SOC 2 and the Security Criteria
The most recent American Institute of CPAs (AICPA) System and Organization Controls 2 (SOC 2) guide was released in January 2018, but it is always good to have a refresher course on any cybersecurity regulations your organization needs to adhere to. Let us look at some of the basics of SOC 2.
The five Trust Services Criteria are security, availability, confidentiality, privacy, and processing integrity. Of these five, the only criterion required in a System and Organization Controls 2 examination is security, which is also known as the common criteria. The security criteria are referred to as common criteria because many of the criteria used to evaluate a system are shared among all five of the Trust Services Criteria.
The other available criteria can be added to the examination at the discretion of management, or if it is determined that the criteria are key to the services being provided.
Determining which of the criteria to include in the scope of a SOC 2 examination is a key step in your System and Organization Controls 2 planning process. A service organization should research the available criteria and determine whether they apply to its services and system. It is also important to get advice from a knowledgeable third party that can help you navigate these waters.
There are plenty of challenges to maneuver through when pursuing SOC 2 certification. You do not have to go through this alone. Contact 2W Tech for help. We have a robust Cybersecurity Compliance Program that will ensure your organization complies with all industry-related regulations.