Build trust with SOC 2 in 2024

The international standard of choice for demonstrating your commitment to Security, Availability, Processing Integrity, Confidentiality and Privacy.

SOC 2 STANDARD

Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.

You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.


THE BENEFITS

Clear reasons to act

International credibility

A globally recognised attestation report to build trust at scale

Customer comfort and trust

A detailed report addressing crucial customer due diligence questions

Minimal business disruption

Agile and flexible audits that help minimise the disruption while meeting client deadlines

Choice of goalposts

Optional criteria for availability, confidentiality, processing integrity and privacy

Multi-standard compliance

A strong starting point in meeting multiple related frameworks, standards and certifications

Recognition of partial progress

The ability to achieve a SOC 2 report with outstanding issues or process improvements

THE PROCESS

Four Steps to SOC 2

SOC 2 Readiness Assessment

We built Pillar so you can assess your compliance with 30+ global standards. Pillar is always free. It helps you get started with a tailored view of your controls and any gaps to prepare for our compliance audits for one or more frameworks.

SOC 2 Remediation Support

We guide you as you address any gaps and implement fit-for-purpose processes that align with your culture and the SOC 2 criteria. Our flexible and responsive team helps you work through it at your own pace.

SOC 2 Type 1 Audit

We conduct the Type 1 audit at your pace to help you minimise disruption and learn through the process. Our iterative reviews and feedback help you stay on track and achieve real operational benefits for your company.

SOC 2 Type 2 Audit

We conduct the Type 2 audit either at your pace within a defined timeline to suit your preference, or, increasingly, with our continuous audit practices that run the audit in the background throughout the year to minimise disruption and increase confidence in your compliance.

Get started your way.
We’re ready when you are!

FREE GUIDE

Get our comprehensive guide to SOC 2

The gold standard when it comes to earning the trust of your dream customers

We’ve prepared a free guide for leaders who think their next phase of growth will require a security and compliance focus.

Our SOC 2 Guide Includes:

5 reasons startups get accredited

2 strategies for compliance

SOC 2 vs. ISO 27001

Compliance platforms

Costs, timeline and what to expect

FAQ

Your questions answered

Is SOC 2 a certification?

No, it is an attestation report. It is commonly treated like a certification but there are three key differences:

  1. You can achieve a SOC 2 report no matter how many issues you have. These may cause exceptions or a qualification, but the report itself is still valid with those disclaimers included.
  2. Instead of a single page certificate, a SOC 2 report provides details of your compliance scope and processes in a system description. It also includes details of your controls and the auditor’s tests that validated those controls (for Type 2 reports).
  3. There is no prescribed certification period. For SOC 2 you can choose your reporting dates and periods for your selection of Type 1 and Type 2 reports, as desired to fit your customers’ expectations.

SOC 2 is often treated like a certification, with accreditation logos to highlight your status of compliance. It may also be used by large enterprise as a pass/fail of meeting their requirements, but by design it can be used more broadly for enterprise due diligence and vendor risk management.

What is the scope of a SOC 2 report?

SOC 2 follows a common industry approach when determining the scope. That is, it identifies which services, systems, data, processes and people need to be secured to protect the customers and other parties that rely on that security.

This scope is formed by starting with a focus on a specific service. That may be one or more Software-as-a-Service offerings, platform infrastructure, another function as a service, or professional services, as examples. That then cascades down to what systems are used to deliver the service(s), the data that is collected, the people that operate and support it, and the processes to manage the services in a secure manner that covers the SOC 2 Trust Services Criteria.

What are the five Trust Services Criteria categories?

All SOC 2 reports include the Common Criteria for Security. The five Trust Services Criteria categories are Security, Availability, Processing Integrity, Confidentiality and Privacy. While Security is always included, the other four categories can be added optionally.

