SOC 2

SOC (Service and Organization Controls) 2 is a security certification that was developed by the American Institute of Certified Public Accountants (AICPA).

The SOC 2 accreditation was launched in 2013. It was initially created for the domestic market but can now be achieved in other parts of the world too. Its primary target audience is companies that store company and customer data in the cloud, such as technology companies and those that sell software as a service (SaaS).

SOC 2 reports may be one of two subtypes. Vendors first obtain a Type 1 report. With this report, auditors examine a vendor’s control catalog and make a determination regarding the ability of the controls, as stated by the vendor, to meet the Trusted Service Criteria (TSC).

The SOC 2 audit is based on a set of criteria that are used in evaluating controls relevant to the security, availability, processing integrity, confidentiality, or privacy of a system.

The following components are evaluated during a SOC 2 audit:

Infrastructure (physical, IT, or other hardware such as mobile devices)

Software (application programs and IT system software that supports application programs, such as OS and utilities)

People (all personnel involved in the use of the system)

Processes (all automated and manual procedures)

Data (transmission streams, files, databases, tables and output used or processed by a system)