SOC 2 Compliance by the AICPA

Developed by the American Institute of CPAs (AICPA), SOC 2 remains the most popular cyber security auditing standard embraced by industry today. SOC 2 demonstrates to customers that you take cyber security and privacy seriously. Its universal applicability has fueled its popularity amongst service providers that process data in the cloud. With the right SOC 2 Report in hand, customers can be assured that the companies they work with are doing everything they can to protect their data from compromise.

Unlike other cyber security and privacy standards, which have very rigid requirements, SOC 2 reports are unique to each organization. In line with specific business practices, each designs its own controls to comply with one or more of the trust service criteria. Ensuring a cost effective balance between business needs and SOC 2 requirements is a true art form. 38North consultants are masters of striking the right balance for your organization based on years of supporting SOC 2 engagements for a multitude of clients across every industry. Trust Us to Get You There.

Contact Us Now

What is SOC 2 Compliance?

SOC, which stands for System and Organizational Controls, is a framework developed by the American Institute of Certified Public Accountants (AICPA) for the purpose of providing regular, independent attestation of the controls that a company has implemented to mitigate information-related risk.

In a SOC 2 audit, you describe the policies, procedures, and systems you have in place to protect information across five categories called Trust Services Criteria. Your independent auditor evaluates the evidence you supply for the controls in each category, and when completed you receive your official SOC 2 report that you can share with customers and business partners to assure them that their data will be handled securely.

Types of SOC 2 Reports

There are two types of SOC reports:

Type I describes a vendor’s systems and whether their design is suitable to meet relevant trust principles. In a type I report, the auditor will attest to the design of controls at a single point in time.

Type II details the operational effectiveness of those systems. In a type II report, the auditor will attest to both the design and the operating effectiveness of those controls over a period of time, typically between 6-12 months.

SOC 2 Trust Services Criteria

Understanding SOC 2 compliance begins with understanding the Trust Services Criteria. SOC 2 defines criteria for managing customer data based on five criteria: security, availability, processing integrity, confidentiality and privacy. Choosing which criteria to pursue should be based on the nature of your service offerings, customer expectations, market demands and competitive landscape. Trust 38North to ensure just the right amount of services and criteria are selected while allowing you to maximize your competitive advantage.

Trust service criteria are broken down as follows:

Mandatory

Security

The security criteria (now referred to as the Common Criteria) refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.

Optional

Availability

The availability criteria refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.

Optional

Confidentiality

Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations.

Optional

Processing Integrity

The processing integrity criteria addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.

Optional

Privacy

The privacy criteria addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).

SOC 2 Benefits

Demonstrates that customer data in the cloud is adequately protected
Allows customers to quickly evaluate security protections
Promotes competitive advantage enabling greater sales

Assures customers that you operate services in the cloud in a secure manner
Protect reputation by helping prevent data breaches and infiltrations
Streamlines regulatory oversight and compliance

38North SOC 2 Services

No matter your industry, every organization can use the eye of an experienced team to speed up the SOC2 audit process. From getting ahead of the full audit and guiding post-assessment remediation and implementation, trust us to help you protect your customers.

SOC 2 Gap Analysis

This is perfect for organizations new to SOC 2 that don’t know where to begin. Our SOC 2 gap analysis educates you on the process while examining your information security and privacy programs to see how they stack up against SOC 2 requirements. We also determine the cost to attain SOC 2 compliance, identify risks and challenges and help you focus on the most critical action items.

SOC 2 Remediation Support

Once you have an unbiased view of your compliance posture, you need to plan, develop and implement remedial measures. These measures may include implementing new technologies, policies, plans and procedures or training.

Obtain SOC 2 Compliance with 38North

Book an initial SOC 2 compliance conversation with one of our global security experts today, and we’ll show you how SOC 2 compliance can help open new markets and provide industry-leading assurance.

Contact Us

Name(Required)

First Name Last Name

Company Name

Email Address

Phone Number

Message

(Please do not provide additional PII in this box)

Email

This field is for validation purposes and should be left unchanged.