SOC2 Type 1 and 2

Service Organization Control 2 (SOC 2) can refer to three related things: a report that can be provided to third parties to demonstrate a strong control environment; the audit performed by a third-party auditor (a CPA firm) to produce that report; or the controls and "framework" of controls that allow an organization to attain a SOC 2 report. In other words, SOC 2 is a "report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy," according to the AICPA.

The SOC 2 framework is published by the American Institute of Certified Public Accountants (AICPA) and is a voluntary cybersecurity attestation most widely used by service organizations with primarily US-based customers, partners, and other stakeholders.

SOC 2 focuses on five key areas, known as the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. These criteria are the foundation of SOC 2, ensuring service organizations effectively manage and protect customer data.

Security: Protecting systems and data from unauthorized access, both physical and logical, as well as from cyber threats such as malware and phishing attacks.

Availability: Ensuring that systems and data are accessible and functioning when needed, including provisions for disaster recovery and business continuity.

Processing Integrity: Verifying that data is processed accurately and completely, including controls for input validation, data accuracy, and data output.

Confidentiality: Protecting sensitive information from unauthorized disclosure, which may include implementing access controls, encryption, and secure storage practices.

Privacy: Complying with privacy regulations and protecting the privacy of customer data, including managing personal information, data retention, and data deletion policies.