
SOC 2 is developed by the AICPA (American Institute of CPAs) and defines criteria for the management of user organizations' data based on the Trust Services Criteria, which relate to security, availability, processing integrity, confidentiality and privacy controls. A SOC 2 report provides assurance that a service organization keeps data private and secure while it is processed or stored, that data is accessible when required, and that specific controls relating to the confidentiality and privacy of information are implemented.

ISAE 3000 is the international standard for reporting over non-financial information, issued by the IFAC (International Federation of Accountants). SOC 2 reports issued under the SOC 2 standard are based on the Trust Services Criteria, which define specific principles and criteria for security, availability, confidentiality, processing integrity and privacy. SOC 2 | ISAE 3000 reports are modular, meaning a report can cover one or more of the principles, depending on the needs and requirements of the service organization. SOC 2® is a registered trademark of the AICPA. This site is for information purposes only.

Unique reports

SOC 2 reports are unique to each organization. Each service organization designs its own controls in line with specific business practices and selects one or more of the Trust Services Criteria. A SOC 2 | ISAE 3000 report provides user organizations (along with supervisory authorities, regulators or business partners) with information about how a service provider manages customer data.

Type I and Type II assurance

There are two types of SOC 2 reports. A SOC 2 Type I describes a vendor's systems, and a service auditor confirms whether the control design is suitable to meet the relevant Trust Services Criteria. A SOC 2 Type II also covers the operating effectiveness of those controls over a period: in a SOC 2 | ISAE 3000 Type II report the service auditor also includes the specific testing procedures performed on the operating effectiveness of the controls.

SOC 1 or SOC 2?

ISAE 3402 | SOC 1 Type 2 reports relate solely to controls at a service organization that impact the user entity's internal controls over financial reporting. An ISAE 3402 | SOC 1 report addresses the Trust Services Criteria only within the limited context of financial reporting. An ISAE 3402 | SOC 1 Type 2 will typically cover only the security framework as it relates to financial reporting, the information infrastructure, and processing integrity in relation to financial processes. Subjects such as backup and business continuity are generally covered only marginally in an ISAE 3402 Type 2 report. A SOC 2 report focuses on non-financial information and is applicable when the outsourced services have no financial reporting impact.

Trust Services Criteria

The management description typically includes a control framework that describes the control objectives (requirements) and how each control objective is achieved by the individual controls. In a SOC 2 | ISAE 3000 report the framework is based on the Trust Services Criteria. Each criterion has defined requirements (Points of Focus) that the organization must implement and meet to demonstrate adherence to the criterion. The five Trust Services Criteria are outlined below. The only criterion mandatory for every SOC 2 report is Security; its criteria are also referred to as the Common Criteria.

COSO Framework

In addition to security requirements, the Common Criteria also contain requirements for an internal control framework, including risk management. The management description of a service organization's system includes the following components: the infrastructure (the network, hardware components and virtualization software); software (operating system, applications and utilities); the procedures followed by employees to control security; and data (information in systems, including transaction data, databases and individual files).

Trust Service Criteria

Security: protection against unauthorized access (physical and logical), data integrity, change management and incident management.
Availability: availability of systems for operation and usage as agreed in Service Level Agreements.
Processing integrity: system processing is complete, accurate, timely and authorized.
Confidentiality: information designated as confidential is protected and processed accordingly.
Privacy: personal information is collected, used, retained, disclosed and destroyed in accordance with the privacy requirements of the user organization and legally required privacy requirements, such as the General Data Protection Directive.