Professional Documents
Culture Documents
com
www.risklane.com
STEP-BY-STEP GUIDE
SOC 2
SOC 2 COMPLIANCE ................................................................................................................................... 3
TRUST SERVICES CRITERIA .......................................................................................................................... 4
PHASE 1. SCOPE DEFINITION ...................................................................................................................... 5
PHASE 2. IMPLEMENTATION ...................................................................................................................... 7
PHASE 3. THE AUDIT ................................................................................................................................... 2
KEY BENEFITS............................................................................................................................................ 10
INTRODUCING RISKLANE .......................................................................................................................... 11
SOC 2 focuses on a business’s non-financial reporting controls as they relate to Security, Availability,
Processing Integrity, Confidentiality, and Privacy. These principles are outlined in the Trust Services Criteria.
Each of the criteria has defined requirements (Points of Focus) which must be met and implemented within
the organisation to demonstrate adherence to the criteria.
SOC 2 reports are modular, implying that reports can cover one
SOCmore
or 2 is of
a Service Organization
the principles, Controlon(SOC)
depending the report
needs which
and provides assurance over outsourced
processes. A audit
requirements performed
of a services in accordance
organisation. with
The only SOC 2that
criteria is widely
is recognized, because it represents an
mandatory for SOC 2 is the Security criteria. These criteria are
in-depth audit of a service organization’s control activities, which include controls over internal control,
also referred
security, risk to as the common
management, andcriteria.
relatedAdditional
processes.criteria
SOC 2canreports are drafted in accordance with the
be included within the scope of a SOC 2 reporting.
Trust Services Criteria.
PHASE 3
The chosen criteria are implemented within the organisation and
SOC 2 AUDIT
outlined in the SOC 2 report by following the points of focus and
PROCEDURES
additional criteria as outlined in the COSO 2013 (risk
management) framework and the Trust Services Criteria.
Hereafter the SOC 2 report is audited by independent audit
firms.
The only mandatory criteria is the Security (Common) criteria, as previously outlined. More
often, the applicability of the Availability, Confidentiality, Processing Integrity, and Privacy
criteria are considered based on the services provided, and in conjunction with key clients and
SOC 2 experts. When an organisation chooses to include criteria, all associated requirements
and points of focus must be considered and implemented when applicable. Key characteristics
per criteria are outlined below.
Information and systems are Availability refers to controls that Information that is considered
CONFIDENTIALITY
protected from unauthorised AVAILABILITY
demonstrate that systems remain confidential is protected to meet
access, unauthorised disclosure of operational and perform to meet AVAILABILITY
the objectives of the entity.
information, and damage to established business objectives Confidentiality requires companies
CONFIDENTIALITY AVAILABILITY
systems that could compromise and service level agreements. to demonstrate their ability to
AVAILABILITY
the availability, integrity, Information and systems are safeguard confidential information
CONFIDENTIALITY
confidentiality and privacy of availableAVAILABILITY
for operation and use to throughout its lifecycle, including
information or systems and impair achieve the entity's purpose. AVAILABILITY
its collection, processing and
the entity's ability to accomplish disposal.
PRIVACY
its purpose.
PROCESSING INTEGRITY
AVAILABILITY
AVAILABILITY
AVAILABILITY
AVAILABILITY
INTEGRITY
Availability and business
continuity controls are
implemented to guarantee
INTEGRITY
The SOC 2 report should contain an
scope section that note the key
The scope of a SOC 2 report relates to components of the scope.
the (non-financial) controls within a
service organisation relevant to It is required to include details about the
Security, Availability, Processing type(s) of services provided and also the
Integrity, Confidentiality and/or Infrastructure, Software, People, Policies
Privacy, which are defined in the Trust and Procedures, and Data relevant to
Service Criteria. those services.
For a Software as a Service (SaaS) provider their scope is typically their software application(s)
accessible to their clients. This includes all the data held in the software application(s), the
infrastructure that hosts it, and the people and procedures that support it. The sub-service providers
and complementary user entity control areas give further details regarding the scope in other sections
of the report by defining the boundaries of the scope within the report.
