5 trust services criteria of a SOC 2 report:
The AICPA Trust Services Criteria (TSC) define five categories for SOC 2: security, availability, confidentiality, privacy, and processing integrity. Only Security is mandatory; depending on its operating model and on what its customers need assurance about, each organization chooses which of the other four to include and must design its own controls to meet the criteria in scope.
1. Security
Security is the trust services category required in every SOC 2 audit; its criteria are also known as the common criteria. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, or privacy of information or systems and affect the entity's ability to meet its objectives.
The Security category encompasses the defense of information at every stage of its lifecycle. Security controls are implemented to prevent unauthorized access, unapproved disclosure, or harm to systems that could jeopardize the other categories as well. They usually comprise a broad array of risk-reducing measures, such as endpoint protection and network monitoring tools that prevent or detect unauthorized activity. Entity-level and control-environment topics are also considered, to ensure the controls needed to manage organizational security are actually in place.
2. Availability
The Availability criteria address whether your employees and clients can rely on your systems being available for operation and use to meet the entity's objectives. The category covers controls that keep systems operational and performing to meet established business objectives and service level agreements (SLAs). Availability does not set a minimum acceptable performance level, but it does address whether systems have controls that support and maintain operation, such as performance monitoring, adequate data backups, and disaster recovery plans. Consider including Availability if your customers are concerned about downtime or if you commit to SLAs; it is the most commonly selected optional category.
3. Confidentiality
The Confidentiality criteria evaluate an organization's ability to protect information designated as confidential by limiting its access, storage, and use. They help an organization define which individuals can access which data and how it may be shared, so that only authorized people can view sensitive information such as legal documents or intellectual property. Confidentiality refers to your organization's controls and procedures for the following:
1. Keeping information classified as confidential protected from its collection or creation through its final disposition and destruction.
2. Meeting confidentiality requirements, which may be set by laws and regulations or by contracts and agreements containing commitments made to clients or others.
3. Confidentiality is distinct from privacy: privacy applies solely to personal information, while confidentiality applies to many other categories of sensitive information.
4. Privacy
Privacy addresses personally identifiable information, that is, information that can identify a specific individual. Data subjects must be able to access and correct their personal information when necessary, and the entity has a responsibility to disclose breaches of that information. These requirements align with privacy regulations such as the GDPR and the CCPA, so including Privacy in a SOC 2 audit can also support compliance with those regulations.
The entity's privacy objectives are as follows:
1. To notify data subjects about its privacy practices and objectives.
2. To provide data subjects with choices regarding the collection, use, retention, disclosure, and disposal of personal information.
3. To collect personal information only as needed to meet its privacy objectives.
4. To use, retain, and dispose of personal information in a way that meets its privacy objectives.
5. To provide data subjects with access to their personal information for review and correction.
Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with the criteria set out in generally accepted privacy principles.
5. Processing Integrity
The Processing Integrity category ensures that data is processed predictably, without accidental or unexplained errors. Because an entity typically runs many systems, processing integrity is usually addressed at the level of a specific system or function rather than for the entity as a whole.
Consider including Processing Integrity if your customers carry out critical operational tasks on your systems, such as financial or data processing.
According to the AICPA, system processing must be complete, valid, accurate, timely, and authorized to meet the entity's objectives. Quality assurance that the system achieves its intended purpose supports processing integrity.
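As an added example (not code from the original page or from the AICPA), the following Python script shows what enforcing those five properties can look like for a hypothetical batch of payment records. Everything about it is assumed for the illustration: the batch format with its header record count and control total, the allow-list of submitting identities, the 24-hour timeliness window, and the constructed sample batches. Each accept/reject decision carries the property it was made under, which is the kind of evidence an auditor testing processing integrity controls will ask for.

```python
"""Processing-integrity checks on a batch of payment records.

Added example; the batch format, allow-list, timeliness window and sample
records are assumptions constructed for illustration, not an AICPA or
vendor specification.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation
from typing import Optional

AUTHORIZED_SUBMITTERS = {"payroll-svc", "ap-batch"}    # assumed allow-list of submitting identities
MAX_AGE = timedelta(hours=24)                           # assumed timeliness window
CLOCK_SKEW = timedelta(minutes=5)                       # tolerance for a slightly fast sender clock
REQUIRED_FIELDS = ("id", "account", "amount", "submitted_at")
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)      # ids of records cleared for posting
    rejected: list = field(default_factory=list)      # (id, reason) per rejected record
    batch_errors: list = field(default_factory=list)  # failures that block the whole batch

    @property
    def ok(self) -> bool:
        return not self.batch_errors and not self.rejected


def validate_record(rec: dict, now: datetime) -> Optional[str]:
    """Return None if the record is complete, valid and timely, else the reason."""
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:                                       # complete: every required field is present
        return "incomplete: missing " + ",".join(missing)
    try:                                              # valid: amount is a finite, positive money value
        amount = Decimal(str(rec["amount"]))
        well_formed = amount.is_finite() and amount > 0 and amount == amount.quantize(Decimal("0.01"))
    except InvalidOperation:
        well_formed = False
    if not well_formed:
        return "invalid: amount must be a positive number with at most two decimals"
    if not (isinstance(rec["account"], str) and rec["account"].isdigit()):
        return "invalid: account must be a digit string"
    try:                                              # timely: tz-aware timestamp inside the window
        ts = datetime.fromisoformat(rec["submitted_at"])
    except (TypeError, ValueError):
        return "invalid: submitted_at is not ISO 8601"
    if ts.tzinfo is None:
        return "invalid: submitted_at must carry a timezone"
    if ts > now + CLOCK_SKEW:
        return "untimely: submitted_at is in the future"
    if now - ts > MAX_AGE:
        return "untimely: record is older than the 24h window"
    return None


def process_batch(batch: dict, submitter: str, now: datetime = NOW) -> BatchResult:
    """Apply the authorized / complete / valid / accurate / timely checks to one batch."""
    result = BatchResult()
    if submitter not in AUTHORIZED_SUBMITTERS:        # authorized: unknown sender gets nothing processed
        result.batch_errors.append(f"unauthorized: submitter {submitter!r} is not on the allow-list")
        return result
    header, records = batch["header"], batch["records"]
    seen, total = set(), Decimal(0)
    for rec in records:
        rid = rec.get("id", "<no id>")
        reason = validate_record(rec, now)
        if reason is None and rid in seen:            # valid also means not posted twice (replay)
            reason = "invalid: duplicate record id"
        if reason:
            result.rejected.append((rid, reason))
            continue
        seen.add(rid)
        total += Decimal(str(rec["amount"]))
        result.accepted.append(rid)
    declared = header["record_count"]                 # complete: declared count and rejections reconcile
    if len(records) != declared:
        result.batch_errors.append(f"incomplete: header declares {declared} records, batch has {len(records)}")
    if result.rejected:
        result.batch_errors.append(f"incomplete: {len(result.rejected)} record(s) rejected")
    expected = Decimal(str(header["control_total"]))  # accurate: control total over accepted records matches
    if total != expected:
        result.batch_errors.append(f"inaccurate: control total {total} does not match header {expected}")
    return result


GOOD_BATCH = {  # constructed sample that reconciles exactly
    "header": {"record_count": 2, "control_total": "1250.00"},
    "records": [
        {"id": "r1", "account": "100200", "amount": "1000.00", "submitted_at": "2024-03-01T09:00:00+00:00"},
        {"id": "r2", "account": "100201", "amount": "250.00", "submitted_at": "2024-03-01T11:30:00+00:00"},
    ],
}

BAD_BATCH = {  # constructed sample that trips each check: replayed id, bad account, stale record, missing field
    "header": {"record_count": 4, "control_total": "1300.00"},
    "records": [
        {"id": "r1", "account": "100200", "amount": "1000.00", "submitted_at": "2024-03-01T09:00:00+00:00"},
        {"id": "r1", "account": "100200", "amount": "1000.00", "submitted_at": "2024-03-01T09:00:00+00:00"},
        {"id": "r3", "account": "10A", "amount": "50.00", "submitted_at": "2024-03-01T09:00:00+00:00"},
        {"id": "r4", "account": "100203", "amount": "250.00", "submitted_at": "2024-02-27T09:00:00+00:00"},
        {"id": "r5", "account": "100204", "amount": "12.345"},
    ],
}

if __name__ == "__main__":
    for name, batch, who in (("good", GOOD_BATCH, "payroll-svc"), ("bad", BAD_BATCH, "ap-batch"),
                             ("unauthorized", GOOD_BATCH, "intern-laptop")):
        res = process_batch(batch, who)
        print(f"{name}: ok={res.ok} accepted={res.accepted}")
        for item in res.rejected + [("batch", e) for e in res.batch_errors]:
            print("   ", *item)
```

The design point is that a rejected record never silently disappears: it is recorded with the property it failed, the batch as a whole is flagged incomplete, and the control total computed over what was actually accepted is reconciled against what the sender declared, so a dropped, duplicated, or altered record shows up as a reconciliation break rather than as a quiet discrepancy discovered later.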
There are three types of SOC reports for service organizations:
1. SOC 1 audits. SOC 1 audits cover controls relevant to user entities' ICFR (internal control over financial reporting). They are performed under ISAE (International Standard on Assurance Engagements) 3402 or SSAE (Statement on Standards for Attestation Engagements) 18.
2. SOC 2 audits. SOC 2 audits examine a service organization's security, availability, processing integrity, confidentiality, and privacy controls against the AICPA's (American Institute of Certified Public Accountants) TSC (Trust Services Criteria), and are performed under SSAE 18. A SOC 2 report is a restricted-use report commonly shared with current or prospective clients.
In the United Kingdom, SOC 2 audits can also be carried out under ISAE 3000; the AICPA publishes guidance on using the ISAEs for SOC 2 examinations.
3. SOC 3 audits. SOC 3 audits cover the same criteria as SOC 2, but the report is concise, general-use, and designed for distribution to a wide audience.
Who can perform a SOC 2 audit
In the US, a SOC audit can only be conducted by an independent Certified Public Accountant (CPA) or CPA firm.
SOC auditors are regulated by the AICPA and must follow its professional standards for planning, performing, and supervising attestation procedures. AICPA member firms are also subject to peer review to confirm that their engagements are conducted in accordance with the applicable standards.
CPA firms may employ non-CPA professionals with the relevant IT and security skills to perform the fieldwork for a SOC audit; however, a CPA must sign and issue the final report. A service organization that has completed a SOC audit with a CPA may display the AICPA's SOC for Service Organizations logo on its website.
In the UK, SOC audits can be conducted by a qualified member of the Institute of Chartered Accountants in England and Wales (ICAEW) or an equivalent professional body.
The SOC audit process involves the following steps:
1. Defining and reviewing the audit scope (which trust services categories and which systems are covered).
2. Developing a project plan.
3. Testing controls for design and, for a Type 2 report, operating effectiveness over the review period.
4. Documenting the results.
5. Delivering and communicating the report to the client.