
Enhancing Security and Gaining Competitive Advantage
Trust, Security, and Compliance
SOC 2 is an attestation framework for assessing and reporting on an organisation’s information security practices. It is governed by the AICPA and is particularly prevalent in North America and in the Software as a Service (SaaS) industry. Obtaining a SOC 2 report (SOC 2 is an attestation report rather than a certification) involves an independent auditor examining your organisation’s security controls against the Trust Services Criteria, defined by the AICPA, to confirm that appropriate policies and controls are in place to safeguard customer data. Unlike many other compliance frameworks with prescribed controls, SOC 2 leaves the design and selection of controls to you, provided they address the criteria relevant to your organisation.
Benefits
A SOC 2 report offers numerous benefits for organisations looking to enhance their information security management. By obtaining a SOC 2 report you not only strengthen your security posture but also gain a competitive edge, build customer trust, and demonstrate compliance with applicable regulations.
Here are some of the key advantages:

Your Questions Answered
SOC 2 stands for “System and Organization Controls 2”. It is a set of criteria developed by the American Institute of Certified Public Accountants (AICPA) for managing customer data, organised around five trust services categories: security, availability, processing integrity, confidentiality, and privacy. It is particularly relevant for technology and cloud computing companies that handle customer data.
SOC 2 is underpinned by the following Trust Service Criteria:
- Security: The system is protected against unauthorised access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorised.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.
Security, whose criteria are known as the “Common Criteria”, is the only mandatory category; availability, confidentiality, processing integrity and privacy are optional and are included according to the commitments you make to your customers.
Not as such. SOC 2 reports are not pass/fail: a report can be issued with any number of exceptions, and the auditor’s opinion can be qualified. Most companies choose to delay their SOC 2 report until it is “clean”. If you are in an annual reporting cycle with customer commitments, you may not have that flexibility, so the report may be issued with the identified exceptions and any qualification of the opinion disclosed.
There are a few things to be aware of for SOC 2 reporting:
- There are 33 common criteria to satisfy, by mapping your controls to them and demonstrating that those controls are in place. We integrate with several compliance platforms to assist your compliance journey.
- The controls include documented policies, system configurations, and defined processes. Our PolicyTree solution generates your tailored set of policies that are the foundations of your compliance program.
- An audit is conducted to verify your compliance, which AssuranceLab performs. We have some flexibility for first-time reports, especially Type 1, that lets you fix things as we work through.
- A system description is prepared to describe your compliance scope and activities. We add your tailored controls, mapped to the criteria, and (for Type 2) the results of testing those controls; we then both sign off to issue the final report.
Yes is the short answer. Unlike ISO 27001, SOC 2 has no prescribed audit days, so automated evidence collection can help auditors reach the required level of comfort over your controls. That relies on an audit firm that is familiar with the specific platform you use, and it only works if the controls and scope of the audit fit the platform. If you have customised controls or diverge from the way the platform works, it can cause additional work. We integrate with many compliance automation platforms to ensure a streamlined approach to your audit.
The Service Organization Control standards, now termed System and Organization Controls (SOC), have been around for decades. Their earlier use was driven by financial reporting objectives, later termed “SOC 1”: third parties relied on IT systems or services in a way that affected their financial statement audits or other financial interests, such as asset management or superannuation.
As reliance on third-party services grew with the rise of software as a service companies, these reports naturally evolved to provide assurance over those services even when no direct financial objectives were involved. The Trust Services Criteria were then introduced to align with the modern needs of third parties reliant on security, availability, confidentiality, processing integrity and privacy. This became “SOC 2”, to differentiate it from the earlier SOC 1 purpose.
A Type 1 report attests to the design of your controls at a point in time: it shows that, as at the report date, you have the right systems and processes in place to satisfy the SOC 2 Trust Services Criteria.
A Type 2 report attests to both the design and the operating effectiveness of your controls over a set period, usually between 3 and 12 months, showing that your systems and processes have operated consistently to satisfy the SOC 2 criteria throughout that period.
Usually, a Type 1 report is issued first as baseline compliance. That marks the start of the live and recurring Type 2 audit period for reports issued annually. That is the industry-standard approach, but the SOC standards allow you to choose report dates and periods as desired (in practice, customers’ expectations drive the industry-standard approach).

Partner with Cyber Ally
Cyber Ally is the partner of choice for Australian businesses of all sizes. We are broadly experienced in managing the cyber security threat landscape across many of Australia's industries. Let us help you secure your digital future.
Contact us