Security.com

SOC 2 (System and Organization Controls 2)

By Robert Sheldon

What is SOC 2 (System and Organization Controls 2)?

SOC 2 (System and Organization Controls 2), pronounced "sock two," is a voluntary auditing and reporting framework for assessing how well service providers manage and protect the customer data in their care. SOC 2 offers a structure for auditing and reporting on the internal controls that an organization has put in place to address the security, availability, processing integrity, confidentiality and privacy of that data.

The SOC 2 standard was developed by the American Institute of Certified Public Accountants (AICPA). The standard defines a set of criteria -- the Trust Services Criteria, formerly called the Trust Services Principles -- that provide a foundation for evaluating an organization's internal controls. The criteria specify what an organization's controls must achieve; the organization's own stated objectives and its description of the system under review determine which criteria are in scope and how the organization chooses to meet them.

To obtain a SOC 2 report, an organization must be audited by an independent CPA firm that examines whether the organization's controls meet the applicable SOC 2 criteria. After completing the examination, the firm produces a comprehensive report on its findings. Auditors can produce two types of reports:

  1. SOC 2 Type 1. Evaluates whether the organization's controls are suitably designed and implemented as of a specific date. This is the simpler and quicker of the two report types, but it says nothing about whether the controls kept working after that date.
  2. SOC 2 Type 2. Evaluates whether the controls are suitably designed and, in addition, whether they operated effectively over a review period, typically between three and 12 months. This type of report is more complex and takes longer to produce, but it provides stronger assurance that the controls work in practice.

The auditor's report does not grade the organization as having passed or failed. Instead, it contains the auditor's opinion: an unqualified opinion indicates that the controls were suitably designed (and, for a Type 2 report, operated effectively) to meet the criteria in scope, while a qualified opinion identifies criteria the controls did not meet. A Type 2 report also lists the individual test exceptions the auditor found, which can be present even alongside an unqualified opinion, so readers should review the exceptions rather than rely on the opinion alone. SOC 2 is an attestation rather than a certification, so an organization holds a SOC 2 Type 1 or Type 2 report, not a SOC 2 certificate. A clean report helps to assure clients, customers, partners and other interested parties that the organization can be trusted with their data, at least to the extent of the systems, criteria and period the report covers.

What are the Trust Services Criteria?

At the heart of the SOC 2 standard is the Trust Services Criteria (TSC), an extensive set of criteria organized under the trust services categories. According to the AICPA: "The TSC are control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems (a) across an entire entity; (b) at a subsidiary, division or operating unit level; (c) within a function relevant to the entity's operational, reporting or compliance objectives; or (d) for a particular type of information used by the entity."

AICPA classifies the TSC into five broad categories, which provide a structure for understanding the general nature of the underlying criteria:

  1. Security. Protection of information and systems against unauthorized access, disclosure and damage. This category is required in every SOC 2 report; the other four are included only when the organization brings them into scope.
  2. Availability. Information and systems are available for operation and use as committed or agreed.
  3. Processing integrity. System processing is complete, valid, accurate, timely and authorized.
  4. Confidentiality. Information designated as confidential is protected as committed or agreed.
  5. Privacy. Personal information is collected, used, retained, disclosed and disposed of in accordance with the organization's commitments and applicable criteria.

The five categories provide a way for organizations to understand the scope of SOC 2 auditing and reporting and to get a sense of how auditors approach their evaluations. However, the actual organization of the TSC in the SOC 2 standard is far more complex.

The bulk of the standard is made up of the TSC, which are organized into 13 series of criteria: nine common criteria series (five core series and four supplemental series), which together make up the Security category and apply to every SOC 2 report, plus four specialty series that apply only when the corresponding category is in scope. Each series contains numbered criteria, and each criterion is accompanied by points of focus that describe the characteristics an auditor considers when deciding whether the criterion is met.

For example, the first common criteria series is Control Environment (CC1). The CC1 series contains five criteria, drawn from the principles of the COSO Internal Control framework. The first criterion, CC1.1, states that the "entity demonstrates a commitment to integrity and ethical values."

The CC1.1 criterion is accompanied by five points of focus. The first is concerned with the tone at the top: "The board of directors and management, at all levels, demonstrate through their directives, actions and behavior the importance of integrity and ethical values to support the functioning of the system of internal control."

The core and supplemental common criteria series are numbered consecutively -- CC1 through CC9 -- and are often grouped together:

  1. CC1. Control Environment
  2. CC2. Communication and Information
  3. CC3. Risk Assessment
  4. CC4. Monitoring Activities
  5. CC5. Control Activities
  6. CC6. Logical and Physical Access Controls
  7. CC7. System Operations
  8. CC8. Change Management
  9. CC9. Risk Mitigation

The core series are the first five in the list, which follow the five components of the COSO framework, and the supplemental series are the last four, which add the security-specific criteria that most technical controls map to. In addition to the common criteria, the SOC 2 standard defines four specialty series of criteria that focus specifically on availability (A), processing integrity (PI), confidentiality (C) and privacy (P); an organization is examined against a specialty series only when it includes that category in the scope of its report.

See also: SOC 1 and SOC 3.

03 Aug 2023

All Rights Reserved, Copyright 2000 - 2024, TechTarget | Read our Privacy Statement