SOC 2

SOC 2 - System and Organisation Controls

PrimoConnect are specialists in helping provide a compliant SOC 2 report, across Sussex, the Southeast, London and nationwide.

Requirements: SOC 2




SOC 2

The term SOC stands for 'System and Organisation Controls'. This framework is relevant to all service organisations that handle customer data and aim to demonstrate their commitment to security and privacy. The SOC 2 framework was established by the American Institute of Certified Public Accountants (AICPA), and it outlines five key "trust service principles" for managing customer data safely and privately.

  • Security

  • Availability

  • Processing integrity

  • Confidentiality

  • Privacy

A SOC 2 EXAMINATION REPORT SETS OUT THE DETAILED INFORMATION AND ASSURANCE ON SAFETY AND PRIVACY THAT YOUR CLIENT NEEDS, AS A SERVICE PROVIDER. SOC 2 REPORTS ARE UNIQUE TAO EACH ORGANISATION, UNLIKE OTHER STANDARDS. 

A SOC 2 report is separated into Type I and Type II:

  • Type I - An assessment of the controls’ efficacy at a point in time

  • Type II - An assessment of the controls’ efficacy over a period of time (usually nine months)

SOC 2 certificates are issued by external auditors. Those auditors assess an organisation’s compliance with one or more of the five key trust principles, based on the company’s existing systems and processes.

Why work with PrimoConnect?

  • PrimoConnect has a 100% track record of achieving UKAS accredited certification for clients.

  • With our extensive experience in multiple ISO standards, we can provide valuable insights and advice on their implementation and integration.

  • We come highly recommended by all major certification bodies for ISO consultancy.

  • Our compliance team has established strong partnerships with Cranfield Universities.

  • Our team of expert consultants, along with our selected group of technical specialists, ensure you receive the best service possible for your project.

  • Our compliance division offers a proven software solution that provides a simple, efficient and effective platform to manage all your compliance needs.

  • We are the only UK consultancy to make all of our legal registers freely available and provide no-obligation updates to anyone who requests them, free of charge.


What is SOC 2?

SOC 2 is a suite of standards established by the AICPA, against which an organisation’s internal controls relating to security, availability, processing integrity, confidentiality and privacy, are evaluated and reported on.

Organisations that provide cloud-based or outsourced IT services commonly chose to use SOC 2, the aim of which is to reassure customers and stakeholders that the organisation has the requisite controls established to protect sensitive data and uphold its systems’ availability and integrity.

What are the different types of SOC 2?

  • A SOC 2 Type 1 report focuses on the design and implementation of controls that are relevant to security, availability, processing integrity, confidentiality or privacy within an organisation. It provides assurance about those controls at a specific point in time.

    An independent auditor (an AICPA member) performs the examination and it is carried out in accordance with the AICPA's SOC 2 standard. The report sets out the auditor's opinion in relation to the controls’ design and implementation, but does not include testing of the operational efficacy of those controls over a period of time. This type of report therefore affords customers and stakeholders with an independent assessment of the controls that existed at a moment in time; this can assist potential customers making informed decisions when using the services offered by the organisation.

  • A SOC 2 Type 2 examination report considers the effectiveness of a service organisation's controls over, usually, a six-month span. It reports on the controls relevant to security, availability, processing integrity, confidentiality, and/or privacy.

    An independent auditor (an AICPA member) performs the examination and it is carried out in accordance with the AICPA's SOC 2 standard. The report sets out the auditor's opinion in relation to the controls’ design and implementation, and also the testing of the operating effectiveness over time. This type of report therefore affords customers and stakeholders with an independent assessment of the controls; this can assist potential customers making informed decisions when using the services offered by the organisation.

  • The term “SOC 2+” is sometimes used to refer to an enhanced version of the SOC 2 report. The difference with a SOC2+ report is that it includes further reassurances on the organisation’s compliance with other standards and/or regulations, for instance, HIPAA, PCI-DSS or ISO27001. It is an examination report on the effectiveness of a service organisation's controls over, usually, a six-month span. It is set apart from a SOC 2 report as it assesses and encompasses additional compliance requirements.

    The SOC 2+ report provides customers and stakeholders with an independent assessment of the controls, allowing them to make informed decisions when using the services offered by the organisation.

    It should be noted that “SOC 2+” is not a recognised AICPA term. Instead, it is a term that is used by some companies to show they have met multiple compliance standards.

  • SOC 2 Type 1 reports on the design of controls.

    SOC 2 Type 2 reports on the operating effectiveness of controls.

    Generally, SOC2 Type 1 is not accepted by business partners; therefore, companies aim to achieve SOC2 Type 2.

    SOC 2+ is an enhanced version of the SOC 2 report. It provides further reassurance in regards a company’s compliance with other regulations or standards (e.g. HIPAA, PCI-DSS, ISO 27001). Put more simply, it is an integrated management system.


Information Guides

What is an independent service auditor's report in SOC 2? 

An independent service auditor's report is a document generated by an autonomous auditor to offer assurance regarding the effectiveness of controls relevant to security, availability, processing integrity, confidentiality, and/or privacy that are designed and implemented at a service organisation. The report is targeted towards the customers and stakeholders of the service organisation seeking assurance about the controls in place and how they safeguard sensitive data while ensuring the availability and integrity of the organisation's systems.

