Trust and assurance for data security

SOC 2 Examinations

The SOC 2 Examination has its roots in WebTrust and SysTrust reports, but if you remember those, you’ve probably been at this too long. We remember the trusty reports and pour one out for them occasionally.

reliable security and compliance

Who should get a SOC 2 Examination?

  • Cloud Service Providers
  • SaaS Providers
  • IaaS Providers
  • Companies that have customers banging on the table and demanding a SOC 2

SOC 2 Examination Scope

You set your scope based upon the selected Trust Services Criteria. The base Criteria is “Security” which includes a set of 9 “Common Criteria”. Optionally, you can add four additional criteria on the topics of Availability, Confidentiality, Processing Integrity and Privacy. This is typically driven by whatever your customer is blurting out as they bang on the table. If you want to talk about your scope, we’ll be happy to humor a call.

HR and Entity Controls

Here we talk about background checks, security awareness training, confidentiality agreements, performance reviews and risk assessment.

Logical and Physical Access Controls

Here we talk about multifactor authentication, user access management, password controls, and all the encryption things.

Change and IT Operations Controls

Here we talk about how change is inevitable, except from a vending machine. Even if vending, you still should test your code. IT operations includes all the “other” things.

Vendor Risk Management Controls

So you outsourced something to someone? Great. Let’s talk about how you know that they are able to participate and excel at meeting your customers’ requirements.

Trusted SOC 2 audit services

Our Audit Process

We’ve been at this long enough that we can audit our way out of a paper bag. Even as paper bags have increased in overall quality, we have continually surprised ourselves by getting out before the local house cat found us.

01

Scoping and Planning

Before we get too carried away, we get to know you, what you do and what processes impact financial reporting. This lets us tailor our requests to match what you actually do instead of going on a fishing expedition with a shrimp net.

02

Control Testing and Evidence Collection

We leverage our audit portal to provide a list of requests, manage their status and assign them to all the folks you’ve voluntold to help with the audit effort. We provide near-real-time feedback as you’re submitting evidence so you know whether you went over, under or hit “the bar”.

03

Reporting and Issuance

This part you usually don’t have to help with – we slip into the back room and count some beans, do some quality assurance and then present you a draft report on a platter. If it looks good, great, we finalize, if not, well… uhh… we do it again.

SOC 2 compliance made simple

Pricing for SOC 2 Examinations

Type 1 Examination starting at

$17,900

A Type 1 Examination is as of a point in time. It’s a lower level of assurance than a Type 2, but it’s also a good way to get started for first-time SOC 2 goers. Sometimes, the Type 1 will get skipped.

  • SOC 2 Examination as of a Point in Time
  • Assumes fewer than 100 Employees, one system in scope
  • Additional Criteria – Add Availability or Confidentiality for $2,200 or Processing Integrity or Privacy for $4,300 each

Type 2 Examination starting at

$21,900

A Type 2 Examination covers the same topics as the Type 1; however, it happens over a 6-12 month period, meaning we’ll want to confirm you did the things you said you’d do over that period of time.

  • SOC 2 Examination over a period of time
  • Assumes fewer than 100 Employees, one system in scope
  • Additional Criteria – Add Availability or Confidentiality for $2,700 or Processing Integrity or Privacy for $5,500 each

Questions We Get Asked (or, FAQs)

Here are a few questions we typically get – if you don’t see what you’re looking for, let us know and we’ll be glad to add it!

A SOC 2 Type 1 report is an examination performed as of a specific point in time. We think of this as something like taking a picture of the family at a holiday. Once you wrangle all of the kids into one place and pose them, you can just keep taking the picture until everyone happens to be smiling. It’s often the starting place for companies going through SOC 2 for the first time and helps to set the stage for the Type 2 examination.

A SOC 2 Type 2 report is an examination performed over a period of time. Going back to the picture analogy, instead of taking a posed picture, you would instead take a video of everyone posing, which would allow you to identify who was making funny faces. This provides a much higher level of assurance to your customers and is most likely what they are expecting when asking you for your SOC 2 report. As a service organization, we have found that the biggest leap between the Type 1 and Type 2 reports is the ability to document and evidence what the service organization is doing in a way that it can be reviewed afterward.

For a more explicit breakdown of the differences, we have a blog post right here that explains it well.

The frequency is driven by the businesses’ customers’ requirements. Typically, businesses receive audits and updated reports on an annual basis.

There are five different Trust Services Criteria (formerly known as Trust Services Principles) to choose from to have included within your report. The five Criteria are Security, Availability, Confidentiality, Processing Integrity and Privacy. Selecting the correct Principles for your report involves some art and some science. The selection relates to the types of services that you offer, the commitments that you make to your customers, as well as what your customers want assurance of you performing.

Security

The system is protected against unauthorized access (both physical and logical).

The Security Criteria is inherent to all of the Trust Services Criteria, as it comprises nine common criteria that are also evaluated for Confidentiality, Availability and Processing Integrity. If you are getting a SOC 2 report, then it will minimally contain the Security Principle.

Confidentiality

Information designated as confidential is protected as committed or agreed.

The Confidentiality Criteria is selected when your company obtains access to your customers’ confidential information as part of the services that you perform. The main review areas for this Criteria relate to having an information classification program, a data retention policy and following data disposal procedures.

Availability

The system is available for operation as committed or agreed.

The Availability Criteria is selected when your company has significant commitments to the availability of its services to your customers. Review areas include your company’s monitoring processes for system availability, your Business Continuity and Disaster Recovery Planning processes, data backup and restoration processes, and the design and implementation of a resilient system.

Processing Integrity

System processing is complete, accurate, timely and authorized.

The Processing Integrity Criteria is selected when your company processes transactions on behalf of your customers and they have an interest in the completeness, accuracy and timeliness of your transaction processing services. Review areas are typically tailored to the types of transactions that you are processing on your customers’ behalf, and will typically include inputs to the system, processing steps performed by the system and system outputs.

Privacy

Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP).

The Privacy Criteria is selected when your company collects Personally Identifiable Information (PII) from users of its services. As this Principle aligns with GAPP, it is approached in a very different manner than the other Principles. A common misconception when selecting Privacy concerns its scope: the Principle is intended to address data that your company collects directly from individuals. If your company is receiving PII from your customer (that is, a business), then the PII is considered confidential information and is more appropriately reviewed using the Security and Confidentiality Criteria.

The correct report for your company depends on the needs of your customers. Active consultation with your customers and auditor allows you to select the best option to meet their needs.

Talk to Us!