  1. Security: included in all reports, this covers basic system and data security
  2. Availability: the reliability and resilience of your systems and services
  3. Confidentiality: how data is classified, handled, and retained in line with its level of sensitivity
  4. Processing Integrity: the objectives of your services and how those are managed to ensure complete and accurate data processing
  5. Privacy: managing personally identifiable data in line with individuals’ privacy rights

Security, Availability, and Confidentiality are commonly included to satisfy most enterprise customers’ expectations with minimal additional work on top of the Common Criteria.

Can you fail SOC 2?

Not as such. SOC 2 reports are not pass/fail. The report can be issued with any number of exceptions and qualifications. Most companies choose to delay their issuance of a SOC 2 report until it is “clean”. If you are in an annual reporting cycle with customer commitments, you may not have that flexibility, so the report may be issued with disclaimers about any identified exceptions and qualifications.

What’s required for SOC 2?

There are a few things to be aware of that SOC 2 reporting entails:

  1. There are 33 common criteria to satisfy by mapping your controls and implementing a state of compliance. Our Pillar platform maps this for you, and highlights areas to be fixed to reach compliance.
  2. The controls include documented policies, system configurations, and defined processes. Our PolicyTree solution generates your tailored set of policies that are the foundations of your compliance program.
  3. An audit is conducted to verify your compliance, which AssuranceLab performs. We have some flexibility for first time reports, especially Type 1, that lets you fix things as we work through them with you.
  4. A system description is prepared to overview your compliance scope and activities. We add your tailored controls, mapped to the criteria, and the results of the audit (Type 2); we then both sign off to issue the final report.

Can we reduce the audit work by using a compliance platform?

Yes is the short answer. Unlike ISO 27001, there are no prescribed audit days, so using automation can help auditors achieve the required level of comfort in your controls in less time. But that relies on an audit firm that’s familiar with the specific platform you’re using and that has an audit approach built for it. It also only works if the controls and scope of the audit are limited to the way the platform works. If you have customised controls or diverge from the way the platform works, it can cause additional work for the audit.

What’s the difference between SOC 1 and SOC 2?

The Service Organisation Control (“SOC”) standards, now sometimes referred to as System and Organisation Controls, have been around for decades. Their earlier use was driven by financial reporting objectives, later termed “SOC 1”. That’s where third parties would rely on IT systems or services, and that reliance would affect their financial statement audits or other financial interests, such as asset management or superannuation.

As reliance on third party services evolved with the Software-as-a-Service boom, these reports naturally evolved to being used for assurance over those third party services even if there were no direct financial objectives involved. The Trust Services Criteria were then introduced to better align to the modern needs of third parties that were reliant on the security, availability, confidentiality, processing integrity and privacy of third party services. This became “SOC 2” to differentiate from the earlier SOC 1 purpose.

What is a SOC 3 report? What’s required for SOC 3?

The name SOC 3 is misleading given what SOC 1 and SOC 2 are. SOC 3 is simply a redacted version of a SOC 2 Type 2 report that can be published or more easily shared without the confidential information included in SOC 2 reports. A CPA firm like AssuranceLab issues the SOC 3 report using the relevant information from a SOC 2 Type 2 audit, and it is usually issued alongside the SOC 2 Type 2 report.

What are Type 1 and Type 2 reports?

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the SOC 2 Trust Services Criteria.

A Type 2 report attests to your compliance by both design and operational effectiveness over a period of time, usually between 3-12 months. This shows your systems and processes have been operating consistently to satisfy the SOC 2 Trust Services Criteria.

Usually a Type 1 report is issued first to baseline compliance. This starts the process of moving into your Type 2 audit. Annual audits are the industry standard; however, the SOC 2 framework has the flexibility to choose the report dates and periods as desired, depending on your business’s goals and timelines.

OTHER STANDARDS

Earn trust with other leading standards

Blended Audits

Combine two or more compliance frameworks into a single blended audit process without duplication to scale trust, not costs and effort.

HIPAA

The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).

Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.

ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.

CSA STAR

A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.

Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.

ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.

GDPR

The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.

SOC 1 / SOX ITGC

Satisfy publicly listed customers regulated by Sarbanes Oxley and supporting financial reporting requirements.