Start your SOC 2 attestation journey here
System and Organizational Controls 2 (SOC 2) outlines criteria you can use to manage and protect customer data in the cloud.
Apptega makes managing SOC 2 compliance simple with access to automated reports, alerts, notifications, policy templates, and framework mapping.
You can use SOC 2’s Trust Services Criteria to develop your cybersecurity program and mature it over time.
If your organization stores, processes, or transmits customer data, then SOC 2 is right for you. SOC 2 should also be used to evaluate SaaS providers.
SOC 2 Trust Services Criteria (TSC) outline five key principles to help you develop controls to help keep customer data safe.
SOC 2’s TSCs align with 17 COSO principles. See what they are and how you can apply them to your cybersecurity program.
SOC 2 Points of Focus help you determine which controls apply to your organization and how to implement them.
SOC 2 includes 61 compliance categories. See what they are and learn how Apptega can help you simplify control management.
You’ve invested time and resources building your SOC program, now check out these great tips to ace your SOC 2 audit.
Want to ensure your investments into SOC 2 pay off? Check out “Secrets to Passing a Cybersecurity Audit” for help.
You can map SOC 2 TSCs to other frameworks including ISO 27001 and NIST CSF. Apptega makes it simple with Harmony.
Have questions about SOC 2? This SOC 2 frequently asked questions section is a great place to start.
System and Organization Controls (SOC) 2 attestation, similar to certification, is a great way to demonstrate your organization takes data protection and privacy seriously and that you have controls in place that support those standards.
While some common cybersecurity frameworks and requirements, for example, the General Data Protection Regulation (GDPR), set rigorous standards your organization must meet for compliance, you can use SOC 2 criteria to create controls specific to your organization’s unique needs, as long as they align with one of the five SOC 2 Trust Services Criteria (TSC):
SOC 2’s origins are rooted in the Statement of Auditing Standards No. 70, also known as SAS 70, from 1992. Certified public accountants (CPAs) originally used SAS 70 standards to conduct audits to determine how well service organizations manage information security controls and similar processes. For the purposes of SOC criteria, a service organization is any third party that provides services to your organization as a part of your organization’s information systems.
In 2010, the American Institute of CPAs (AICPA) replaced SAS 70 auditing with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). From SSAE, two new auditing reports emerged—SOC 1 Type 1 and SOC 1 Type 2. Type 1 reports focus on your organization’s capabilities on a specific date, whereas Type 2 reports focus on your controls on an ongoing basis.
SOC 2 focuses on the protection of data, evaluating your controls for those five TSCs we mentioned earlier. SOC 2 also includes a description of your service auditor’s tests of your controls and related results. Those reports are generally not made public.
There is also a SOC 3, which is similar to SOC 2, but it doesn’t include a description of a service auditor’s tests of controls and results, like SOC 2 does, so you can share it with the public, for example, on your website or social media.
Want to learn more about the evolution of SOC 2 from SAS 70 to the present? Check out “Explaining SOC: Easy as 1-2-3.”
Apptega is ideal for managing cybersecurity and compliance based on a variety of frameworks. Within the platform, you can automate the implementation and management of your compliance progress for all of the SOC 2 requirements, including:
SOC 2 provides organizations with best practices to help you manage your cybersecurity posture and meet compliance criteria. Apptega can show you the way to get the most out of your SOC 2 compliance journey.
The SOC 2 core is built on Trust Services Criteria (TSC). You can use TSCs to determine the effectiveness of your organization’s controls related to security, availability, processing integrity, privacy, and confidentiality. These controls apply to information processed by your systems, not just at your primary location, but also at any divisions or other operating units that conduct or support functions within your organization.
While TSCs focus on controls, effective SOC 2 practices also require sound judgment, facilitated by points of focus, which we’ll cover in more detail in the next section (or if you’d like to go ahead and learn more, check out the Points of Focus section below).
TSCs are also aligned to 17 principles from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. Those 17 principles are categorized in a series of classifications (check out the Common Criteria Section below).
There are no regulatory requirements for SOC 2, so you can choose to meet one, some, or all of the TSCs. You can even begin with one or two and then build your controls out to meet more TSCs over time as you mature your program. While these are not in a specific required order, it’s a good idea to begin with the Security TSC.
