SOC 2 Compliance

Many organisations must obtain a SOC 2 report in order to trade with US-based organisations or in the North American marketplace.

The AICPA guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2) sets out a range of trust requirements that closely resemble the control objectives of ISO 27001.

Drawing the assurance and attestation evidence from your ISO 27001 Information Security Management System (ISMS) is the key to satisfying both sets of requirements with one integrated control set. Note that the two differ in form: ISO 27001 results in a certificate issued by an accredited certification body, whereas SOC 2 is an attestation report (Type 1 on control design at a point in time, Type 2 on operating effectiveness over a period) issued by a CPA firm, so the ISMS must produce evidence of controls operating over time, not only of their design.

The Trust Services principles and criteria, as published in the 2009 Trust Services Principles and Criteria, are organised into four broad areas (the 2017 Trust Services Criteria later restructured these around the COSO framework, so check which version your auditor is reporting against):

  • Policies—The entity has defined and documented its policies relevant to the particular principle. (The term “policies” as used here refers to written statements that communicate management’s intent, objectives, requirements, responsibilities and standards for a particular subject.)

  • Communication—The entity has communicated its defined policies to responsible parties and authorized users of the system.

  • Procedures—The entity has placed procedures in operation to achieve its principles in accordance with its defined policies.

  • Monitoring—The entity monitors the system and takes action to maintain compliance with its defined policies.

For each of these four areas the Trust Services define criteria against which the system is evaluated, to assess whether it achieves one or more of the following five principles, developed by the AICPA and CICA for use by practitioners in trust services engagements:


  • Security—The system is protected against unauthorized access (both physical and logical)

  • Availability—The system is available for operation and use as committed or agreed

  • Processing integrity—System processing is complete, accurate, timely and authorized

  • Confidentiality—Information designated as confidential is protected as committed or agreed

  • Privacy—Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by AICPA and CICA.

StandardsUK can help you build an ISMS whose controls and evidence satisfy both ISO 27001 certification and a SOC 2 attestation.