So what exactly is a SOC Audit?
So what is SOC?
SOC is an acronym that now stands for System and Organization Controls (previously Service Organization Controls). A SOC audit examines the controls a company has in place to help ensure the Security, Availability, Processing Integrity, Confidentiality and Privacy of its customers' data. The SOC control standards were created and are overseen by the American Institute of Certified Public Accountants (AICPA). SOC audits come in several types, including SOC 1 and SOC 2 as well as SOC for Cybersecurity.
So what exactly is a SOC audit?
A SOC audit (normally a SOC 2 audit, but more on that later) is an audit of your company's policies, procedures and technology (your controls) that are in place to help protect the data your company operates on. A SOC 2 audit report helps assure your customers that your systems are properly built and operating securely. When customers hand their valuable data to service organizations for processing (such as third-party printing companies, data centers or payment processors), they want to know that it is being protected while it is out of their hands. The report produced by a SOC 2 audit is a way for companies to demonstrate that they are properly securing their systems and data on behalf of their clients.
So what is the difference between SOC 1 and SOC 2?
SOC 1 and SOC 2 are similar, but SOC 1 focuses on a company's financial processes and reporting, while SOC 2 focuses on how a company secures its data and technology. When discussing security or technology, most people who say "SOC audit" are actually referring to a SOC 2 Type 1 audit. A Type 1 audit is a point-in-time audit that evaluates a company's controls as they exist at the time of the audit. A SOC 2 Type 2 audit reviews the previous 12 months to confirm that all controls were in place throughout that period. Most companies start with a SOC 2 Type 1 and then follow it up annually with a SOC 2 Type 2 audit.
What are the SOC Service Trust Principles?
The service trust principles are the five key areas that can be assessed during a SOC 2 audit. Each is a group of controls that ensures the system meets the corresponding principle outlined below.
1. Security: The system is protected against unauthorized access (both physical and logical).
2. Availability: The system is available for operational use as committed or agreed.
3. Processing integrity: System processing is complete, accurate, timely and authorized.
4. Confidentiality: Information designated as confidential is protected as committed or agreed.
5. Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the service organization’s privacy notice, and with criteria set forth in generally accepted privacy principles issued by the AICPA.
So how do I prepare for a SOC audit?
Preparing for a SOC audit can be a daunting task. Adsero Security can help you collect all the policies, procedures and evidence needed for the SOC audit. The next step is to identify any compliance gaps that could cause problems during the audit. Adsero Security can help you craft policies and gather the evidence of compliance you will need during the auditing process. Understanding the requirements for a SOC audit can be confusing, but Adsero Security can help you understand exactly where you stand and what your company needs for a successful SOC audit.