SOC2 Implementation

What is SOC2?

  • SOC2 (Service Organization Control) is a compliance framework for IT companies. 

    SOC 2 measures the effectiveness of your systems and processes against the AICPA Trust Services Criteria and checks adherence to information security standards and rules, including the Common Criteria (CC series) of that framework.

    As more individuals and companies have moved to cloud-based technology, it has become important to ensure that the data held in these processing and storage systems is properly protected and secured.

    The American Institute of CPAs (AICPA) created System and Organization Controls 2 (SOC 2), an audit that examines detailed requirements regarding the security of customer data. 

    SOC 2 is not limited to cloud-based providers, but it is one way to verify that a provider is committed to secure data storage.

5 Trust Services Principles 

  1. Security
    Protection of information and systems against unauthorized access to data
    Security policies and tools in place
  2. Availability
    Information and systems are available according to the organization's requirements and any contracts or obligations in place
  3. Processing Integrity
    System processing is complete, valid, accurate, timely and authorized according to specifications
  4. Confidentiality
    Confidential information, such as protected health information, personal information, financial information and similar data, is protected
  5. Privacy
    Personal data is handled according to the privacy principle. This covers the collection, use, retention and deletion of data

SOC2 Audit Elements

    • Infrastructure

      Physical, IT, and other hardware such as mobile devices.

    • Software

      Applications and IT system software that supports application programs, such as OS and utilities.

    • People

      All personnel involved in the organization’s operations.

    • Processes

      All automated and manual procedures.

    • Data

      Transmission streams, files, databases, tables, and output used or processed by your organization.

SOC 2 Types of Reports 

  • Type I 
    This report is a snapshot at a given point in time. The audit is conducted against the Trust Services Criteria to determine whether the organization had the appropriate controls in place to be compliant with SOC 2 at that moment. 
    This optional report is a starting point for building towards SOC2 Type II compliance. It answers the question: are all the security controls in place today designed properly?
  • Type II
    A Type II report reflects the results of an audit conducted against the Trust Services Criteria over a period of time. Type II reports therefore require more preparation from the organization. 
    This period typically covers six months the first time, and then a year thereafter. 
    It is more difficult to attain, but it also provides much stronger assurance of compliance. The organization must demonstrate adherence to its controls and policies for the whole period, which usually requires a degree of automation and a long-term commitment.