Skip to the content

SOC 2 data security

More and more companies use IT service organizations for automated data processing. In view of the increasing importance of information security, more and more companies are forming such assurance organizations as assurance questions. This creates a growing need for a reporting format specifically for IT service organizations.

SOC 2 compliant

A SOC2 report is intended for IT service organizations that account for the collection, processing and transmission of third party personal information. SOC2 is a derivative of the American variant prepared by AICPA (the US accountancy organization), which requires the name of the Service Organization Control Report in the Netherlands.

Customers of service organizations can assess the governance of the service organization using a SOC2 report. In addition, an SOC2 reporting is a quality stamp for the organization.

SOC2 report

A SOC2 report reports on the following quality aspects:

  • Security: The system is protected against unauthorized access, use or customization.
  • Availability: The system is available for use as indicated by the service organization or as agreed.
  • Process integrity: The processes in the system are complete, valid, accurate, timely and authorized.
  • Confidentiality: The information is confidential as agreed.
  • Privacy: The collection, use, storage, and disclosure and destruction of personal information is in accordance with the user's privacy policy and other criteria.

Adequate control measures

With an SOC2 report, an IT service organization can demonstrate that it has implemented adequate internal control measures, complies with all guidelines and is therefore capable and reliable.

An SOC2 report describes in detail which directives are met. It is clear to the customer which systems and processes comply with the SOC2 guidelines. This allows a customer to fully support this mark.

Components SOC2 reporting

An SOC2 report consists of the following components:

  • Section I: Registration of Management
  • Section II: Independent Auditor Assurance Report
  • Section III: Description of the system by the service organization
  • Section IV: Principles and criteria applied and the test performed by the auditor including the outcome thereof (optional for a Type I report)
  • Section V: Other information provided by the service organization that has not been audited by the auditor (optional)


Do you have a question? Get in touch with one of our IT audit professionals. We are pleased to help you.