
SOC 2

An organisation that outsources processes wants to entrust its valuable (confidential) data to a reliable service organisation. From the digital service provider's perspective, it is therefore important to be able to demonstrate that customers can trust the services offered. Demonstrating this is also increasingly a legal requirement under legislation such as the Network and Information Security 2 (NIS2) directive, the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA).

A SOC 2 assurance report can help demonstrate compliance: it provides insight into the service delivery of a digital service provider through the opinion of an independent expert, assessed against the internationally recognised Trust Services Criteria (TSC) issued by the American Institute of Certified Public Accountants (AICPA).

What is a SOC 2 and how does it differ from an ISAE 3402?

A SOC 2 assurance report and an ISAE 3402 assurance report both provide insight, through an independent auditor, into how the security controls and risks associated with outsourced services are managed. Both are assurance reports that provide insight into the effectiveness of the organisation's control measures aimed at mitigating the risks that customers incur by outsourcing services and data. However, there are also differences.


  • In a SOC 2 audit, the control objectives of the assessment framework are largely fixed (by selecting the applicable trust services criteria), and the control measures are derived from the points of focus. In other words, a SOC 2 statement must use the AICPA trust services criteria and define control measures that meet these criteria. The control measures themselves can be chosen, but they need to take the points of focus into consideration.
  • An ISAE 3402 statement is different: in this assurance statement, the auditor and auditee determine together which control objectives will be established and which control measures will be defined to meet them. In other words, the assessment framework as a whole needs to be defined, taking into account the clients' risks. An ISAE 3402 statement also has a link to the financial statements of the clients of the outsourced services.
  • ISAE 3000 is the international standard for assurance on information security and other non-financial information, applied in accordance with NOREA's guideline 3000A, for testing the outsourced internal processes of digital service providers. A SOC 2 audit is performed under this standard.

Contact us

Do you have questions about a SOC 2 statement, or have your customers asked for an assurance statement? Or would you like to discuss the possibilities of improving the control of your own processes? We would be happy to exchange thoughts with you about the various possibilities.

Target audience SOC 2 assurance report

A SOC 2 is particularly suitable for organisations offering services such as:

  • Digital data processing via a Software as a Service (SaaS) model
  • Providing IT services such as managed hosting, data centre facilities or other supporting cloud services.

For a customer of an IT service provider, a SOC 2 statement is invaluable. The assurance statement provides insight into the level of risk management for the services outsourced to the IT service provider, and thus into how effectively risks are managed through security controls across the IT chain. This insight is also required by legislation such as DORA and NIS2.


The process of a SOC 2 assurance audit

The process of a SOC 2 assurance audit starts with the assessment framework: which control objectives, in addition to the core objectives, are relevant? The service organisation determines (together with the auditor) which additional control objectives and control measures apply to your organisation and provide sufficient confidence to your customers. This is done through the following steps:

  • Determining the scope of the service: based on the service offered, the service provider determines which control objectives and controls are relevant and which are not.
  • Establishing and reviewing the system description: in this description, the service provider explains the processes that ensure the service is secure and delivered as promised to its customers.
  • Evidence list: preparing a list of the evidence to be used for each security measure, so that the audit can be conducted effectively with minimal impact on daily operations.
  • Audit work: conducting interviews and reviewing documents, system settings, logs, etc. to assess the design, existence and operation of the controls. In doing so, we validate the extent to which the service provider complies with its own control measures.
  • Report and final follow-up: after the audit work, we prepare a draft report in which we record the findings and our opinion. We then discuss the report with you so that you have insight into what is to come.
  • Internal quality control: naturally, we follow NOREA's quality guidelines and directives. We ensure quality through a file review by an impartial reviewer who is not part of the audit team. This review ensures that the audit report meets all NOREA requirements.
