A customer recently tweeted asking us, “What is SOC 2 and what makes it better?”
SOC 2 in 140 characters:
SOC 2 assures clients we use systems to protect their data. It audits security, availability, process integrity, privacy, and confidentiality.
The longer version:
SAS70 was designed to audit controls, whereas SSAE was designed to attest to the validity of systems' fitness for a particular purpose. The differences are more obvious at the associated SSAE SOC level. SOC 1 is primarily designed to review financial reporting systems. SSAE SOC 2 covers operational control systems, following the predefined Trust Services Principles and Criteria around security, availability, process integrity, privacy and confidentiality. SOC 3 documents state whether a service organization's systems met the SOC 2 criteria, but do not describe the tests or the results achieved.
Our SSAE SOC 2 reporting assures our customers that we have adequate control systems in place to safeguard their data and information.
For more information on the transition, plus how this reporting strengthens our managed services, visit our auditing standards page.