Service and Organization Controls report
Whether under American Institute of CPAs (AICPA) SSAE18, UK’s ISAE3000, or NZ’s SAE3150, a Service and Organization Controls (SOC) assurance report provides your customers insight into your organisation and assurance on the controls of your organisation. A SOC report can cover several control areas, ranging from governance, communication and risk management to technical security and privacy controls.
When do you need a SOC report?
If you offer, for example, your services through your SaaS or IaaS cloud platform to your customers. As a service provider, your customers might require you to have a SOC report to have confidence and assurance in your controls to protect their data. In most cases, these customers are in the USA or have ties with the USA and sometimes the UK. Another reason you might want to pursue a SOC assurance statement is to attract more customers from the USA or UK. A SOC report, based on SAE 3402 or SSAE 16, is a powerful marketing instrument to attract the attention of customers, especially from these countries.
SOC 1,2 or 3 model?
Depending on the needs of your customers you can choose to pursue a SOC 1,2 or 3 assurance report. Note that SOC 3 is just a stripped public version of SOC1 or SOC2 that you can obtain after getting a SOC1 or SOC2 assurance report.
| Purpose of SOC report | Which controls are covered in your report | |
|---|---|---|
| SOC1 | Assurance for your customers financial statements | Controls relevant to your customers financial reporting |
| SOC2 | Assurance to customers or other stakeholders on Security, Confidentiality, Processing integrity, Availability and/or Privacy | Controls on Security, Confidentiality, Processing integrity, Availability and/or Privacy |
| SOC3 | To provide potential customers and the public assurance on your controls | General information on Security, Confidentiality, Processing integrity, Availability and/or Privacy |
| Report on | Testing | |
|---|---|---|
| Type 1 | Description of organisation’s systems and control objectives The auditor’s opinion on the fairness of that description The auditor’s opinion on the design of controls to achieve the control objectives | At a specific point in time |
| Type 2 | Description of organisation’s systems and control objectives The auditor’s opinion on the fairness of that description The auditor’s opinion on the design of controls to achieve the control objectives The auditor’s opinion on the operating effectiveness of the implemented controls to achieve the control objectives | Over a period, usually 6 months |
Type 1 or 2?
Besides the above-mentioned SOC models, there are two levels of assurance you can choose from for each of the models.
Method
Achieving a SOC assurance statement might seem to be an expensive and daunting process. But it really doesn’t have to be. We have developed an efficient method to help you achieve your SOC aspirations or obligations.
Duration and cost
Based on our experience, you should be ready in 4 months for the auditors to perform the assurance audit. This can be shorter if you are already compliant with another security standard such as ISO27001, PCI or NIST. The readiness project will cost you just a fraction of what most other providers ask, given our templates and efficient approach to the SOC implementation.
Next Steps
We provide you a free consultation to explain what SOC means to you, whether it is the best choice for your business and how that relates to your other certifications or compliance obligations. Contact us here for a free consultation.
Contact us