Please fill out this form to download your file




What Is SOC 2?

SOC 2 is a security framework that specifies how organisations should protect customer data from unauthorised access, security incidents, and other vulnerabilities.

The American Institute of Certified Public Accountants (AICPA) developed SOC 2 around five Trust Services Criteria.

These Trust Services Criteria are the basic elements of your cybersecurity posture.
They include organisation controls, risk assessment, risk mitigation, risk management, and change management.

SOC 2 Reports

Unlike PCI DSS, which has very rigid requirements, SOC 2 reports are unique to each organisation. In line with specific business practices, each designs its own controls to comply with one or more of the trust principles.

Security is the only TSC required for every SOC 2 audit although most organisations also include Availability and Confidentiality.

Additional criteria are optional based on the services you provide to your customers.


Contact Us

The Five Trust Services Criteria

How is my system protected against attacks?

Information and systems must be protected against unauthorised access and unauthorised disclosure, including potentially compromising damage to systems. Information (or data) should be protected during its collection or creation, use, processing, transmission, and storage.

How do we decide when to make data from the system available?

Data and systems should be available for operation and use. Your systems must include controls to support accessibility for operation, monitoring, and maintenance.

Does the system work the way it needs to?

System processing (particularly of customer data) must be complete, valid, accurate, timely, and authorised to meet the entity’s objectives.

When information must be shared, what keeps the exchange secure?
The organisation should protect information designated as confidential (i.e. any sensitive information).

How do we ensure the system keeps private information safe?

When personal information is collected, used, retained, disclosed, and disposed of, it must be in accordance with relevant regulations and policies.

Benefits Of SOC 2 Attestation Report

Speed up the sales cycle by eliminating security and compliance as sales objections.
Easier to sell upmarket by gaining the trust of larger companies.
Build new and existing customer confidence and satisfy their SOC 2 requests.
A third-party opinion that your security controls are in place and are effective can help in winning deals against your competition as well as retaining customers.
The report assures legal and risk departments that your service is secure.
Builds a strong compliance and security foundation. Creates a culture of cybersecurity and compliance. Creates a framework for managing security risks across the organisation.
Improve enterprise cybersecurity and builds security into your company’s operations as important, clearly defined processes.
Improves company-wide security awareness with defined responsibilities and practices.
Gain a competitive go-to-market advantage and win deals against non-SOC 2 audited competition.
Increase investor, partner, and customer confidence and accelerate technical due diligence by a potential buyer or investor.
Increase staff productivity by reducing time spent on vendor questionnaires.
Satisfy regulatory needs (although SOC 2 itself is not a regulatory requirement, it does overlap with several regulation-based frameworks such as PCI DSS)

Type I & Type II

Type I

Type I describes an organisations systems and whether their design is suitable to meet relevant trust principles. An auditor examines the design of the SOC 2 framework and creates a set of agreed controls to assess against by examining the description of security and compliance controls and reviewing evidence around controls.

In summary, a SOC 2 Type I tests security control and process design for a point in time, whereas a SOC 2 Type II tests actual security controls and processes operating effectiveness over a period of time. During this period of time, the customer must operate without deviation from the required SOC 2 controls and processes – evidence collection does not start to occur until the end of this assessment period.

Type II

Type II details the operational effectiveness of those systems and provides greater assurance to customers and partners than a SOC 2 Type I. This is because the auditor attests to the continued effectiveness of internal governance, controls, and processes over a period of time (rather than a point in time). For clarification, in a SOC 2 Type II audit, an auditor will request populations and samples as evidence stemming from the entire assessment window.

Please complete the form below to find out more.

Contact Us

    Contact Form Image

    What Our Clients Say

    “CyberWhite have been a pleasure to deal with by repeatedly demonstrating their professionalism and technical knowledge throughout the procurement process and execution of our project. From initially exploring our goals to a consultant working with us on-site and remotely, we’ve enjoyed a positive experience that has ultimately benefited our organisation and helped to improve our Cyber Security posture.”

    Read More
    Head of Network and Infrastructure

    View our video Testimonial from Clear Links by Gerard Norris, Central Operations Manager

    Gerard Norris, Central Operations Manager

    View our video Testimonial from Hays Travel by Ken Campling, Group Finance Director

    Ken Campling, Group Finance Director

    “I would like to say a thousand “thank you’s” to CyberWhite after rescuing us from the commercial disaster we faced after being subjected to a very sophisticated fraud. Without the timely involvement and expertise from CyberWhite, we would undoubtedly have faced catastrophic consequences including a significant financial loss and possibly a forced closure of the business. We will always remember the kindness and professional approach taken by the CyberWhite team. They were able to successfully recover the critical data which was the life blood of our business. This expertise has allowed us to continue trading and provided us with the additional benefits of ensuring that we are more cyber risk aware and we now have a security partner to support us.”

    Read More
    Jon Moore, Director

    Our video Testimonial from Mental Health Concern (NHS) by Lawrence Thompson, Head of IT

    Lawrence Thompson, Head of IT

    “As an Operator of Essential Services, PX Group comply with advice provided by recognised security bodies such as NCSC. The advice is relevant to all organisations who provide infrastructure or support to the UK’s critical national infrastructure. PX Group engaged CyberWhite to undertake Third Party Security Audits (aligned to ISO28000:2007) against key suppliers who had access to information assets within the PX Group domain. CyberWhite created a comprehensive audit document set and supported this with interviews and visits in order to validate responses. The output from CyberWhite was comprehensive and provided security assurance to PX Groups stakeholders and interested parties that the key suppliers had a focus on security and understood and could demonstrate best practices in relation to the handling of PX Groups information assets. This process has been invaluable in validating what we believed and providing a platform from which we will continue to assess, review and benchmark all parties in our information supply chain.”

    Read More
    Lee Farrow, ICT Network & Security Specialist