Book FREE Consultation

URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.

What Is
SOC 2?
A Guide to SOC Compliance & Certification

What is SOC 2?

SOC 2 is a framework used to help organisations manage data securely.  The framework focuses on adhering to specific criteria in order to securely handle data, helping protect the interests of your organisation as well as your client’s privacy.

SOC 2 compliance is crucial for organisations that process sensitive data, providing reassurance to their clients and partners that their data is being handled securely and professionally.  Unlike other information security standards such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001, you do not obtain certification against SOC 2.  Instead, the primary output of a SOC 2 audit is a SOC 2 report, which can then be passed on to any entities that have requested you achieve SOC 2.

The Trust Principles of SOC 2

Security

Required for all SOC 2 reports, security is central to the purpose of SOC 2. The objective of this principle is ensuring that systems and information are safeguarded against unauthorised access, unauthorised disclosure or theft of information, and system destruction or damage.

Availability

The availability principle dictates that you implement controls which ensure your systems and data remain available and accessible to authorised users.

Processing Integrity

The processing integrity principle is aimed at ensuring the information you process is complete, accurate, valid, timely, and authorised.

Confidentiality

Under the confidentiality principle, you will need to identify what information should be defined as ‘confidential’, implement controls to protect this information, and also dispose of it when it is no longer required.

Privacy

The focus of the privacy principle is personal information and how your organisation processes it.  It is aimed at ensuring the security of personal information is protected.

Enquire Now to Start your Journey Towards SOC 2 Compliance

URM has a 19 year track record of providing high quality consultancy and training support, assisting organisations improve their information security (IS) and information governance posture and capabilities.  A particular niche skill is helping organisations to conform or certify to ‘best practice’ international (IS) standards such as SOC 2 and ISO 27001.

Get in touch with our information security experts today to find out more.

Contact Us

SOC 2 Gap Analysis

The initial step on your organisation’s journey in gaining a successful SOC 2 report is for an independent consultant, such as URM, to carry out an SOC 2 gap analysis. This will allow you to identify any discrepancies between your organisation’s current information security measures, and the SOC 2 trust services.

Starting with a project planning and scoping workshop, our consultants will help you clarify and determine the most appropriate scope for the audit, and identify which of the SOC 2 criteria and controls you will be assessed against.  Once we have established which SOC 2 criteria and controls are relevant and applicable, URM will work with you to assess the selected controls against the SOC 2 requirements.

SOC 2 Gap Analysis Service

SOC 2 Remediation

URM’s SOC 2 remediation service is here to help you correct any issues or gaps identified in our gap analysis process.  Our experts can offer tailored advice and guidance for those seeking SOC 2 compliance.

Having conducted the gap analysis and identified the areas which need further attention to become compliant, URM can collaborate with you to address these gaps.  Depending on the specific control, the support we provide can range from offering advice and guidance on what is expected and how to achieve the requirements, to assisting with the actual development of the controls by defining and documenting these (particularly for those controls focused on governance, people and process).

SOC 2 Remediation

Training to Become SOC 2 Compliant

URM’s training courses and awareness workshops are available for those who are unsure if SOC 2 compliance is required for their organisation.  Our training and awareness workshop will also demonstrate best practices in becoming SOC 2 compliant.

SOC 2 Training and Awareness Workshop

SOC 2 Audit and Assessment

Our experts at URM can run an independent SOC 2 audit and assessment. We will analyse the controls that you have in place, generating a report stating whether or not your organisation satisfies SOC 2 requirements.  URM  is able to conduct both Type 1 and Type 2 reports.

Many organisations find significant benefit in receiving expert advice and guidance through the formal assessment process.  Leveraging our extensive SOC 2 experience (and our wealth of knowledge around information security in general), URM can support you throughout the audit.  This can include helping you to gather evidence, assisting with the presentation of control maturity, and with interpreting the auditor’s questions and expectations.

SOC 2 reports are valid for 12 months, and, as such, you will need to undergo a full SOC 2 audit on an annual basis. SOC 2 audits are extremely evidence-focused and, in that sense, are comparable to a Payment Card Industry Data Security Standard (PCI DSS) audit.  There are two types of SOC 2 audit you can undertake; Type 1 and Type 2.  A Type 1 audit is more of a ‘point in time’ audit and is aimed at assessing whether controls have been designed properly at the time of the audit.  Meanwhile, an auditor conducting a Type 2 audit will look for evidence of the effective operation of the policies and processes over a specified time period.

