What is SOC Compliance?
The Service and Organization Controls (SOC) 2 and SOC 3 reports are based on the AICPA's Trust Services Criteria (TSC) and are used to address reporting concerns around internal corporate governance, risk and compliance processes. The TSC cover five areas: Security, Availability, Processing Integrity, Confidentiality and Privacy. Each criterion has corresponding points of focus, all of which must be met for the overall criterion to receive an unqualified opinion. Because the criteria are pre-defined, businesses can readily determine what is required of them to be compliant.
The Service Organization Control reports are widely used by publicly traded organizations in the US and Canada to assess the security controls implemented both internally and by their service providers.
Having a SOC report is practically a requirement for IT managed-service companies, and failure to maintain consistent compliance throughout the year can be particularly damaging. SOC assessments are generally conducted over a rolling 12-month period, during which evidence of continual compliance must be presented to avoid the embarrassment and potential loss of revenue associated with security exceptions being placed in your report.
Complyify helps you discover whether a SOC report can help your business, what the scope of your compliance obligations would be, and how to track the success of your security controls throughout the year. Complyify can also help with other regulatory requirements, including PCI compliance.