PCI SSC and the payment brands

The standard

Back in 2011 theAssurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) created a set of Service Organisation Controls (SOC) and pertaining assessments which include assessments of financial controls (SOC 1, formerly SAS70) and assessments over service provider’s controls for managing customer data (SOC 2 and SOC 3).

SOC 2 is specifically designated for service providers storing and processing customer data in the cloud, e.g. nearly most of the SaaS companies. SOC 2 compliance is a minimal requirement when considering a cloud based services provider.

Trust Services Principles and Criteria

SOC 2 defines criteria for managing customer data based on five Trust Services Principles and Criteria (TSPs) – relevant to

  1. Security – the system is protected against unauthorised access
  2. Availability – the system is available for operation per entity’s commitment
  3. Processing Integrity – the system processing is complete, accurate and authorised
  4. Confidentiality – the system protects confidential information per entity’s commitment
  5. Privacy – personally identifiable information is managed (collection, use, retention, disclosure of) per entity’s commitment in the privacy notice as well as with criteria set forth in the AICPA’s generally accepted privacy principles


Both SOC1 and SOC2 reports can be issued either as Type I or Type II, where;

  • Type I – provides an assessment on whether the design of controls meets the relevant TSPs
  • Type II- similar as Type I with an audit of operating effectiveness of the assessed controls

SOC 2 vs SOC 3

A SOC 2 report contains details on tested controls including details on tested environment, test results and associated descriptions, whereas SOC 3 is similar but only contains a summary of assessed systems and results without any details.

SOC 2 Report and the scope

Unlike other security standards, SOC 2 reports are unique to each organisation as each organisation is responsible for the design of controls in compliance to one or more of TSPs. The service organisation, depending on its needs – the type of service provided as well as customer needs, can choose to attest to one, more or all of the TSPs, thus the scope of the report will contain only attested criteria. Any combination of TSPs can be chosen.

What is required for attestation?

Identifying your attestation requirements and associated scope and relevant TSPs is a place to start. Every organisation should establish, adopt and adhere to a set of Information Security policies and associated procedures relevant to the security, availability, processing integrity, confidentiality and privacy of customer data.

Read more on how to achieve SOC2 compliance ..

SOC2 services

SOC 2 audit is performed by a Certified Public Accountant (CPA) company, and whilst we are not a CPA company and cannot perform audits, we can assist you with getting your compliance status as trusted advisors. Our SOC 2 services are based on a methodological approach. While you have established the key drivers for SOC 2 certification based on your business and customer needs, our services will help you address following:
  1. Setting the scope in order to determine all systems subjected for SOC 2 audit as well as identifying applicable TSPs.
  2. GAP analysis to assess your existing controls against identified TSPs and identify gaps.
  3. Action plan to remediate all your control gaps and propose set of controls, including governance, IS policies, risk management, processes, technical controls.
  4. Implementation of missing controls and documentation
  5. Controls re-assessment actions and issuing a final report on overall achieved maturity.
  6. Guidance and support during the audit process – externalised CSO role.

We shall closely work with you to determine the best approach for achieving SOC 2 compliance, reducing the risk of not achieving the goal and getting things done on time.