The Security TSC is the criterion most commonly used by organizations. It guides protection of information as your organization collects, uses, processes, transmits, and stores it, as well as controls for the systems that access, transmit, and store that data. Your security controls should ensure that information is protected from unauthorized access, unauthorized disclosure, and system damage that could put sensitive data at risk.
The Privacy TSC guides how your organization handles personally identifiable information (PII) such as names, addresses, phone numbers, etc. Consider the Privacy TSC as a tool to help you align your practices with your privacy notice. There are specific privacy criteria that include: notice and communication of objectives; choice and consent; collection; use, retention, and disposal; access; disclosure and notification; quality; and monitoring and enforcement.
The Availability TSC focuses on ensuring information and systems are available for use and meet your objectives. It guides controls to support system access for operations, monitoring and maintenance.
The Processing Integrity TSC focuses on ensuring that your system processes are complete, accurate, timely, and valid.
The Confidentiality TSC applies to a gamut of sensitive data and guides how your organization protects that information from the time it’s collected or created all the way through to when and how your organization disposes of it or removes it from your organizational control.
When we introduced the Trust Services Criteria, we mentioned how each criterion also has points of focus. The purpose of these points of focus is to help you identify the important characteristics of each TSC. These points of focus can help you design your controls as well as guide the development and maturity of your security practices. You can further use points of focus as guide points to evaluate how well your existing controls work and identify where you may need to make changes or improvements.
It’s important to note that not every point of focus outlined in the SOC TSCs is relevant to every organization. You can use the points of focus to help customize your controls based on your organization’s needs.
While the extensive list of points of focus for each of the TSCs and related common criteria is too lengthy to outline here, let’s take a quick look at an example:
Common Characteristic: Control Environment
CC 1.1 Principle: The entity demonstrates a commitment to integrity and ethical values.
COSO-Related Points of Focus:
Additional Points of Focus:
To see a full list of SOC 2 Points of Focus, check out AICPA’s Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy Guide.
As cyber-attacks increase across many industries, it’s important that your clients know—and trust—that your organization takes data security and privacy seriously. And now, more than ever, people need reassurances (and proof) that your organization has controls to keep their data safe. This trust is built on transparency and professionalism, both of which are industry best practices and vital components of AICPA’s trust services criteria. As a SaaS company, a SOC 2 audit can help you demonstrate to your clients that you’re taking proactive measures to ensure your clients’ data is safe.
Today’s modern enterprises—regardless of size—depend on a variety of frameworks to help build cybersecurity programs and ensure compliance and regulatory standards are met. Most organizations today face an increasing number of compliance mandates, while simultaneously increasing the number (and variety) of security frameworks they use to improve their cybersecurity posture. Managing those frameworks or mapping them to one another has long been a challenge for security professionals—until now, thanks to Apptega’s Harmony, the only intelligent framework mapping tool you’ll ever need.
Configuration management is a way to identify, control, track, and audit changes as part of your cybersecurity program. Many security frameworks include configuration management in requirements. Whether you’re using recommendations like SOC 2 or more stringent requirements like ISO 27001, it’s important to understand the role of configuration management in keeping your organization safe. Check out this blog to learn more about how the two practices work together to help increase your security posture.
There are more than 20 common cybersecurity and privacy frameworks available today, ranging from comprehensive requirements mandated by GDPR to recommendations like SOC 2. So how do you know which framework (or multiple frameworks) is best for your organization? Check out this on-demand webinar to learn more about common frameworks, what sets them apart, and how you can simplify framework management by using Apptega.
If you’ve invested time, money, and resources into building out your SOC 2 controls, you’ll want to do everything you can to ensure you have a successful SOC 2 audit. But where do you begin? How do you prepare? Check out this on-demand webinar to hear from security experts who have been involved in auditing processes, learn more about common stumbling blocks, and get tips to help you prepare for a successful audit.
As a SaaS company, your clients want to know that their data is secure within your organization, and with any related subcontractors you might outsource work to. But how do you build an effective cybersecurity program for your SaaS business, especially if you’re just getting started? Check out this on-demand webinar to learn how you can use SOC 2 and other frameworks to build your cybersecurity program with your existing resources.