SOC 2
Introduction
SOC 2 (Service Organisation Control Type 2) is a cybersecurity framework that assesses how well a service organisation protects client data.
Purpose
Developed by the American Institute of Certified Public Accountants (AICPA), the purpose of SOC 2 is to:
Ensure that client data is handled securely by third-party service providers
Build trust between a company and its customers
Demonstrate a company's maturity in handling customer data
The SOC 2 report
The SOC 2 report evaluates controls against the Trust Services Criteria, focusing on controls in five categories:
The Patchworks SOC 2 report is available upon request.
Security
Information and systems are protected against unauthorised access/disclosure, and damage to the system that could compromise availability, confidentiality, integrity and privacy. Protections include:
Firewalls
Intrusion detection
Multi-factor authentication
Availability
Systems, tools, and processes are in place to ensure systems are available for operational use. These include:
Performance monitoring
Disaster recovery
Incident handling
Confidentiality
Systems, tools, and processes are in place to ensure information is protected and available on a legitimate, need-to-know basis (applies to various types of sensitive information). These include:
Encryption
Access controls
Firewalls
Processing integrity
Resources, tools and processes are in place to ensure system processing is complete, valid, accurate, timely and authorised. These include
Quality assurance
Process monitoring
Adherence to principle
Privacy
Systems, tools, and processes are in place to ensure personal information is collected, used, retained, disclosed and disposed of according to policy (privacy applies only to personal information). These include:
Access control
Multi-factor authentication
Encryption
Last updated