What is a SOC 2?
Are you securing your client’s data with due diligence and care? A SOC 2 report will certify your security policies and procedures, and provide peace of mind to your customers.
The SOC 2 Trust Services Criteria
A SOC 2 report is issued on a number of criteria. The standards are flexible, and you aren’t required to address them all. Instead, start with the Security criteria (below) as the minimum requirement and add-on additional ones as needed. For example, if you only store customer data, you might just need the Security criteria. However, if you further process data, you could consider adding Processing Integrity.
The following is a description of all the criteria:
- Security: Are you protecting data from unauthorized access? (This is the only required criteria.)
- Confidentiality: Is the data limited to only those personnel in need?
- Processing Integrity: Is the data complete, accurate, timely, valid, and available as authorized?
- Availability: Are the data and systems available as agreed?
- Privacy: Is personal information collected, used, stored, disclosed, and disposed of in accordance with your privacy notice?
Are You SOC 2 Ready?
Embarking on a journey toward SOC 2 compliance requires some homework. Here’s a checklist to gauge whether you’re ready to go through an audit:
Have you performed a self-assessment to identify controls you have (and don’t have)?
- To identify controls, please consider the use of our control mapping tool.
Have you performed a risk assessment?
- Identify assets
- Identify threats
- Analyze risk based on likelihood and impact
Have you built necessary controls based on the risk assessment?
- Inventory all unique controls through the use of the risk controls matrix
- Map new controls to the control mapping tool
Have you drafted a systems diagram?
Have you drafted your systems description?
- This is required for you to issue a SOC 2 report. Click here for an example.
The above illustrates the tactical steps to implement a security program. Organizations that rush through these steps often fail to comply, or they run the risk of overspending on security. Please refer to our in-depth guide on how to implement a security program.
Our Menu of Services
While issuing a SOC 2, Clark Nuber will evaluate your organization as it relates to the AICPA’s Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy. Any systems provider that stores, processes, or transmits their customers’ sensitive data will benefit from a SOC 2 report.
If you are only responsible for managing your customers’ financial data, please contact us for our SOC 1 services.
|The Design Assessment||The SOC 2 Type 1||The SOC 2 Type 2
|Assess process design ||Assess process design ||Assess process design and operating effectiveness
|Provide recommendations||Provide recommendations||Provide recommendations
|-||Issue Type 1 Report||Issue Type 2 Report
The Design Assessment
We recommend the Design Assessment if you’re issuing a SOC 2 report for the very first time.
The SOC 2 report requires an assessment of the design of your policies and procedures (collectively, “controls”). During a Design Assessment, Clark Nuber will identify any controls issues early, so that you have time to fix them without incurring the additional costs of issuing an actual report.
The SOC 2 Type 1
We recommend the Soc 2 Type 1 report if your customers actively demand a Type 1 or if you believe you can pass the Design Assessment.
The SOC 2 Type 1 is a Design Assessment with a corresponding report. If you pass the Design Assessment, you can then opt to issue a Type 1 report. The Type 1 is commonly referred to as a “point-in-time” report. It provides a snapshot view of your controls.
The SOC 2 Type 2
We recommend the Soc 2 Type 2 report if your customers actively demand a Type 2 or if you have demonstrated process maturity and design effectiveness.
The SOC 2 Type 2 report is the highest bar and is an assessment of the operating effectiveness of your controls. This is commonly referred to as “testing over a period of time.” SOC 2 Type 2 reports are commonly issued every six to nine months. It provides a trend view of your controls.
Why Clark Nuber?
Clark Nuber uses technology tools to better streamline our audit processes. We believe that technology should exist to deliver value. You will have real-time visibility into the status of the audit and everything in one place to manage documentation.
We embrace the workplace of the future. Most of our clients are tech startups with resources all around the globe. We harness technologies that can help build relationships remotely without incurring additional costs.
Focus on Tech
At Clark Nuber, we provide a full range of audit, taxation, consulting, and security services to our technology clients. We understand the industry and the unique business problems you face.
Please contact us if you’re considering a SOC 2 report, we’d be happy to help.