SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy. A SOC 2 report is tailored to the unique needs of each organization. Depending on its specific business practices, each organization can design controls that follow one or more principles of trust. These internal reports provide organizations and their regulators, business partners, and suppliers, with important information about how the organization manages its data. There are two types of SOC 2 reports:
Compliance with SOC 2 requirements indicates that an organization maintains a high level of information security. Strict compliance requirements (tested through on-site audits) can help ensure sensitive information is handled responsibly.
Complying with SOC 2 provides:
SOC audits can only be performed by independent CPAs (Certified Public Accountants) or accounting firms.
AICPA has established professional standards meant to regulate the work of SOC auditors. In addition, certain guidelines related to the planning, execution and oversight of the audit must be followed. All AICPA audits must undergo a peer review.
CPA organizations may hire non-CPA professionals with relevant information technology (IT) and security skills to prepare for SOC audits, but final reports must be provided and disclosed by the CPA.
If the SOC audit conducted by the CPA is successful, the service organization can add the AICPA logo to their website.
Security is the basis of SOC 2 compliance and is a broad standard common to all five Trust Service Criteria.
SOC 2 security principles focus on preventing the unauthorized use of assets and data handled by the organization. This principle requires organizations to implement access controls to prevent malicious attacks, unauthorized deletion of data, misuse, unauthorized alteration or disclosure of company information.
Here is a basic SOC 2 compliance checklist, which includes controls covering safety standards:
Keep in mind that SOC 2 criteria do not prescribe exactly what an organization should do—they are open to interpretation. Companies are responsible for selecting and implementing control measures that cover each principle.
Security covers the basics. However, if your organization operates in the financial or banking industry, or in an industry where privacy and confidentiality are paramount, you may need to meet higher compliance standards.
Customers prefer service providers that are fully compliant with all five SOC 2 principles. This shows that your organization is strongly committed to information security practices.
In addition to the basic security principles, here is how to comply with other SOC 2 principles:
SOC 1 and SOC 2 are two different compliance standards, with different goals, both regulated by the AICPA. SOC 2 is not an “upgrade” of SOC 1. The table below explains the differences between SOC 1 and SOC 2.
SOC 1 | SOC 2 | |
Objectif | Helps a service organization report on internal controls which pertain to financial statements by its customers. | Helps a service organization report on internal controls that protect customer data, relevant to the five Trust Services Criteria. |
Control objectives | A SOC 1 audit covers the processing and protection of customer information across business and IT processes. | A SOC 2 audit covers all combinations of the five principles. Certain service organizations, for example, deal with security and availability, while others may implement all five principles due to the nature of their operations and regulatory requirements. |
Audit intended for | The CPA of the audited organization’s managers, external auditors, user entities (customers of the audited service organization), and CPAs who audit their financial statements. | Executives, business partners, prospects, compliance supervisors, and external auditors of the audited organization. |
Audit used for | Helps user entities understand the impact of service organization controls on their financial statements. | Overseeing service organizations, supplier management plans, internal corporate governance and risk management processes, and regulatory oversight. |
Many Check Point’s products met the SOC 2 Compliance applicable trust services criteria, such as- CloudGuard Posture Management, CloudGuard Connect, Harmony Products, Infinity portal and more. See the full list here .