The Security principle (also called the Common Criteria) of the AICPA Trust Services Criteria must be included in every SOC 2 report; the remaining four principles are optional and are added to the scope at the entity's discretion.
- Common Criteria/Security – The system is protected, both physically and logically, against unauthorized access
- Availability – The system is available for operation and use as committed to or agreed
- Confidentiality – Information designated as confidential is protected as committed to or agreed
- Processing Integrity – System processing is complete, accurate, timely, and authorized
- Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in GAPP (Generally Accepted Privacy Principles).
Two types of SOC 2 reports exist:
- Type I: Tests the design (and implementation) of controls as of a specified date, i.e. a point in time.
- Type II: Tests both the design and the operating effectiveness of controls over a review period (typically three to twelve months).
What Does Elevate Think?
Clients often describe Type I as the policy documentation phase and Type II as the testing phase. That shorthand is roughly right, but Type I is more than a document review: the auditor assesses the design and implementation of controls, which requires audit artifacts beyond policies and procedures (e.g. a risk assessment, penetration test results, and "sample of one" evidence that each control has actually been put in place). Elevate helps you navigate the difference and determine the best approach to achieving compliance.