What is SOC 2 Compliance?
The SOC 2 Type 2 assessment validates that your SOC 2 controls are in place for a period of time. That period can vary based on your individual organizational requirements: it could be three months, six months, or a year. The most common periods we see are six months or a year. A SOC 2 Type 2 report is a historical look back over the audit period.
SOC 2 consists of two types: Type 1 and Type 2. A Type 1 report is a point-in-time evaluation that determines whether your security controls meet the Trust Service Principle (TSP) requirements. The SOC 2 Type 2 assessment validates that your controls are ready at the time of evaluation. The time period being assessed depends on your organization’s requirements and can vary from one quarter to one year.
SOC 2 reports are made up of five Trust Service Principles: security, availability, processing integrity, confidentiality, and privacy. Of the five TSPs, the only one that's required is trust. Companies must remember that the TSPs are milestones to achieve, while best practices involve managing and implementing the proper controls that relate directly to the company.
SOC 2 reports are generated only by accounting firms, by CPAs certified in the state conducting the assessment. It's important to remember that the third-party vendor that creates the TSP report must differ from the vendor that comes on board to fix the reported control errors. SOC 2 reports must be independently delivered.
For more information on obtaining the SOC 2 report, finding the right independent vendor to conduct the assessment, and getting your questions answered, set up a free consultation with CYBER BUYER.