SOC 2 consultants

SOC: System and Organisation Controls

AvISO specialises in helping you produce a compliant SOC 2 report, across Kent, the South East, London and UK-wide.


in brief

SOC stands for ‘System and Organisation Controls’. The SOC 2 framework applies to any service organisation that stores customer data and wishes to convey assurance about how that data is handled. Its primary objective is to ensure the safety and privacy of your customers’ data. SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA), which defined its principles for managing customer data around five “trust service principles”:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy
A SOC 2 examination report gives your clients the detailed information and assurance they need about the safety and privacy of their data when they use your services. Unlike other standards, SOC 2 reports are unique to each organisation and are broken down into Type I and Type II.

  • Type I - assessment of the effectiveness of controls at a point in time
  • Type II - assessment of the effectiveness of controls over a period (typically nine months)

Outside auditors issue SOC 2 certification. They assess the extent to which an organisation has complied with one or more of the five trust principles, based on the systems and processes in place.

why work with AvISO

  • AvISO has a 100% success rate in achieving UKAS-accredited certification to ISO 27001:2013 for our clients
  • AvISO has experience with a wide selection of ISO standards, including ISO 27001:2013, so can offer tried and tested advice on their implementation and integration
  • We are recommended by all the major Certification Bodies for ISO 27001:2013 consultancy
  • AvISO has built an excellent relationship with Cranfield University
  • Our exceptional in-house team of ISO 27001:2013 consultants, working closely with a rigorously selected group of technical experts, ensures you receive the best possible service whatever your project

What is SOC 2?

SOC 2 is a set of standards established by the American Institute of Certified Public Accountants (AICPA) for evaluating and reporting on the internal controls of a service organisation related to security, availability, processing integrity, confidentiality, and privacy.

It is commonly used by organisations that provide cloud-based or other outsourced IT services. The goal of SOC 2 is to provide assurance to customers and stakeholders that the service organisation has appropriate controls in place to protect sensitive data and maintain the availability and integrity of its systems.

What are the different types of SOC 2?

SOC 2 Type 1

SOC 2 Type 1 is a report on the design and implementation of controls at a service organisation relevant to security, availability, processing integrity, confidentiality, or privacy. It is an examination report that provides assurance about the design and implementation of the service organisation's controls at a specific point in time.

The examination is performed by an independent auditor who is a member of the AICPA and is conducted in accordance with the AICPA's SOC 2 standard. The SOC 2 Type 1 report includes the auditor's opinion on the design and implementation of the controls. However, it does not include testing of the operating effectiveness of the controls over a period of time. This type of report is intended to provide customers and stakeholders with an independent assessment of the service organisation's controls as they existed at a specific point in time, which can help them make informed decisions about using the service organisation's services.

SOC 2 Type 2

A SOC 2 Type 2 report is an examination report that provides assurance about the effectiveness of a service organisation's controls over a period, typically six months. It is a report on the controls at a service organisation relevant to security, availability, processing integrity, confidentiality, and/or privacy.

The examination is performed by an independent auditor who is a member of the AICPA and is conducted in accordance with the AICPA's SOC 2 standard. A SOC 2 Type 2 report includes the auditor's opinion on the design and implementation of the controls and testing of the operating effectiveness over time. The report is intended to provide customers and stakeholders with an independent assessment of the service organisation's controls, which can help them make informed decisions about using the service organisation's services.

SOC 2 Type 2+ (SOC 2+)

SOC 2+ is a term that is sometimes used to refer to an enhanced version of the SOC 2 report that includes additional assurance on the service organisation's compliance with other relevant regulations or standards, such as HIPAA, PCI-DSS or ISO 27001.

A SOC 2+ report is an examination report that provides assurance about the effectiveness of a service organisation's controls over a period, typically six months. In addition to the SOC 2 criteria, it covers the additional compliance requirements as well.

The SOC 2+ report is intended to provide customers and stakeholders with an independent assessment of the service organisation's controls, which can help them make informed decisions about using the service organisation's services. It is important to note that SOC 2+ is not an official AICPA term; it’s a term that some service providers use to indicate they have met multiple compliance standards.

Summary of the different SOC 2 types

SOC 2 Type 1 reports on the design of controls, while SOC 2 Type 2 reports on the operating effectiveness of those controls. SOC 2 Type 1 is usually not accepted by business partners; therefore, for an organisation, the goal is to achieve SOC 2 Type 2.

SOC 2+ is a version of the SOC 2 report that includes additional assurance on the service organisation’s compliance with other relevant regulations or standards, such as HIPAA, PCI-DSS or ISO 27001. In effect, it reflects an integrated management system covering several frameworks at once.

Why AvISO?

Tailored Approach

At AvISO Consultancy, we tailor our SOC 2 services to meet your organisation's unique needs. From readiness assessments to detailed gap analyses, we ensure your compliance journey is both efficient and effective. Leveraging extensive expertise in information security, we offer personalised remediation support, guiding you through every step to achieve SOC 2 certification. Our flexible solutions adapt to your specific operational requirements, providing you with practical, actionable advice to maintain continuous compliance and protect your critical assets.

information guides

What is an independent service auditor's report in SOC 2?

An independent service auditor's report is a report prepared by an independent auditor that provides assurance about the design, implementation and operating effectiveness of controls at a service organisation relevant to security, availability, processing integrity, confidentiality, and/or privacy. The report is intended for customers and stakeholders of the service organisation who are looking for assurance about the service organisation's controls and how they protect sensitive data and maintain the availability and integrity of its systems.

The independent service auditor's report in SOC 2 is a key part of the SOC 2 examination process. The independent auditor is a member of the AICPA, and the examination is conducted in accordance with the AICPA's SOC 2 standard. The auditor examines the service organisation's controls and procedures and then issues an opinion on whether the controls are suitably designed and implemented or whether they are operating effectively over time. The report includes the auditor's opinion and a description of the service organisation's controls and test results.

What is Management's Assertion in SOC 2?

In a SOC 2 report, Management's Assertion is a statement made by the service organisation’s management that acknowledges their responsibility for the design and implementation of the controls over the security, availability, processing integrity, confidentiality, and privacy of the system and the data it processes. The management's assertion is included in the SOC 2 report, and it is one of the key elements that provide assurance to the customers and stakeholders of the service organisation.

The management's assertion includes a statement of management's responsibility for the design and implementation of the controls, a description of the service organisation's control environment, and a statement of management's belief about the effectiveness of the controls. The management's assertion is an important part of the SOC 2 examination process as it represents the service organisation's commitment to maintaining appropriate controls and protecting the sensitive data it processes.

The independent service auditor assesses the management's assertion and evaluates whether the controls are suitably designed and implemented (Type 1) or operating effectively over a period of time (Type 2) before issuing an opinion in the SOC 2 report.

The independent service auditor's report is intended to provide customers and stakeholders with an independent assessment of the service organisation's controls, which can help them make informed decisions about using the service organisation's services.

What is System Description in SOC 2?

In a SOC 2 report, the System Description is a document that provides a detailed description of the service organisation's system, including the infrastructure, network, software and applications, data, and other relevant information. The system description is an important part of the SOC 2 examination process as it provides a clear understanding of the service organisation's system and the controls that are in place to protect the security, availability, processing integrity, confidentiality, and privacy of the system and the data it processes.

The system description typically includes information such as:

  • A detailed description of the system's infrastructure and network architecture
  • A description of the software and applications used to support the system
  • Information about the data that is processed, including data types, data flows, and data storage
  • A description of the security controls that are in place to protect the system and data
  • Information about the availability and disaster recovery controls
  • Details about the access controls and user management
  • Details about the incident management and monitoring process

What are Trust Services Criteria and Related Controls in SOC 2?

In a SOC 2 report, Trust Services Criteria (TSC) and Related Controls are the standards and controls that the service organisation must meet to provide assurance about the security, availability, processing integrity, confidentiality, and privacy of its system and the data it processes. The TSCs are the core set of requirements that the service organisation must meet to pass a SOC 2 examination.

How many control areas are there in SOC 2?

SOC 2 reports are based on the AICPA's SOC 2 standard, which consists of five Trust Services Criteria (TSC) categories:

  • Security: The controls that protect the information system's confidentiality, integrity and availability and the data it processes.
  • Availability: The controls that ensure the system and data are available for use as committed or agreed.
  • Processing Integrity: The controls that ensure the system processes data in a complete, accurate, timely and authorised manner.
  • Confidentiality: The controls that protect non-public information from unauthorised access or disclosure.
  • Privacy: The controls that protect the collection, use, retention, disclosure, and disposal of personal information consistent with applicable laws and regulations.

Each category is divided into several objectives and controls, and the service organisation is required to provide a detailed description of its controls, procedures, and test results to the auditor. The auditor then evaluates the controls and issues an opinion on whether they are suitably designed and implemented to meet the criteria.

What are the best resources to learn about SOC 2?

There are several resources available for learning about SOC 2, including:

  • AICPA SOC 2 webpage: The American Institute of Certified Public Accountants (AICPA) provides a wealth of information about SOC 2 on its website, including the SOC 2 standard, guidance on performing a SOC 2 examination, and frequently asked questions.
  • SOC 2 standard: The SOC 2 standard, officially known as "AT-C 205 - SOC for Service Organisations: Trust Services Criteria", is the set of standards that service organisations must meet in order to pass a SOC 2 examination.
  • SOC 2 books and guides: Several books and guides are available that provide an overview of SOC 2 and explain the requirements in detail.
  • SOC 2 blogs and articles: There are a number of blogs and articles available that provide information and insights about SOC 2, including best practices, common challenges, and case studies.
  • SOC 2 training and certification: Some organisations offer SOC 2 training and certification programmes that can help individuals and organisations understand and implement SOC 2.
  • SOC 2 auditing firms: Some organisations provide SOC 2 auditing services; these firms can provide guidance and consultancy on SOC 2 implementation and compliance.