Understanding Service Organisation Controls (SOC)
Is our information secure?
The SOC 2 reporting standard is an audit opinion report over internal controls related to Information Technology. It is based around the Trust Principles of Security, Availability, Integrity of processing, Confidentiality and Privacy.
What is Service Organisation Controls – SOC 2
By the time your organisation has decided to use a cloud service provider or outsource elements of IT, the most commonly raised concern is, “Is our information secure?” This is often followed by a more difficult question, “How do you know?”
As cloud services have matured and economic conditions have resulted in many organisations seeking to increase efficiencies through outsourcing, the need to be able to answer these questions comprehensively has grown. Furthermore, if you are already competing globally or have plans to do so, the above questions would further need to be answered from a legislative compliance perspective.
This is precisely where the SOC 2 report fits in. You may be more familiar with the SOC 1 report (also called ISAE 3402, SSAE 16, or formerly SAS 70). This is a report over the financial controls performed by the service organisation. The SOC 2 report follows the same approach, but is focused on the controls over IT.
The benefits for the Service Organisation include:
• The service organisation can undergo one audit and distribute the report to multiple customers, reducing the time spent with individual auditors.
• The Trust Principles relate directly to the core service obligations and commitments of IT, Cloud and Hosting providers.
• The ability to integrate with other frameworks over IT controls and governance such as Cobit and ISO/IEC 27001.
• Staff throughout the service organisation gain improved insight over risk, governance and internal control.
The benefits to your organisation include:
• Independent Assurance over the controls operated by the Service Organisation to which you have outsourced an element of your business.
• A comprehensive report of the processes and controls in place at the Service Organisation.
• Clearly articulated controls that need to be performed by your organisation when working with the Service Organisation.
• Insight into control gaps as highlighted in the report.
The Bottom Line
It is important to remember that your organisation cannot outsource the risks around IT. It is your organisation’s obligation to protect the information of your business, and your customers, even when you make use of a Service Organisation. A SOC 2 report will assist by providing assurance over the controls in place at the Service Organisation – you may want to make a positive SOC 2 report part of the contractual agreement between your organisation and that of the Service Organisation to demonstrate privacy compliance.
Message to Service Organisations
Contact us to discuss an efficient and pragmatic approach to obtaining a SOC 2 report.
Key Contact
Trevor Wright
Deloitte Risk Advisory Africa
Email: trewright@deloitte.co.za
Direct: 011 209 8244