What is SOC 2 and why is everyone talking about it?
As the number of companies that have access to customer data increases, so too does the demand for SOC 2 certification. Technology companies are expected to be SOC 2 compliant, particularly when they store customer data in the cloud. This is especially the case for Managed IT Services Providers.
SOC 2 compliance means that a company has established and follows strict information security policies and procedures that are audited for compliance. These policies must cover the security, availability, processing integrity, confidentiality, and privacy of customer data.
EasyIT is SOC 2 compliant: we have been audited by an independent AICPA-certified audit member. The result is that we have proven our policies and procedures comply with the certification requirements, earning us the audited SOC 2 credential. EasyIT stands alone in the IT services market in giving you confidence that we adhere to and abide by the standards set. You can rest assured that we can stand behind you during an audit and provide the documentation or reports you need for it.
Here are answers to some of the most common questions we are asked about SOC 2 and why your IT company should be compliant.
What is a SOC 2 report?
A SOC 2 report evaluates your data systems using the American Institute of Certified Public Accountants’ (AICPA) Trust Services Principles (TSPs). The TSPs are industry-recognized standards for service providers, software providers and developers, web marketing companies, and financial services organizations.
SOC 2 reports provide assurance to prospective and current customers about the security, availability, confidentiality, and privacy of the information systems your organization uses.
Why is everyone talking about it?
Organizations need to prove to customers that their data is secure. They need to show that a strong control environment is in place. They also need to show that there is the same level of control and oversight of third parties who hold or access that data.
Customers are asking for evidence that these controls are in place and operating effectively. The main way to do this is to attain SOC compliance. This confirms the robustness and reliability of an organization’s information systems.
Being able to say you have a SOC 2 compliant information system is a great tool for your organization. With an expanding network of vendor-customer relationships in the tech sector and the importance of data security in these relationships, having a SOC 2 report is a badge of trust.
SOC 2 reports are being used as a screening technique early in the sales process throughout the Tech and Financial Services sectors. Organizations that do not have them may be eliminated from consideration.
How is a SOC 2 report prepared?
A SOC 2 report is based on a number of different Trust Service Principles. The five Trust Service Principles are Security, Availability, Processing Integrity, Confidentiality, and Privacy. The SOC 2 report provider assesses and reports on each of the principles. Each principle has criteria that the organization seeking the report must meet to get their certification.
The Security principle is mandatory for all SOC 2 reports. The organization can then decide which of the other principles are relevant for their business or for their customers’ needs.
The Processing Integrity principle is important for organizations whose services depend on accurate calculations based on the data they hold. The Confidentiality principle is important for organizations that hold and process high volumes of confidential data. The Availability principle is important for organizations providing on-demand systems or services that must function round the clock. The Privacy principle is important for organizations that hold clients' or customers' personal information. Privacy is receiving increased attention in light of GDPR regulations.
What does the SOC 2 reporting process involve?
The process for obtaining a SOC 2 report usually begins with a readiness review. This identifies any gaps in the control environment and allows time to address these gaps. Once the organization seeking a report and the SOC 2 report provider are satisfied that the organization’s control environment is ready to pass the SOC 2 category requirements outlined above, a SOC 2 Type I report can be completed. This involves testing the controls to confirm that they are designed and operating as expected at the date of the report.
A Type II report will then cover the design and operational effectiveness of controls over an extended period of time, usually six months to a year.