What Is
SOC 2?
A Guide to SOC Compliance & Certification

SOC 2 is a framework used to help organisations manage data securely.  The framework focuses on adhering to specific criteria in order to securely handle data, helping protect the interests of your organisation as well as your client’s privacy.

SOC 2 compliance is crucial for organisations that process sensitive data, providing reassurance to their clients and partners that their data is being handled securely and professionally.  Unlike other information security standards such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001, you do not obtain certification against SOC 2.  Instead, the primary output of a SOC 2 audit is a SOC 2 report, which can then be passed on to any entities that have requested you achieve SOC 2.

The initial step on your organisation’s journey in gaining a successful SOC 2 report is for an independent consultant, such as URM, to carry out an SOC 2 gap analysis. This will allow you to identify any discrepancies between your organisation’s current information security measures, and the SOC 2 trust services.

Starting with a project planning and scoping workshop, our consultants will help you clarify and determine the most appropriate scope for the audit, and identify which of the SOC 2 criteria and controls you will be assessed against.  Once we have established which SOC 2 criteria and controls are relevant and applicable, URM will work with you to assess the selected controls against the SOC 2 requirements.

URM’s SOC 2 remediation service is here to help you correct any issues or gaps identified in our gap analysis process.  Our experts can offer tailored advice and guidance for those seeking SOC 2 compliance.

Having conducted the gap analysis and identified the areas which need further attention to become compliant, URM can collaborate with you to address these gaps.  Depending on the specific control, the support we provide can range from offering advice and guidance on what is expected and how to achieve the requirements, to assisting with the actual development of the controls by defining and documenting these (particularly for those controls focused on governance, people and process).

Our experts at URM can run an independent SOC 2 audit and assessment. We will analyse the controls that you have in place, generating a report stating whether or not your organisation satisfies SOC 2 requirements.  URM  is able to conduct both Type 1 and Type 2 reports.

Many organisations find significant benefit in receiving expert advice and guidance through the formal assessment process.  Leveraging our extensive SOC 2 experience (and our wealth of knowledge around information security in general), URM can support you throughout the audit.  This can include helping you to gather evidence, assisting with the presentation of control maturity, and with interpreting the auditor’s questions and expectations.

SOC 2 reports are valid for 12 months, and, as such, you will need to undergo a full SOC 2 audit on an annual basis. SOC 2 audits are extremely evidence-focused and, in that sense, are comparable to a Payment Card Industry Data Security Standard (PCI DSS) audit.  There are two types of SOC 2 audit you can undertake; Type 1 and Type 2.  A Type 1 audit is more of a ‘point in time’ audit and is aimed at assessing whether controls have been designed properly at the time of the audit.  Meanwhile, an auditor conducting a Type 2 audit will look for evidence of the effective operation of the policies and processes over a specified time period.