
SOC 2 is developed by the AICPA (American Institute of CPAs) and defines criteria for the management of user organizations' data based on the trust service principles. The trust service principles relate to security, availability, processing integrity, confidentiality and privacy.

Unique reports

SOC 2 reports are unique to each organization. Each service organization designs its own controls in line with its specific business practices and selects one or more of the trust principles. An ISAE 3000 SOC 2 report provides user organizations (along with supervisory authorities, regulators or business partners) with information about how a service provider manages customer data.

Type I and Type II reports

There are two types of SOC 2 reports. A SOC 2 Type I describes a vendor's systems, and a service auditor confirms whether the control design is suitable to meet the relevant trust principles. A SOC 2 Type II additionally details the operational effectiveness of those systems. In an ISAE 3000 SOC 2, the service auditor's testing of the controls for operational effectiveness is also included.

SOC 1 or SOC 2?

ISAE 3402 SOC 1 Type 2 reports relate solely to controls at a service organization that impact the user entity's internal controls over financial reporting. An ISAE 3402 SOC 1 report addresses the trust services principles only within the limited context of financial reporting. An ISAE 3402 Type 2 will typically cover only the security framework as it relates to financial reporting, the information infrastructure and processing integrity in relation to financial processes. Subjects such as backup and business continuity are generally covered only marginally in an ISAE 3402 Type 2 report.

COSO components

In the management description of the system of a service organization the following components are included:
The infrastructure (the network, hardware components and virtualization software).
Software (operating system, applications and utilities).
Procedures followed by employees to control security and data.
Data (information in systems, including transaction data, databases and individual files).

Control framework

The management description typically includes a control framework which describes the control objectives and how these control objectives are achieved by the individual controls. In an ISAE 3000 SOC 2 the framework is based on the trust service principles: a set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. The five trust services principles are:

Trust Service Criteria

Security: protection against unauthorized access (physical and logical), data integrity, change management and incident management.
Availability: availability of systems for operation and usage as agreed in Service Level Agreements.
Processing integrity: system processing is complete, accurate, timely and authorized.
Confidentiality: information designated as confidential is protected and processed accordingly.
Privacy: personal information is collected, used, retained, disclosed and destroyed in accordance with the privacy requirements of the user organization and legally required privacy requirements, such as the General Data Protection Directive.