If you work with any third parties to support the delivery of your service that are responsible for your information security controls (either fully or partially), these third parties will be termed a ‘subservice organisation’ in a SOC 2 context and will need to be identified within your SOC 2 report. The report will also need to identify the SOC 2 criteria and the information security controls they are responsible for, and how it fulfils your requirements for those controls.
Here, the ideal scenario is for your subservice organisations to have their own SOC 2 report, as this can be used as evidence. However, if the subservice organisation does not have a SOC 2 report but does have an ISO 27001 certification, for example, you can utilise information relating to this certification and the controls they have in place to maintain it.
On our path of growing our business, we have found in URM a very capable and knowledgeable consultancy firm to guide and structure our processes towards SOC 2 compliance. The consultancy by URM played an essential role in building our competences and expanding the compliance framework for our SaaS based propositions.
Scientific data platform
All you need to meet SOC 2 requirements
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.
Find out more
related BLog
Preparing for a Successful SOC 2 Audit
Published on
17 Oct
2025
URM’s blog offers key advice on what to expect from your SOC 2 audit in practice, the types of evidence you will need to provide, how best to prepare, and more.
Read more
Information Security
Published on
29/8/2025
SOC 2 ExplainedURM’s blog answers key questions about SOC 2, including what it is & who it applies to, why it is beneficial, how SOC 2 reports are structured & more.
Read more
"
We would like to pass on our gratitude to our consultant for all his hard work and advice during our 3-year re-certification and assessment against the new Standard. After seven days of auditing, we have two OFIs that the assessors have put forward from the audits. This pays testament to our URM consultant, his hard work, eye for detail and advice given, both during the audits and during all the works beforehand.
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.