The independent service auditor's report plays a critical role in the SOC 2 examination process. The examination is conducted in accordance with the AICPA's SOC 2 standard by an independent auditor who is a member of the AICPA. The auditor scrutinises the service organisation's controls and procedures and offers an opinion on whether the controls are appropriately designed and implemented and operating effectively over time. The report comprises the auditor's opinion, as well as a summary of the service organisation's controls and test results.

What is Management's Assertion in SOC 2?

The Management's Assertion is a critical component of the SOC 2 report, wherein the management of the service organisation provides a statement acknowledging their responsibility for the design and implementation of controls over the security, availability, processing integrity, confidentiality, and privacy of the system and data it handles. The SOC 2 report includes the Management's Assertion, which is one of the crucial elements that offer assurance to the service organisation's customers and stakeholders.

The Management's Assertion comprises a statement of the management's responsibility for designing and implementing controls, a description of the service organisation's control environment and a statement of the management's belief regarding the efficacy of the controls. It serves as a vital aspect of the SOC 2 examination process since it highlights the service organisation's commitment to upholding appropriate controls and safeguarding sensitive data.

The independent auditor reviews the Management's Assertion and assesses whether the controls are suitably designed and implemented, as well as whether they are operating effectively over a period. The auditor also assesses the Management's Assertion before issuing an opinion in the report.

The purpose of the independent auditor's report is to provide customers and stakeholders with an unbiased evaluation of the service organisation's controls. This evaluation can assist in making informed decisions about whether to use the organisation's services.

What is System Description in SOC 2?

The System Description is a comprehensive document contained in the SOC 2 report, offering a detailed overview of the service organisation's system, encompassing the infrastructure, network, software, applications, data, and other pertinent information. It plays a critical role in the SOC 2 examination process as it facilitates a better understanding of the service organisation's system and the controls that are implemented to safeguard the security, availability, processing integrity, confidentiality and privacy of the system and the data it handles.

The system description typically includes information such as:

  • A comprehensive depiction of the system's infrastructure and network architecture.

  • An account of the software and applications that are used to support the system.

  • Details about the data that is processed (including data types, data flows, and data storage).

  • A detailed explanation of the security controls that are in place to safeguard the system and data.

  • Information on the availability and disaster recovery controls.

  • Specifics about the access controls and user management.

  • A detailed description of the incident management and monitoring process.

What are Trust Services Criteria and Related Controls in SOC 2?

In the SOC 2 report, the Trust Services Criteria (TSC) and Related Controls refer to the set of standards and controls that a service organisation must comply with to ensure the security, availability, processing integrity, confidentiality and privacy of its system and the data it processes. Meeting the TSCs is essential as they are the fundamental set of requirements that a service organisation must meet to successfully pass a SOC 2 examination.

How many control areas are there in SOC 2?

SOC 2 reports are based on the AICPA's SOC 2 standard, which consists of five Trust Services Criteria (TSC) categories:

  • Security: refers to the set of controls that safeguard the confidentiality, integrity, and availability of the information system and the data it processes.

  • Availability: refers to the set of controls that guarantee the system and data are available for use as agreed or committed

  • Processing integrity: refers to the controls that enable the system to process data in a complete, accurate, timely and authorised manner.

  • Confidentiality: refers to the controls that enable the system to process data in a complete, accurate, timely and authorised manner.

  • Privacy: refers to the set of controls that protect the collection, use, retention, disclosure and disposal of personal information in compliance with relevant laws and regulations.

The categories are further divided into multiple objectives and controls, and the service organisation must provide a comprehensive account of its controls, procedures and test outcomes to the auditor. The auditor subsequently assesses the controls and provides an opinion on whether they are appropriately designed and implemented to meet the criteria.

What are the best resources to learn about SOC 2?

There are resources available to find our more about SOC 2, including:

  • AICPA SOC 2 webpage: The AICPA provides a wealth of SOC 2 information on its website, including the SOC 2 standard, guidance on undertaking a SOC 2 examination and FAQs.

  • SOC 2 standard: The SOC 2 standard, officially known as "AT-C 205 - SOC for Service Organisations: Trust Services Criteria", is the set of standards that service organisations must meet in order to pass a SOC 2 examination.

  • SOC 2 books and guides: there are many books and guides that set out an overview of SOC 2 and explain the requirements in full.

  • SOC 2 blogs and articles: several blogs and articles provide information and insights about SOC 2, which cover best practices, common challenges and case studies.

  • SOC 2 training and certification: some organisations offer training and certification programmes that aim to help organisations understand and implement SOC 2.

  • SOC 2 auditing firms: some firms provide SOC 2 auditing services; these firms provide guidance and consultancy on SOC 2 implementation and compliance.

Ask A Question

If you would like to know more about SOC 2 and other compliance standards, certification and the value of a good management system you can add to your business we would love to hear from you: Sussex: 01273 526 433 | London: 0800 464 0131 | info@primoconnect.co.uk