Service Organization Control (SOC) refers to a form of control over the administrative procedures of IT organizations that provide services. SOC 2 is an international reporting standard for cybersecurity risk management systems. This standard, developed by the American Institute of Certified Public Accountants (AICPA), was updated in March 2018.
While a SOC 1 report is designed to address internal controls over financial reporting, a SOC 2 report deals with a service organization’s controls over its operations and compliance.
SOC 2 is an audit procedure that enables your service providers to securely manage your data to protect the interests of your organization and the privacy of their customers. For security-conscious businesses, SOC 2 compliance is a minimum requirement when considering a SaaS provider.
How long is the SOC 2 report valid?
The opinion expressed in the SOC 2 report is valid for twelve months following the publication of the SOC 2 report.
How often are SOC 2 inspections done?
Most SOC 2 reports cover a 12-month period, but there are times when service organizations perform this audit every six months, depending on the customer’s preference and ongoing concerns in the operational control environment.
So why do we have to go through these inspections?
Any company that offers a service has the potential to pose a threat to its customers. Even a company that is legitimate in all respects can act as a link in a supply chain that is used in an attack. Companies working in the field of information security carry a much greater responsibility, because their products need the highest level of access to user information systems.
Customers, especially large corporations, can therefore be expected to ask reasonable questions from time to time: How much can we trust these services? What kind of internal policies govern the services we use? Could someone harm us through these products or their associated services?
It is vital that your customers and business partners have no doubts that your products and services are reliable. We also believe that it is very important that your internal processes comply with international standards and best practices. For this reason, we work with independent auditors who have international audit experience.
Our auditors examined whether vendor processes adhere to five basic security principles:
- Security (is the process protected against unauthorized access?),
- Availability (is the process generally functional?),
- Process integrity (is the data delivered to the client safe?),
- Confidentiality (can other people access this data?),
- Privacy (is personal data stored by us and, if so, how is this process carried out?).