The SOC 2 audit was developed by the American Institute of CPAs (AICPA) and is a flexible compliance framework that companies can adopt to show they are managing customer data securely. Simply put, it is a review of a company's controls relating to the protection of customer information. It comprises five trust services criteria, only one of which (Security) is required; Security is also the largest of the five.

To meet SOC 2 audit requirements you have to comply with a number of controls (points of focus). You can satisfy these controls using code, policies, or procedures. You then supply these policies and procedures to an auditor, along with documents that prove the policies and procedures are being followed. The auditor checks that your documents are aligned with the controls and provide sufficient evidence of compliance.

There are two types of SOC 2 audit, Type I and Type II. Type II reviews an extended time period (1 year). Type I is a spot audit at a single point in time. Below are the five SOC 2 points of focus.
- Security (Required) - Data and systems are protected against unauthorized access and against unauthorized disclosure of information, and those systems are protected against damage that could compromise the availability, integrity, confidentiality, or privacy that affect the entity’s ability to meet its objectives.
- Availability - Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity - System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality - Information designated as confidential is protected to meet the entity’s objectives.
- Privacy - Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.
Is there a list of policies and procedures you can pick from?
Yes. When you supply a client or business with your SOC 2 report, they will look to see whether it shows any exceptions. A report with no exceptions is a strong sign that you handle your customers' data responsibly. In many cases, companies that hold a SOC 2 report are required to request a SOC 2 report from any company they will be sharing data with. This is why working towards a SOC 2 report with little to no exceptions is advantageous for many platforms looking to sell to US corporations.
Is there a minimum number of policies and procedures you have to implement?
At a minimum, you must implement the Security points of focus. Your auditor will likely reject your report if you do not implement enough policies and procedures within the Security point of focus.
ISO 27001 is the leading international standard focused on information security. The ISO 27001 certification lifecycle refers to the process that an organization goes through to implement, maintain, and continuously improve its information security management system (ISMS) in accordance with the ISO 27001 standard.
The ISO 27001 certification lifecycle typically consists of the following stages:
- Initial Certification (Stage 1) - Evaluate the design of processes and assess the right documentation and controls in place to progress to Stage 2.
- Initial Certification (Stage 2) - Evaluate the evidence to prove your ISMS and controls are effective and that they meet the ISO 27001 requirements. Passing Stage 2 results in an ISO 27001 certification. The ISO 27001 certification lasts 3 years starting from the date of initial certification.
- Surveillance Audit 1 and 2 - Evaluate your ISMS and a sample of your controls. There are two surveillance audits, one in each of the two years following initial certification.
- Recertification Audit - The recertification audit occurs during the year of ISO 27001 certificate expiration. Similar to Stage 2, this audit evaluates the evidence to prove your ISMS and controls are effective, and that they meet the ISO 27001 requirements. Passing a recertification audit will renew the ISO 27001 certification period for the next 3 years.
Some of the key requirements of ISO 27001 include:
- Developing and maintaining a documented ISMS that includes policies, procedures, and guidelines for managing information security risks.
- Conducting a risk assessment to identify potential threats and vulnerabilities, and implementing controls to mitigate these risks.
- Implementing controls to protect against unauthorized access to information and information systems.
- Implementing controls to ensure the confidentiality, integrity, and availability of information and information systems.
- Implementing controls to ensure the security of information during processing, storage, transmission, and disposal.
- Implementing controls to protect against the unauthorized use of information systems.
- Implementing controls to ensure the security of system documentation and records.
- Implementing controls to prevent unauthorized changes to information and information systems.
- Implementing controls to ensure the security of information during the development and maintenance of information systems.
- Implementing a process for managing and reviewing the effectiveness of the ISMS on an ongoing basis.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes standards for protecting the privacy and security of personal health information. The HIPAA requirements apply to covered entities, which include healthcare providers, healthcare clearinghouses, and health plans.
The HIPAA requirements can be divided into two main categories:
- Privacy requirements - These requirements establish rules for the use and disclosure of personal health information. They include provisions for consent, authorization, and minimum necessary use of personal health information.
- Security requirements - These requirements establish rules for protecting the confidentiality, integrity, and availability of personal health information. They include provisions for access controls, audit controls, integrity controls, and transmission security.
In addition to these requirements, HIPAA also includes provisions for enforcement, including the ability to impose fines and penalties for non-compliance. It is important for covered entities to carefully review and understand the HIPAA requirements in order to ensure compliance with the law.
Other important standards
There are many standards and reports that organizations can use to demonstrate their commitment to information security and compliance. These include:
- PCI DSS (Payment Card Industry Data Security Standard) - This standard is designed to ensure the secure handling of payment card data by merchants and service providers. We recommend using Stripe to handle this for you.
- GDPR (General Data Protection Regulation) - This EU regulation sets out the requirements for protecting the personal data of EU citizens and establishing data protection as a fundamental right.
- ISO 9001 - This standard is focused on quality management and outlines the requirements for an organization's quality management system.
- ISO 14001 - This standard is focused on environmental management and outlines the requirements for an organization's environmental management system.
It's worth noting that each of these standards and reports has a specific focus and may not be relevant to all organizations. It's important to carefully evaluate which standards and reports are appropriate for your organization based on your industry, business model, and the type of information you handle.