Find out more about SOC 2 Assessment and Auditing Services

SOC 2 Consultancy Services

If you’re looking to understand whether SOC 2 is the right approach for you, what efforts are required to comply or attest, or prepare for a SOC 2 report (be that Type 1 or Type 2), URM can provide you with a full range of services.

Get in touch with our SOC 2 experts today to find out more.

Contact Us

Why URM for SOC 2?

Track record

URM has a 19 year track record of providing high quality consultancy and training support, assisting organisations improve their information security (IS) and information governance posture and capabilities.  A particular niche skill is helping organisations to conform or certify to ‘best practice’ international (IS) standards such as SOC 2 and ISO 27001.  URM is particularly adept at developing existing frameworks to meet the requirements of these standards or building on existing ISO 27001 ISMS’ to achieve SOC 2 conformance.  Having assisted over 400 organisations to achieve world recognised standards, URM has worked with organisations of all sizes from micro businesses to multi-national organisations and from all the major market sectors.

Tailored approach

URM is renowned for adopting a highly tailored and bespoke service where its consultants are constantly striving to deliver sustainable solutions that meet both the current and future needs of the client organisation.

Flexible delivery

When transferring knowledge on meeting the requirements of SOC 2, URM can deliver this through various delivery mechanisms, i.e., through one-to-one support, workshops or training courses.  Furthermore, when delivering remediation services to address gaps,  URM’s support is tailored and flexible, based on the client’s requirements, internal knowledge and available resources.  Support can be delivered on an activity-per-activity basis or where a consultant is allocated on a recurring basis, e.g., 1 day a week. Such an engagement helps to ensure that remediation activities are followed through, remain compliant and that sufficient evidence for the audit is generated.

SOC 2 Consultancy Services

Webinars & Events

URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations  looking to improve their information security, risk management, data protection etc. The webinars  are delivered by our senior consultants who share hints and tips on topics such as certifying to ISO 27001, SOC 2 and Cyber Essentials, complying with the GDPR.  All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.

WebinarISO 27001 vs SOC 2

In this webinar, URM will be sharing its extensive experiences of supporting organisations to certify/attest to these two standards.

Read more
Listen to recording
USB stick, Padlock, Keys

SOC 2 FAQs

Does SOC 2 have any sister standards?

Yes, there are a number of SOC reporting standards, but the 3 main standards are SOC 1, SOC 2 and SOC 3.  SOC 1 is for organisations which are supplying services that could impact the financial reporting controls of their customers (e.g., payroll service providers).  SOC 3 is a ‘slimmed down’ version of a SOC 2 report.  It is a public report that can be included on your website, largely covering the same areas as SOC 2.

How long does it take to implement SOC 2?

This will depend on your organisation’s maturity at the start of the implementation process, and on whether you already have any other information security certifications.  If you are ‘starting from scratch’, it is likely to take around 9-12 months from the beginning of your compliance project to receive your report.  However, if you are already certified to ISO 27001, for example, you may be able to complete the process faster than this.

Who carries out SOC 2 audits?

SOC 2 audits can only be conducted by accountants who have been accredited by the American Institute of Certified Public Accountants (AICPA), the organisation that developed SOC 2.

Information Security FAQ

Speak to a SOC 2 Expert

If you’re looking to understand whether SOC 2 is the right standard for you, what efforts are required to comply or attest, or prepare for a SOC 2 report (be that Type 1 or Type 2), URM can provide you with a full range of services.

Speak to one of our experts for more information on how we can help you. Simply call 0118 206 5410 or request a call back using the form below.

ISO 27001 vs SOC 2 - Part 3

Published on
10/7/2023

3rd part of question and answer session where URM compared and contrasted 2 of the world’s leading information security standards, ISO 27001 and SOC 2.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
3/7/2023
ISO 27001 vs SOC 2 - Part 2

2nd part of question and answer session where URM compared and contrasted 2 of the world’s leading information security standards, ISO 27001 and SOC 2.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
21/6/2023
ISO 27001 vs SOC 2 - Part 1

URM delivered a question and answer session where it compared and contrasted 2 of the world’s leading information security standards, ISO 27001 and SOC 2.

Read more
"
Without URM, Havas People would not of achieved its certification goals.
Director, Havas People