SOC 2 Type 1 and SOC 2 Type 2
How does it work?
Step #2 You document your business processes with our help.
Step #3 We take the examination audit for you.
20+ years in companies like yours across hundreds of implementations and audits. We have your back. Proven documents and processes honed over decades of continual improvement and external audit. We help you define the SOC trust services or general IT controls.
You have some work to do
Don’t get me wrong, you have work to do. Some business processes you may have, some you may not have, and some may need improving. We know what’s needed and will help you, but be prepared: you have work to do on your business processes.
If you are considering a SOC 2 certification then chances are your clients are asking for it. It isn’t actually a certification. It is a detailed audit report, used between companies that have a relationship to demonstrate the controls that are in place and their effectiveness. This is not a public document. Your first consideration will be a time based question: are you being asked for a SOC 2 Type 1 or a SOC 2 Type 2? A SOC 2 Type 1 is a point in time audit. A SOC 2 Type 2 is a continuous audit and significantly more difficult, with a significantly higher burden on you as an organisation. Whichever type you are going for, we have it covered.
We would strongly urge any approach to SOC 2 to be founded on an ISO 27001 implementation. It doesn’t have to be, but it will make life a lot easier. We see on average 80% of the requirements of SOC 2 covered in ISO 27001.
Each audit body has a slightly different approach. This is usually in the tools they use. What you can rest assured of is that they will work with you to define the controls and trust criteria. It is not in their interest for you to fail from the outset. After all, this is a very expensive undertaking.
The one thing we would say is, do not worry.
SOC 2 FAQ
A type 1 audit is a point in time audit. This audit takes place at a certain time and to all intents and purposes the test of the controls covers the time the audit takes place. A type 1 audit is the most cost effective of the two types and the easiest to achieve.
A type 2 audit is a continuous audit. What this means is that you define a time period over which you want to provide assurance of controls. This is typically 12 months, but if this is your first time through then 6 months is typical and 3 months is possible. The auditor can seek evidence of controls from any point in time. As a result the administrative burden is clearly higher. You have to be on top of your game for all of your controls, every day.
No, not really. It is not a certification. It is an audit report. A detailed audit report that includes warts and all. It is not a public facing document. It is a document you share with trusted third parties you are engaged with to demonstrate the controls you have and their effectiveness.
It doesn’t exist. You cannot certify to SOC 2. It is a detailed audit report. The report includes a lot of details about your organisation. It includes audit findings.
We are your data security officer
Need us on demand? As your data security officer we run it month in, month out. You are in safe hands for the road ahead. Spend time on what is important to you, nurturing and growing your business. Let us take care of data security. See what is involved.