Service Organization Control (SOC) 2 Readiness

Backbone Consultants has extensive experience in delivering Service Organization Control (SOC 2) readiness assessments. Established by the American Institute of Certified Public Accountants (AICPA), the SOC Type 2 report has been gilded as the golden standard for attesting to an organization's internal control environment. Our SOC Readiness Assessments can assist SMBs to Fortune 100s alike achieve compliance across some or all of the five Trust Service Principles (TSP) defined by the AICPA.


Trust Service Principles:

• Security: The system is protected against unauthorized access, use, or modification.

• Availability: The system is available for operation and use as committed or agreed.

• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.

• Confidentiality: Information designated as confidential is protected as committed or agreed.

• Privacy: The system’s collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants (CICA).


The AICPA initially published the TSPs in 2009 and later revised them in 2014, adding the “Criteria Common to All Principles” to the Security Principle. The Common Criteria are applicable to four of the five TSPs, known as the 'non-privacy' principles, and are addressed only once in the report, rather than each principle addressing portions of common criteria, allowing for greater efficiency in the report. As a result, all SOC 2 examinations performed under the new standards must couple the Security Principle with any non-privacy principle. For instance, a SOC 2 that includes the Availability Principle must also include the Security Principle.


Common Criteria Categories:

• Organization & Management: The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.

• Communications: The criteria relevant to how the organization communicates its policies, processes, procedures, commitments, and requirements to authorized users and other parties of the system and the obligations of those parties and users to the effective operation of the system.

• Risk Management & Design and Implementation of Controls: The criteria relevant to how the entity (i) identifies potential risks that would affect the entity’s ability to achieve its objectives, (ii) analyzes those risks, (iii) develops responses to those risks including the design and  implementation of controls and other risk mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process.

• Monitoring of Controls: The criteria relevant to how the entity monitors the system, including the suitability, and design and operating effectiveness of the controls, and takes action to address deficiencies identified.

• Logical and Physical Access Controls: The criteria relevant to how the organization restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.

• System Operations: The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.

• Change Management: The criteria relevant to how the organization identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made to meet the criteria for the principle(s) addressed in the engagement.


The other 'non-privacy' principles, Availability, Processing Integrity, and Confidentiality, have also been modified to include criteria that is only applicable the specific principle. This greatly reduces the redundancies found in the old TSPs when more than one non-privacy principle was in scope for the SOC 2 examination.


Readiness Assessment Phases:

1. Mapping of the existing control environment to each principle and common criteria.

2. Design and implement controls where gaps are identified between the control environment and the principle being assessed.

3. Testing of the controls for design and operating effectiveness.

4. Assist in crafting the management assertion and description of controls sections within the SOC 2.


Backbone’s SOC Type 2 Readiness Assessment service will not only provide the current maturity of an organization's control environment but also clearly define the path to becoming compliant prior to being externally audited. By allowing our Certified Information System Auditors (CISA) and Certified Information Systems Security Professionals (CISSP) to assist in your SOC readiness activities you be assured a solid foundation will be established for your SOC 2 report.