SOC Certification Requirements

That means SOC 2 applies to nearly every SaaS company, as well as any company that uses the cloud to store its customers' information.
SOC 2 is based on policies, communications, procedures, and monitoring. Trust services criteria for general-use reports: these reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 report. Note that SOC levels indicate differences both in the purview of the certification and in the intended audience for the reports. It is important to keep a service organization's clients in mind when choosing which standards to comply with.
The five controls are security, availability, processing integrity (ensuring system accuracy, completion, and authorization), confidentiality, and privacy. System and Organization Controls (SOC) reporting is a suite of service offerings that CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations. A Type 1 report covers the suitability of the design of a service organization's controls on a specific date, while a Type 2 report covers the effectiveness of the control design over a period of time. AWS System and Organization Controls (SOC) reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives.
The system has controls in place to protect against unauthorized access, both physical and logical. The specific trust service principles explained below must be met in order to successfully achieve certification. SOC 1 reports are performed by a service auditor. SOC 1 is divided into Type 1 and Type 2 reports.
Before 2014, cloud vendors only had to meet SOC 1 compliance requirements. SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. This report and audit are completely different from the previous one. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.
SOC 2 measures controls specifically related to IT and data center service providers. When choosing between SOC 2 and ISO 27001 certification, an organization should consider its regulatory requirements as well as which countries it plans to do business with. The purpose of these reports is to help you and your auditors understand the AWS controls established to support operations and compliance. Developed by the AICPA, SOC 2 is specifically designed for service providers storing customer data in the cloud.