30 November 2023

SOC 2: what are we actually assessing?

The internationally recognized Service Organization Controls (SOC 2) guidelines have been established for IT service organizations. The SOC 2 standard is a form of assurance specifically aimed at IT service organizations that want to provide assurance on their controls in the areas of Security, Availability, Integrity of Processing, Confidentiality and Privacy.


But how do IT auditors assess these controls? And what exactly is meant by the terms Security, Availability, Integrity of Processing, Confidentiality and Privacy?

SOC 2 quality aspects

  • Security: The system is protected against unauthorized access, use or changes.
  • Availability: The system can be used in the agreed upon manner and meets the agreed upon requirements for availability.
  • Integrity of processing: Processing of data in the system is complete, accurate, timely and authorized.
  • Confidentiality: Information marked as confidential is protected in accordance with agreed upon requirements.
  • Privacy: Personal information is collected, retained, disclosed and deleted in conformity with the agreed requirements and in accordance with the General Data Protection Regulation (GDPR).

The aspects mentioned above are elaborated in a number of control objectives (criteria). These control objectives are in turn developed into (example) control measures aimed at achieving the control objectives for the Security, Availability, Integrity of Processing, Confidentiality and Privacy of the information processed by the system.

SOC 2 control objectives

The Security aspect is elaborated in the so-called 'Common Criteria' and is part of every SOC 2 audit. Additional control measures have been formulated for the other quality aspects, which can optionally be included in a SOC 2 audit.


Quality aspects (Principles) and the number of control measures for each:

  • Security (mandatory): 33 general control measures
  • Availability: 3 additional control measures
  • Integrity of processing: 5 additional control measures
  • Confidentiality: 2 additional control measures
  • Privacy[1]: not applicable


[1] The privacy control objectives and measures in SOC 2 are based on US law and cannot be used in Europe. Instead, a selection of criteria from NOREA's Privacy Control Framework is included.

How do you choose the right SOC 2 quality aspects?

As indicated, Security is a mandatory component of a SOC 2 report.

Availability is the second most frequently chosen quality aspect for a SOC 2 audit. Since most service organizations provide an outsourced service to their customers, its availability is often contractually defined through so-called Service Level Agreements (SLAs). The quality aspect Availability is therefore a very relevant one to include in a SOC 2 audit.

If the service organization processes transactions for its customers, i.e. manipulates and generates data, the quality aspect Integrity of Processing is relevant. It provides assurance that the data is processed in an accurate, complete, timely and authorized manner.

The last two principles are Confidentiality and Privacy. They are similar in that both relate to the information "in" the system. The difference is that the Privacy principle relates only to personal data. Does the service organization process confidential information and have specific agreements with the client about securing this data? Then the Confidentiality principle is of interest.

If the service organization processes personal data (on a large scale) for its client, a processor agreement will generally have been entered into with the client. Such agreements often include required control measures. A SOC 2 report that includes the Privacy section can serve as a way to demonstrate compliance with the processor agreement.

Our IT auditors help you choose

Choosing the right quality aspects to include in a SOC 2 audit is an important process. Our IT auditors (REs) have years of experience with SOC 2 audits at IT service organizations and know which principles are best applied in a given situation. We will therefore guide you in choosing the right principles for your SOC 2 audit.