Skip to Main Content
Main Menu
Search Opener
Search Close
Contact us
Standard

SOC2

Developed by the American Institution of Certified Public Accountants (AICPA), the SOC 2 (System and Organization Controls, and Service Organization Controls), also known as the 2017 Trust Services Criteria, is a international cybersecurity standard establishing guidelines for the secure management of client data.

Are you subject to SOC2?

SOC 2 is applicable to any organization who prioritizes data protection, privacy and security, and may not be narrowly restricted to financial institutions or organizations who process large volumes of financial data, including: cloud service providers, healthcare providers, and software as a service (SaaS) providers.

Key obligations of SOC2

Privacy notice

An organization’s privacy notices must be developed and made readily available to individuals concerning: the purposes for collecting personal information, choice and consent processes, categories of personal information intended to be collected, methods for data collection (e.g. via cookies), use, retention, and disposal periods for personal information, whether information will be disclosed to third-parties, security measures to protect personal information, processes to provide breach notifications, and whether new information will be developed concerning the individual.

Vendor management

Where vendors and business partners are outsourced to support organizational operations, organizations must establish mechanisms to periodically assess their compliance with organizational privacy and data confidentiality standards and requirements. An assessment should also evaluate the level of performance and potential risk posed by vendors and business partners to organizational operations. All assessments shall be documented and retained.

Obtainment of consent

Organizations must obtain clear and explicit consent from individuals at or before the time sensitive personal information is collected. Where personal information is intended to be transferred to or from an individual’s device, obtain prior consent and document the individual’s consent to data transfers.

Performance of risk assessment

Organizations must identify potential risks to organizational operations by establishing a risk assessment procedure and management plan, and execute an entity-wide risk assessment. Assess the severity of known risks to the entity and develop mitigation measures to remediate the risk. All risk assessment results must be retained.

Implementation or technical security controls

Personal information in use, transit and at rest, and information assets must be protected by safeguards through implementing access controls, authentication methods, encryption and encryption keys, and malware detection mechanisms.

Whitepaper

Privacy and Data Security in Mergers & Acquisitions

Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.

Achieve compliance

Privacy Central

Privacy program development and compliance management

Automatically identify gaps and track compliance with PrivacyCentral for SOC2, ISO, NIST, and other privacy and security standards.
Data Inventory Hub & Risk Profile

Complete and maintain a data inventory

Automate with a Data Inventory Hub. Save time and reduce risk with automated data flow mapping, risk analysis, and remediation for personal data processes and general activities associated.
Assessment Manager

Mitigate Risks

Use pre-built risk and vendor assessments to mitigate risks with TrustArc’s Assessment Manager.

FAQs

  • What are the benefits for being SOC 2-compliant?

    Demonstrating compliance translates into holding a strong security posture, and maintaining trust with clients that their personal information is kept securely during data processing. Meeting SOC 2 requirements may overlap with other cybersecurity frameworks (e.g. ISO), which enables entities to demonstrate compliance with multiple frameworks.

  • Will I receive a certificate (or other credential) demonstrating compliance with the SOC 2 framework?

    Cloud service providers in particular may be SOC 2-certified when they demonstrate the five trusted criterias: security measures are implemented on information systems to prevent unauthorized data processing (security), access controls are implemented to enable only the authorized personnel to access confidential data (availability), information systems demonstrate accuracy (processing integrity), sensitive data are kept confidential (confidentiality), and data privacy of information is prioritized (data privacy).

  • What are the 17 principles that SOC 2 is based on?

    The 17 principles presented in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework including, but not limited to: commitments to organizational integrity and ethical values, internal governance by organizational board of directors, identifying and allocating organizational responsibilities, commitments to foster skillful individuals, upholding accountability and responsibility, ensuring the use of quality information, ensuring responsible communication, establishing organizational goals, risk management initiatives, upholding internal security controls and plans, and establishing internal data governance policies.

Related Resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top