SOC 2
What Is SOC 2?
SOC 2 is a security framework that specifies how organisations should protect customer data from unauthorised access, security incidents, and other vulnerabilities.
The American Institute of Certified Public Accountants (AICPA) developed SOC 2 around five Trust Services Criteria.
These Trust Services Criteria are the basic elements of your cybersecurity posture.
They cover organisational controls, risk assessment, risk mitigation, risk management, and change management.
SOC 2 Reports
Unlike PCI DSS, which has very rigid requirements, SOC 2 reports are unique to each organisation. Each organisation designs its own controls, in line with its specific business practices, to comply with one or more of the trust principles.
Security is the only Trust Services Criterion (TSC) required for every SOC 2 audit, although most organisations also include Availability and Confidentiality.
The remaining criteria are optional and are selected based on the services you provide to your customers.
The Five Trust Services Criteria
Security: How is my system protected against attacks?
Information and systems must be protected against unauthorised access and unauthorised disclosure, including damage to systems that could compromise them. Information (or data) should be protected during its collection or creation, use, processing, transmission, and storage.
Availability: How do we decide when to make data from the system available?
Data and systems should be available for operation and use. Your systems must include controls that support accessibility for operation, monitoring, and maintenance.
Processing Integrity: Does the system work the way it needs to?
System processing (particularly of customer data) must be complete, valid, accurate, timely, and authorised to meet the entity's objectives.
Confidentiality: When information must be shared, what keeps the exchange secure?
The organisation should protect information designated as confidential (i.e. any sensitive information).
Privacy: How do we ensure the system keeps private information safe?
Personal information must be collected, used, retained, disclosed, and disposed of in accordance with relevant regulations and policies.
Type I & Type II
Type I
Type I describes an organisation's systems and whether their design is suitable to meet the relevant trust principles. The auditor examines the design of the SOC 2 framework and agrees a set of controls to assess against, by examining the description of the security and compliance controls and reviewing evidence around those controls.
Type II
Type II details the operating effectiveness of those systems and provides greater assurance to customers and partners than a SOC 2 Type I. This is because the auditor attests to the continued effectiveness of internal governance, controls, and processes over a period of time (rather than at a point in time). For clarification, in a SOC 2 Type II audit the auditor will request populations and samples as evidence drawn from the entire assessment window.
In summary, a SOC 2 Type I tests the design of security controls and processes at a point in time, whereas a SOC 2 Type II tests the operating effectiveness of the actual security controls and processes over a period of time. During that period, the customer must operate without deviation from the required SOC 2 controls and processes; evidence collection does not begin until the end of the assessment period.