, SOC 2 Type 1 should be the initial goal; however, the ultimate goal is to become Type 2 certified.

So, what are the differences?

  • SOC 2 Type 1 - A Type 1 report covers security controls as of a specific point in time, for example, as of December 31st.
  • SOC 2 Type 2 - A Type 2 report extends the coverage from a specific point in time to a period of time, for example, a 6-month period.

What are the main components of SOC 2 compliance?

To become SOC 2 Type 1 or Type 2 compliant, it is absolutely critical that you have each of the five Trust Services Criteria (TSC) in place to mitigate your security risk.

These criteria are:

  • Security: The effectiveness of the policies and procedures governing how the organization protects itself against unauthorized access, and how it responds to security breaches that result in unauthorized disclosure of information, will be periodically evaluated.
  • Availability: Information and systems must be available for operation and use to meet the entity’s objectives.
  • Confidentiality: Information designated as confidential must be sufficiently protected from unauthorized access to meet organizational effectiveness.
  • Processing Integrity: System processing should be complete, valid, accurate, timely, and authorized to meet organizational objectives.
  • Privacy: Personally identifiable information must be collected, used, disclosed, and disposed of in a secure manner.


Charles IT Can Help by Utilizing Our Three Step Process!


Step 1: Gap Assessment

Before your business attempts to go through a SOC 2 audit, there is a step you should take to ensure you don't have any surprises in your audit report and potentially fail the audit. This important step is called a Gap Assessment. The assessment will identify the "gaps" or holes in your business's security posture and show you what you need to do to fill them.

Charles IT wants to help make sure you are compliant so that you can show your clients that you take data security seriously. Whether you are looking to achieve a Type 1 or Type 2 certification, a Gap Assessment should be performed so there are no surprises come audit time. Let us assess the gaps in your cybersecurity posture and devise a plan to remediate them so you can be on your way to a SOC 2 certification.

Step 2: SOC 2 Services


Our Security Services Include:

Step 3: SOC 2 Audit Assistance


Attempting to go through a SOC 2 audit, whether it is a Type 1 or Type 2, can be a daunting task, and navigating exactly what the auditors are looking for to prove your stance can be stressful. Do not stress over the process; let Charles IT help you through it. Charles IT can recommend SOC 2 auditors to get the process rolling and then act on your behalf to produce the evidence needed to demonstrate your security posture and the effectiveness of your controls. Do not let this process take you away from doing what you do best, running your business. Let Charles IT step in and help you on the path to SOC 2 certification!
