
SOC 2 Reporting

Do more than just check the box: Unlock real security value


Spotlight on SOC 2

SOC 2 demonstrates your company’s commitment to handling your customers’ data appropriately, with respect to any or all of the IT domains related to Security, Availability, Confidentiality, Processing Integrity, and/or Privacy. It provides an in-depth overview of your system, shows the depth of the auditor’s testing, and shows the results.

SOC 2 Questions and Answers

How is the scope determined?

First define the data, then trace where it goes

  • What customer data do you need to protect?
  • Where does that data get stored, or moved to?
  • What systems have the ability to provide access to it, or can alter it?
  • What are potential attack surfaces, and what are the systems that control them?

What kind of information is examined by the auditor?

  • Your company's risk assessment
  • Policies related to the SOC 2 domains in scope
  • Evidence of your policies in action (aka controls)

What is the expected timing?

  • There is no calendar-based requirement
  • The timing can coincide with other audits (ISO, SOC 1, PCI)
  • Generally repeated around the same time every year

What do most people wish they had known going into it for the first time?

  • The scope can be narrowed to a single product or set of products
  • The auditor cannot and does not establish your controls for you, but does have to agree with the controls you define
  • The report is organized around Trust Services Criteria (TSC) that must be met
  • The TSCs are risk-mitigation objectives related to common risks for each in-scope domain
  • There is no “required” set of controls. There are, however, common ways that most businesses meet certain TSCs
  • The level and depth of controls needed must be responsive to your public commitments and requirements related to each in-scope domain
  • A “SOC 2+” can add a relevant related framework to the scope of the report (e.g., HIPAA)

Ready to get started?

Let’s talk about how Modern Assurance can simplify your next SOC or compliance audit.
