SOC 2: What, Why and How

SOC 2 (Service Organization Control 2) is an information security control framework aimed at providing third-party assurance of a service organisation’s ability to manage and safeguard sensitive customer data.   The framework focuses on adhering to specific criteria (security, availability, processing integrity, confidentiality, and privacy) for key systems.  

SOC 2 assessments are conducted by independent certified public accountants (CPAs), who evaluate the effectiveness of your organisation's internal controls over a specified period. The flexibility of SOC 2 allows you to tailor your controls to specific needs, making it particularly relevant for SaaS organisations and, cloud providers, and data centres.   Unlike other information security standards such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001, you do not obtain certification against SOC 2.  Instead, the primary output of a SOC 2 audit is a SOC 2 report, which can then be passed on to any entities (typically customers) that have requested you achieve SOC 2.

In this webinar, URM will be looking to address the following questions:

• What is SOC 2?  
  • What are the trust service criteria and how do you determine which of 5 Trust Service Criteria are applicable to your service?
  • What is the difference between a Type 1 and Type 2 Report? What are the pros and cons of each?

• Why is SOC 2 increasing in popularity? We look at some of the benefits, including flexibility and customisation,  frequency of reporting and duration of assessment
• Who does it apply to?  And what is a typical scope?  How do you determine which of your services and processes should be in scope?
• How do you prepare for a SOC 2 audit?
  • What are the stages of a SOC 2 audit and what is involved?  What types of evidence will you need to provide?
  • How do you identify applicable sub-service organisations?
  • How do you engage a SOC 2 auditor?

• What are the pitfalls to avoid?
• What are the key success criteria?