SOC 2 Compliance: What You Need to Know

With the System and Organization Controls 2 Type 2 audit now successfully behind us, riskmethods clearly and proudly demonstrates SOC 2 Type 2 compliance in all aspects of security practices and controls. Our customers know that they can rely on our security, availability, processing integrity, confidentiality, and privacy.  

Yet what does SOC 2 compliance mean for you? Our securITy rockstars, Nasim Al-Tamimi, riskmethods Chief Technology Officer and Robert Ibisch, riskmethods Chief Information Security Officer took us on backstage tour of the topic. 

SOC 2 is an audit conducted by an independent auditing firm, across five categories called Trust Services Criteria. The five categories, and their key aspects, are: 

• Security refers to protection of information throughout its lifecycle 
• Availability involves performance monitoring, disaster recovery, and security-incident handling 
• Processing Integrity focuses on ensuring that data is processed in a predictable manner, free of accidental or unexplained errors 
• Confidentiality covers ability to protect confidential information throughout its lifecycle, including collection, processing, and disposal 
• Privacy focuses on Personally Identifiable Information (PII) 

The auditor evaluates the evidence we supply for the controls in each category. When completed, we receive the official SOC 2 report that assures our customers and business partners that their data is handled securely.   

Specifically, the SOC 2 evaluates the organization’s technical management. It assures that our customers’ data is handled securely. At the same time, it verifies that the infrastructure, policies, procedures, and systems we have in place protect customer data within our company’s operational processes, as well as within The riskmethods Solution^TM. 

What is key is that an independent party verifies all the critical aspects of data security mentioned. The auditor provides an independent opinion, and proof that we have been consistent in following the standards. riskmethods proactively protects the IT-security of our customers and their data. For example:

SOC 2 Type 2 has a set of over 300 requirements and controls in the categories of security, availability, processing integrity, confidentiality, and privacy. In addition to verifying the infrastructure, software, people, policies and procedures, the auditor gathers evidence of how we apply each and every of those requirements and controls for the review period.

Originally established by the American Institute of Certified Public Accountants, the SOC framework is increasingly globally recognized. SOC 1 is very focused on the operational financial health of an entity. It is used as a single indicator for the capability of a company to operate. In comparison, SOC 2 is rather a comprehensive audit for SaaS companies and solutions. As described, it covers the data-handling aspects of security, availability, processing integrity, confidentiality, and privacy. We opted for all of these in our audit.

The Type 2 audit covers a 12-month interval. In other words, Type 2 has an annual recurrence, covering how the SaaS company operated throughout the year. Type 1 is performed only once. This one-off audit might even cover the work of just one day!

This is not new to us! We have long implemented all of those procedures, policies, and controls. This compliance audit enables us to prove that we have been following and practicing the right procedures and controls.  

We value transparency, so we can earn our customers’ trust. Through SOC 2 Type 2 compliance, we can prove we are an IT and cloud-service provider who uses verified information-security practices to ensure operational and security excellence.