Overview
SOC 2 is a framework developed by the American Institute of CPAs (AICPA) that defines criteria for managing customer data based on five "trust service principles": security, availability, processing integrity, confidentiality, and privacy. It is specifically designed for service providers storing customer data in the cloud.
Trust Service Principles
- Security: Protection against unauthorized access, use, or modification
- Availability: System accessibility for operation and use
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
- Confidentiality: Protection of confidential information
- Privacy: Collection, use, retention, disclosure, and disposal of personal information
Report Types
- Type I: Describes a service organization's systems and whether the design of specified controls meets the relevant trust services criteria at a specific point in time
- Type II: Includes everything in a Type I report and also details the operating effectiveness of those controls over a specified period of time (minimum 6 months)
Compliance Process
- Gap analysis and readiness assessment
- Implementation of required controls
- Internal testing and documentation
- External audit by a CPA firm
- Report issuance and maintenance
