
SOC2

SOC 2 (System and Organization Controls 2, formerly Service Organization Control 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 examination evaluates the controls a service organization uses to protect client data against the AICPA's 2017 Trust Services Criteria (TSC). Although it is a US-origin framework rather than a formal international standard, SOC 2 reports are widely recognized by customers and auditors worldwide.

Are you subject to SOC2?

SOC 2 is applicable to any service organization that stores, processes or transmits client data and wants to demonstrate its commitment to security, availability, processing integrity, confidentiality and privacy. It is not restricted to financial institutions or organizations that process large volumes of financial data; common candidates include cloud service providers, healthcare providers, managed service providers, data centers and software as a service (SaaS) providers.

Key obligations of SOC2

Privacy notice

Organizations must create and make available privacy notices covering the purposes for collecting personal information, choice and consent processes, the categories of personal information collected, data collection methods (e.g., cookies), and use, retention and disposal periods. Notices should also state whether information will be disclosed to third parties, describe the security measures and breach notification processes in place, and disclose whether new information about the individual will be derived from the data collected.

Vendor management

Where organizational operations are outsourced to vendors and business partners, organizations must establish mechanisms to periodically assess their compliance with organizational privacy and data confidentiality standards and requirements. The assessment should also evaluate the vendor's or business partner's level of performance and the potential risk it poses to organizational operations. All assessments must be documented and retained.

Obtainment of consent

Organizations must obtain clear and explicit consent from individuals at or before the time sensitive personal information is collected. Where personal information is to be transferred to or from an individual's device, organizations must obtain prior consent and document the individual's consent to the transfer.

Performance of risk assessment

Organizations must identify potential risks to organizational operations by establishing a risk assessment procedure and a risk management plan, and by executing an entity-wide risk assessment. Known risks must be assessed for severity and mitigation measures developed to remediate them. All risk assessment results must be retained.

Implementation of technical security controls

Personal information in use, in transit and at rest, together with the information assets that hold it, must be protected by safeguards such as access controls, authentication mechanisms, encryption with properly managed encryption keys, and malware detection mechanisms.


FAQs

  • What are the benefits of being SOC 2-compliant?

    Demonstrating compliance evidences a strong security posture and maintains client trust that their personal information is handled securely during data processing. Many SOC 2 requirements overlap with other security frameworks (e.g. ISO/IEC 27001), so the same controls and evidence can support compliance with multiple frameworks.

  • Will I receive a certificate (or other credential) demonstrating compliance with the SOC 2 framework?

    SOC 2 is not a certification scheme and no certificate is issued. Instead, an independent CPA firm performs an examination and issues a SOC 2 attestation report: a Type 1 report describes the design of controls at a point in time, while a Type 2 report also tests their operating effectiveness over a review period (typically 6 to 12 months). The report covers the Security criteria, which are mandatory, plus whichever of the other four trust services categories the organization chooses to include: availability (systems are available for operation and use as committed), processing integrity (system processing is complete, valid, accurate, timely and authorized), confidentiality (information designated as confidential is protected as committed), and privacy (personal information is collected, used, retained, disclosed and disposed of in line with the organization's privacy notice). Cloud service providers in particular commonly obtain SOC 2 Type 2 reports to share with customers.

  • What are the 17 principles that SOC 2 is based on?

    The Security criteria of the 2017 Trust Services Criteria incorporate the 17 principles of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework, grouped under five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. They include commitments to integrity and ethical values, board oversight of internal control, defined organizational structures and responsibilities, commitment to attracting and developing competent individuals, individual accountability, use of relevant and quality information, internal and external communication, specification of suitable objectives, identification and analysis of risk (including fraud risk and significant change), selection and deployment of control activities (including controls over technology) through policies and procedures, and ongoing evaluation and remediation of control deficiencies.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
