
SOC

What is SOC reporting?

Start your journey to building trust with SOC reporting, one of the most effective ways to demonstrate the strength of your internal control environment. System and Organization Controls (SOC) reports are issued under the attestation standards developed by the American Institute of CPAs (AICPA) Auditing Standards Board, currently SSAE 18. By obtaining a SOC attestation, you give customers independent assurance that your organisation’s information security controls are designed and operating to address the threats posed by today’s digital and technology landscape.

Our team of professionals evaluates the risk areas defined by the AICPA and focuses on the key control criteria, including internal control over financial reporting (ICFR), enterprise governance, data management, network protection, endpoint security, change management and system monitoring, reflecting our constant dedication to finding any discrepancies in the control environment.

These reports, your trustworthy companions, not only highlight the organisation’s dedication to excellence but also bolster its credibility in a competitive landscape.

How does HITRUST CSF work?

The HITRUST CSF combines relevant control requirements across 19 domains, drawn from roughly 1,900 requirement statements at various implementation levels defined in the CSF reference library, into a single comprehensive set of measures. After subscribing to the HITRUST CSF, an organisation selects its preferred assessment type and defines its targeted risk areas. This produces a tailored assessment object, and HITRUST retrieves the requirement statements (controls) that apply to that object. The entity is then assessed against these controls to achieve HITRUST CSF Certification. The certification signifies a commitment to the highest standards of information protection, instils confidence in stakeholders and demonstrates a proactive approach to cybersecurity.

Evolution of SOC

[Figure: Evolution of SOC reporting]

SOC 1 vs SOC 2 vs SOC 3

Focus
  • SOC 1: Internal Control over Financial Reporting (ICFR).
  • SOC 2: Controls based on Security, Availability, Processing Integrity, Confidentiality & Privacy.
  • SOC 3: Same as SOC 2 (sought after completing a SOC 2 audit).

Controls & Standards
  • SOC 1: Transaction processing and security controls, examined against SSAE 18 & ISAE 3402.
  • SOC 2: The five Trust Services Criteria prescribed by the AICPA (Security, Availability, Processing Integrity, Confidentiality & Privacy), examined against SSAE 18 & ISAE 3000.
  • SOC 3: A summary of the results of the SOC 2 examination.

End Users
  • SOC 1: Management, customers & their auditors.
  • SOC 2: Management, customers & their auditors, after executing an NDA.
  • SOC 3: General public.

Types
  • SOC 1: Type 1 (controls assessed at a point in time) or Type 2 (controls assessed over a period).
  • SOC 2: Type 1 (controls assessed at a point in time) or Type 2 (controls assessed over a period).
  • SOC 3: Only available as Type 2.

Applies To
  • SOC 1: Service organisations that store and process customer financial data critical to the customers’ financial statements.
  • SOC 2: Service organisations that handle sensitive information unrelated to financial reporting.
  • SOC 3: Meant for marketing purposes; used as collateral by a service organisation to show compliance with SOC 2.

Examples
  • SOC 1: Mainly financial software and services, e.g. payroll processors, medical claim processors, loan servicing companies.
  • SOC 2: Cloud service providers, third-party SaaS, healthcare service providers, B2B vendors, etc.
  • SOC 3: An organisation may obtain a summarised SOC 2 result with no organisation-specific critical information in the SOC 3 report and display it on its website.

SOC 2 Readiness and Attaining Attestation

Achieving SOC 2 attestation for the first time can be overwhelming. We can help you identify gaps and prepare you to obtain your SOC 2 Type 1 report at a faster pace. Note that SOC 2 is an attestation report issued by an independent CPA firm, not a certification.

Service Design

[Figure: Service design for SOC 2 readiness]

About the AICPA’s Trust Services Criteria


SECURITY

(Common Criteria)

Controls in this category are designed to prevent or detect unauthorised access to, and removal, alteration, misuse or disclosure of, data. Security is the common criteria that every SOC 2 report must include; the remaining four categories are included only if they are in scope for the service.


AVAILABILITY

Controls that address the availability of systems and data, ensuring that the committed operational uptime and performance standards are met.


PROCESSING INTEGRITY

Controls that ensure the complete, accurate, timely and authorised processing of data, evaluated by examining the data flows and processes.


CONFIDENTIALITY

Controls that ensure the organisation protects confidential and business-sensitive information from unauthorised access and disclosure.


PRIVACY

These controls apply particularly to organisations handling PII (Personally Identifiable Information) and cover how personal information is collected, used, retained, disclosed and disposed of, protecting it from unauthorised access and disclosure.

Why us?

  • Our dedicated team is adept at performing complex IT audits in a cost-efficient manner.
  • We critically examine your systems and draw a clear picture of the existing security environment.
  • We support the end-to-end audit process to overcome resource scarcity for our clients.
  • We quickly adapt to the audit support applications our clients use to document audit procedures and findings.
  • We deliver actionable recommendations and remediation plans to enhance our clients’ processes.