SOC 2 Compliance explained
SOC 2 compliance is a hot topic in today's world of technology and cloud computing, and service organizations should take note of five important items regarding this Service Organization Control (SOC) reporting framework: the five Trust Services Principles (TSPs) that a SOC 2 report can cover.
Security: The system is protected, both logically and physically, against unauthorized access.
Availability: The system is available for operation and use as committed or agreed to.
Processing Integrity: System processing is complete, accurate, timely, and authorized.
Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity's privacy notice and with the privacy principles put forth by government regulatory and/or professional licensing authorities (i.e., the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)).
SOC 2 compliance is designed for the growing number of technology and cloud computing entities that are becoming common in the world of service organizations.
SOC 3 (much like SOC 2) utilizes the five Trust Services Principles (TSPs) as the general framework for conducting this type of engagement. While SOC 2 allows for reporting on any number of the TSPs, SOC 3 requires that all five TSPs be included for a report to be issued.