SOC reports demonstrate an organization’s level of assessing _____ and implementing ____ to address ____
assessing vulnerabilities/risks, and implementing internal controls to address those risks.
A SOC attestation is a signed report produced by a _____
Certified Public Accountant (CPA)
Difference between SOC 1 and SOC 2
A SOC 1 report is geared towards financial reporting controls; a SOC 2 report is geared towards operational risk and data protection.
A SOC 1 audit is based on the TSCs. What is this and what are the 5? SAP(I)CP
Trust Services Criteria - focus areas to address as deemed appropriate to the organization based on identified risks.
Security is the only criterion required.
Optional criteria include:
Availability
Processing Integrity
Confidentiality
Privacy
SOC 1 is designed for companies offering services that directly impact:
Financial reporting
Type I vs. Type II
Type 1 is typically the first step: it takes a snapshot of your controls at a point in time. Type 2 assesses those controls over a period of time. The typical period is 12 months, but we can support 3, 6, 9, or 12.
SOC 2 report focuses on how an organization implements/manages controls for what parts of an organization?
Controls that mitigate identified risks across different parts of the organization (operational risk).
How to prepare for a SOC 1 audit? 5 steps.
SOC 1 and 2 services A-LIGN offers:
SOC 1 and 2 readiness, Type 1 certification, and Type 2 certification.
If you were looking at additional framework certifications, such as ISO 42001 or PCI DSS, we can add value in 3 ways. Plus other value:
Scalable services in both SOC and ISO, and pen testing.
Breadth of partnerships with GRC tools as well as readiness service providers, continuous monitoring services, etc. - we can help point you in the right direction.
Is pen testing required for ISO 27001?
Not explicitly, but strongly recommended as a risk assessment / control for vulnerability management and security testing (Annex A controls) and for demonstrating your commitment to continued improvement, a key component of ISO 27001.
ISAE 3402 and CSAE 3416
Equivalent to SOC 1, but for international or Canadian standards respectively.
GDPR
Services to understand