For a SOC 2 certification, or more accurately a SOC 2 assurance opinion on the Trust Services Criteria, a Service Organization Control report is required. This report should be audited by an external auditor. The auditor issues a SOC 2 (ISAE 3000) Type I or SOC 2 Type II assurance report, which is included in the SOC report. This report should be prepared in accordance with the Trust Services Criteria. All controls are required to be included and should be auditable. Generally, this requires more registration of controls and more discipline to work in accordance with these controls.
This is a consequence of increased IT outsourcing: many organizations focus on core activities and outsource non-core processes. As a consequence of decreased trust among parties, the demand for security and control over security risks increases.
A SOC 2 report will be audited by an external auditor. The reporting should be prepared in accordance with the Trust Services Criteria and audit regulations (the ISAs). If the responsible co-workers have an audit background, this might help in the process of preparing a SOC 2 report. Specialized organizations can support you with the preparation of the report, readiness assessment, and management of the audit process.
Professional user organizations (corporates) generally require these from their service providers. If processes are insourced to your enterprise and these processes are crucial for their business, a SOC 2 report will be appropriate. Other organizations under the supervision of, for example, the SEC or FSA should be able to demonstrate that their service organizations have security under control.
SOC 2 and the Trust Services Criteria are international standards and guidelines for security. In (international) tenders, a SOC 2 assurance report will probably be required in IT outsourcing situations. Another advantage is that your internal processes will be better aligned with your IT and security risks and better formalized.
In principle, SOC 2 or ISAE 3000 requires that sample sizes are in line with the reduction of risk to a reasonable level. In the PCAOB guidelines, sample sizes are determined for controls depending on control frequency and control risk. Detailed guidelines for sample sizes are not included in the SOC 2 standard.
This is a semantic discussion. Strictly speaking, a SOC 2 report is not a certification. It is a service organization control report with an assurance report in accordance with SOC 2 and/or ISAE 3000. In the market, however, it is often referred to as a SOC 2 certification.