SOC 2 – Information security for service providers
The combination of increasing digital assets and national, international and industry-specific regulations and directives results in stricter requirements on organizations’ information security work. In turn, more and more companies are requiring increased transparency and objective evidence of their service providers’ ability to manage and report on their IT and information security. An effective way to demonstrate compliance with security requirements is to produce objective reports on compliance with accepted frameworks and standards, such as SOC 2, verified by an external auditor.
SOC 2 (Service Organization Control) is a reporting framework from AICPA (American Institute of Certified Public Accountants) that assures and formalizes the information security of service providers.
The framework’s controls are based on five basic principles, called the Trust Services Criteria: security, availability, confidentiality, privacy and processing integrity.
The controls are predefined; however, there is room to adjust how each control is implemented to better suit the company’s context and the technology in use. This means that the organization can, to some extent, adapt the controls to its own operations, and the result is then reported and validated through external audits.
These reports can later be used to provide customers, supervisory authorities, partners and people in your own organization with information on the current security status in relation to the controls. Working with the SOC 2 framework is also a good way of being transparent, proving to customers and stakeholders through third-party auditing that your organization prioritizes security.
Are you considering becoming SOC 2 compliant? Sentor’s consultants possess the relevant skills and experience to support you in your work. Our GRC team assists several companies in implementing and complying with various management systems and information security frameworks, such as ISO 27001 and SOC 2.
Sentor’s methodology for achieving SOC 2 compliance consists of five phases:
1. Getting started
In consultation with you, we define the scope for your SOC 2 report and which Trust Services Criteria are applicable to your business. The work includes inventory and classification of assets, as well as risk analyses to further map the security level of your organization. All information that emerges from this phase is important for the work ahead and the next steps.
2. Control design and implementation
We continue to work within the defined scope by designing and implementing controls in accordance with the SOC 2 Trust Services Criteria, and by establishing a governance model for information security based on documented policies.
3. Internal audit
Once the controls are designed and implemented, we conduct an internal audit in order to verify compliance and prepare for the external audit in the next step. Internal auditing is carried out by security experts from Sentor who have not been involved in phases 1 and 2 to ensure objectivity.
4. SOC 2 type 1 and 2
When it is time for external audits, we are there and support you during the process. In practical terms, this usually includes assistance in describing the control design and its implementation.
The external audit for SOC 2 is divided into two parts: SOC 2 type 1, which is an audit of compliance with the defined controls at the time of the audit, and SOC 2 type 2, which is an audit of continuous compliance with the defined controls over a period of time of at least 6 months. In other words, the difference between type 1 and type 2 is the measurement period, with type 2 taking into account compliance with the controls over a longer period of time.
We recommend starting with a SOC 2 type 1 audit before proceeding with SOC 2 type 2. This ensures that the results of the first, point-in-time audit meet the objectives before measurement over time begins.
5. Ongoing support
During the remaining work on SOC 2 compliance, Sentor can continue to assist with information security expertise to help you maintain good information security over time. This often involves support for key actions in particularly important activities, such as risk analysis and incident management.