In the end the scope of an SOC 2 report is up to management to define. The controls focus on the
service organisation’s operations and services provided to customers. Besides the fact that the scope
must be clearly defined and disclosed in the report, there is some flexibility. Eventually, the
responsibility for ensuring the report meets the requirements of its end-users lies with management.
For a Software as a Service (SaaS) provider their scope is typically their software application(s)
accessible to their clients. This includes all the data held in it, the infrastructure that hosts it, and the
people and procedures that support it. The sub-service providers and complementary user entity
control areas give further details regarding the scope in other sections of the report by defining the
boundaries of the scope within the report.
In the end the scope of an SOC 2 report is up to management to define. The controls focused on the
service organisation’s operations that are substantial to the organisation’s non-financial statements
must be included in the scope. Besides the fact that the scope must be clearly defined and disclosed in
SOC 2 PROVIDES A COMPETITIVE REFINEMENT OF RISK MANAGEMENT, TO
ADVANTAGE BY DISTINGUISHING GAINING CONFIDENCE IN MARKETS BY
SERVICE ORGANISATIONS FROM THEIR TRANSPARENCY OF THE CONTROL
COMPETITORS. FRAMEWORK.
SOC 2 REPORT
Personal approach
PRE-AUDIT
Professional results
After the preparation of the report, a pre-audit or 'walkthrough' is
carried-out in Phase 5. During the pre-audit the control measures
will be tested, and possible problem areas will be identified prior
to the final audit. During this phase, the organisation will provide
the documentation and evidence required.
REDRESSING
LEAD TIME
In general, the processing time of the first four phases will be
between six to eight weeks, depending on the commitment and
availability of employees. The required availability of employees is
expected to be one to two days per week during that period.
VALUE ADD
CHOOSING FOR PEOPLE
Our approach is focused on
delivering quality throughout the VALUE ADD Choosing for Certicus means
entire process and is subject to CHOOSING
choosing FOR PEOPLE
for people. Our team is
our quality standards. fully committed to providing you
VALUE ADD
with the highest quality pro-active
CHOOSING FOR PEOPLE
service.
Our approach is focused on
RECOGNISED VALUE ADD
PROVIDING TRUST SAFES TIME
delivering quality throughout the CHOOSING FOR PEOPLE
EFFICIENT
entire APPROACH
process and is subject to Choosing
FUTUREfor Risklane
PROOF means
SOC 2 is widely recognized, Provides confirmations
our quality standards. VALUE ADDthat third-
EXTENSIVE EXPERIENCE Safes time by
choosing foranswering partners
people. Our team is
because it represents an in-depth party assurance on security, CHOOSING FOR PEOPLE
and
fullycustomers
committedefficiently,
to providingandyou
EFFICIENT
audit APPROACH
of a service organization’s availability, confidentiality, limits FUTURE
the need forPROOF
answering IT-
with the highest quality pro-active
control activities.
Our approach is focused on VALUE
EXTENSIVE ADD
EXPERIENCE
processing integrity, and privacy questionnaires.
service.
delivering quality throughout the CHOOSING FOR PEOPLE
criteria are met.
EFFICIENT APPROACH FUTURE PROOF
entire process and is subject to
VALUE
EXTENSIVE ADD
EXPERIENCE
our quality standards. Choosing for Certicus means
CHOOSING FOR PEOPLE
EFFICIENT APPROACH choosing for people.
FUTURE PROOF Our team is
VALUE
EXTENSIVE ADD
EXPERIENCE fully committed to providing you
InCHOOSING
our
with opinion
the effective
FOR
highest project
PEOPLE
quality pro-active
EFFICIENT APPROACH FUTURE
management, our PROOF
experience and
service.
VALUE
EXTENSIVE ADD
EXPERIENCE professionalism are the basis for
CHOOSING FOR PEOPLE
Implementing SOC 2 requires effective planning, leadership
involvement, thorough analysis of processes and reliable resources
and project management.
Risklane originates from a ‘Big Four’ audit firm and also choosing for a personal approach. In our
is founded in 2004. The result of our background is opinion, effective project management, our
involvement, thorough
communication framework, weanalysis
can respond of processes andwe
on this approach reliable
will informresources
you on the relevant
quickly to your requirements. Choosing Risklane changes in laws, regulations and other important
and project management.
implies selecting a professional organisation, but developments.