Service Organization Control (SOC) 2

Part 1 - General information
Service Organization Control (SOC) 2
SOC 2
American Institute of Certified Public Accountants (AICPA)

SOC 2 reports are designed to help service organizations (organizations that operate information systems and provide information system services to other entities) build trust and confidence in their service delivery processes and controls through a report issued by an independent Certified Public Accountant (CPA). The certification scheme is defined and maintained by the American Institute of Certified Public Accountants (AICPA). Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls. Use of these reports is generally restricted to parties that have this understanding. The AICPA Guide: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development) provides guidance for performing these engagements.
an organisation, one or more services, set of business processes, one or more cloud services

Part 2 - Underlying information security standard or best practices
AICPA Trust Services Principles, Criteria and Illustrations presents measurement criteria for use when providing attestation or consulting services to evaluate controls relevant to the security, availability, and processing integrity of a system, and the confidentiality and privacy of the information processed by the system. The guidance was established by the Assurance Services Executive Committee (ASEC) of the AICPA.
AICPA
detailed technical requirements
Facilities (hardware, cooling, etc), PaaS, IaaS, SaaS, Organization (processes, policies)
purchase for a small fee
yes (description below)
The SOC 2 requirements relate to a set of Trust Services Principles and Criteria, as follows:

Trust Services Principles:
a. Security. The system is protected against unauthorized access, use, or modification.
b. Availability. The system is available for operation and use as committed or agreed.
c. Processing integrity. System processing is complete, valid, accurate, timely, and authorized.
d. Confidentiality. Information designated as confidential is protected as committed or agreed.
e. Privacy.

Trust Services Criteria:
a. Organization and management.
b. Communications.
c. Risk management and design and implementation of controls.
d. Monitoring of controls.
e. Logical and physical access controls.
f. System operations.
g. Change management.
Part 3 - Assessments and certification of compliance
Certified Public Accountants (CPAs) are the premier providers of SOC 2 reports for service organizations.
AICPA
audit code/guideline
no
no
no
no
yes - provide a link to an example
no
other (describe briefly)
The SOC 2 Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy is issued either as of a point in time (e.g. as of the date DD/MM/YYYY) or covers a period of time, always in the past (e.g. from DD/MM/YYYY to DD/MM/YYYY).
Part 4 - Current adoption and usage
Fully adopted framework, on a global basis.
global
global
Part 5 - Security objectives
Security Policies
Description:

The entity defines and documents its policies for the security of its system.

References:

S1.1, S1.2, S1.3

Security Communications
Description:

The entity communicates its defined system security policies to responsible parties and authorized users.

References:

S2.1, S2.2, S2.3, S2.4, S2.5

Security Procedures
Description:

The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.

References:

S3.1, S3.2, S3.3, S3.4, S3.5, S3.6, S3.7, S3.8, S3.9, S3.10, S3.11, S3.12, S3.13, S3.14

Security Monitoring
Description:

The entity monitors the system and takes action to maintain compliance with its defined system security policies.

References:

S4.1, S4.2, S4.3, S4.4

Availability Policies
Description:

The entity defines and documents its policies for the availability of its system.

References:

A1.1, A1.2, A1.3

Availability Communications
Description:

The entity communicates its defined system availability policies to responsible parties and authorized users.

References:

A2.1, A2.2, A2.3, A2.4, A2.5

Availability Procedures
Description:

The entity placed in operation procedures to achieve its documented system availability objectives in accordance with its defined policies.

References:

A3.1, A3.2, A3.3, A3.4, A3.5, A3.6, A3.7, A3.8, A3.9, A3.10, A3.11, A3.12, A3.13, A3.14, A3.15, A3.16, A3.17

Availability Monitoring
Description:

The entity monitors the system and takes action to maintain compliance with its defined system availability policies.

References:

A4.1, A4.2, A4.3

Process Integrity Policies
Description:

The entity defines and documents its policies for the processing integrity of its system.

References:

I1.1, I1.2, I1.3

Process Integrity Communications
Description:

The entity communicates its documented system processing integrity policies to responsible parties and authorized users.

References:

I2.1, I2.2, I2.3, I2.4, I2.5

Process Integrity Procedures
Description:

The entity placed in operation procedures to achieve its documented system processing integrity objectives in accordance with its defined policies.

References:

I3.1 - I3.21

Process Integrity Monitoring
Description:

The entity monitors the system and takes action to maintain compliance with the defined system processing integrity policies.

References:

I4.1, I4.2, I4.3

Confidentiality Policies
Description:

The entity defines and documents its policies related to the system protecting confidential information, as committed or agreed.

References:

C1.1, C1.2, C1.3

Confidentiality Communications
Description:

The entity communicates its defined policies related to the system’s protection of confidential information to responsible parties and authorized users.

References:

C2.1, C2.2, C2.3, C2.4, C2.5

Confidentiality Procedures
Description:

The entity placed in operation procedures to achieve its documented system confidentiality objectives in accordance with its defined policies.

References:

C3.1 - C3.20

Confidentiality Monitoring
Description:

The entity monitors the system and takes action to maintain compliance with its defined confidentiality policies.

References:

C4.1, C4.2, C4.3

Privacy Management
Description:

The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

References:

P1.1, P1.2

Privacy Notice
Description:

The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

References:

P2.1, P2.2

Privacy Choice and Consent
Description:

The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

References:

P3.1, P3.2

Privacy Collection
Description:

The entity collects personal information only for the purposes identified in the notice.

References:

P4.1, P4.2

Privacy Use, Retention and Disposal
Description:

The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

References:

P5.1, P5.2

Privacy Access
Description:

The entity provides individuals with access to their personal information for review and update.

References:

P6.1

Privacy Disclosure to Third Parties
Description:

The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

References:

P7.1, P7.2

Privacy Security for Privacy
Description:

The entity protects personal information against unauthorized access (both physical and logical).

References:

P8.1, P8.2

Privacy Quality
Description:

The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

References:

P9.1, P9.2

Privacy Monitoring and Enforcement
Description:

The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints, and disputes.

References:

P10.1, P10.2