What is SOC2 and do we need it?

SOC 2 Trust Services Categories

  • Security
  • Confidentiality
  • Processing Integrity
  • Availability
  • Privacy

Security is the only category that every SOC 2 report must cover; the other four are included only if the service organization chooses them. Each category maps to a set of Trust Services Criteria:

  • Security (Common Criteria): Control Environment (CC1.x), Communication and Information (CC2.x), Risk Assessment (CC3.x), Monitoring Activities (CC4.x), Control Activities (CC5.x), Logical and Physical Access Controls (CC6.x), System Operations (CC7.x), Change Management (CC8.x), Risk Mitigation (CC9.x)
  • Additional criteria for Availability (A1.x)
  • Additional criteria for Confidentiality (C1.x)
  • Additional criteria for Processing Integrity (PI1.x)
  • Additional criteria for Privacy (P1.x through P8.x)

Difference between SOC 1 and SOC 2

  • Per aicpa.org, SOC 2 reports “are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy.” A SOC 1 report, by contrast, covers only the controls at a service organization that are relevant to its customers' internal control over financial reporting, i.e. the systems that process or affect the customers' financial transactions.
  • A SOC 1 report is written primarily for the customers' management and their financial auditors. A SOC 2 report contains considerably more detail about internal security controls and is therefore a restricted-use document, normally shared only under NDA. That does not mean it stays inside the company: customers and prospects routinely ask for it, and a provider that refuses to share it risks losing the deal to one that will.

Who needs a SOC 2 report?

Type 1 or Type 2?!

Why not SOC 3?

Ben Pournader: Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB