Guide To SOC Certifications


Key Takeaways:

  • SOC (system and organization controls) is a process focused on certifying internal safeguards for handling sensitive data.

  • SOC certifications are a sign an organization is practicing diligent information security.


Cyber security and information security go hand-in-hand. To that end, SOC was developed by the American Institute of CPAs (AICPA), setting criteria for managing customer data based on five ‘trust service principles’. SOC (system and organization controls) is an auditing process that leads to certification if independent certified public accountants determine an organization is practicing appropriate SOC safeguards.

SOC 1 vs SOC 2 vs SOC 3

Because SOC examines internal controls, each SOC certification requires an organization to demonstrate a different set of controls governing how it handles clients and client data. Each SOC certification covers a different purview and is aimed at a different audience requesting the report or certification.

SOC 1: A basic report on an organization’s controls related to its clients’ financial reporting.

SOC 2: Building off the financial data in SOC 1, a SOC 2 certification also requires standard operating procedures (SOPs) to be established for vendor management, risk management, regulatory oversight, and general oversight. Any business that requires documented standards for regulators, auditors, or compliance should pursue SOC 2.

SOC 3: A SOC 3 certification is a somewhat simplified version of SOC 2, using less formalized documentation, and is mostly used by businesses or organizations with fewer compliance and regulatory concerns.

Type I vs Type II

SOC 1 and SOC 2 reports come in two varieties: Type I and Type II. A Type I report describes the policies and procedures in place at a specific moment in time. A Type II report goes a step further by describing how those policies and procedures operated over a specified time period. That means SOC 2 Type II is the most comprehensive and rigorous certification.

Trust Service Principles

SOC auditors assess five key areas. First is security: the principles protecting against unauthorized access, examined through access controls, proper removal of data, web application firewalls, two-factor authentication, and intrusion detection. Second is availability: how rigorously an organization adheres to its service level agreements (SLAs), examined through monitoring of network performance, availability, and failover. Third is processing integrity: whether systems achieve their purpose by providing complete, valid, timely, accurate, and authorized data. Fourth is confidentiality: encryption and other measures that protect sensitive information during transmission. Last is privacy: ensuring personal data is kept private during collection, use, retention, disclosure, and disposal.

SOC 2 compliance isn’t typically a mandatory requirement for SaaS and cloud computing vendors, but it is of crucial importance in compliance, regulation, and auditing. If your business or organization handles sensitive data from clients with high standards, SOC certifications show your business partners you’re serious about rigorous information security.
