SOC 2 Reports

International Credibility

A SOC 2 report helps build international credibility by demonstrating your commitment to data security and compliance. It provides customers with confidence through detailed answers to due diligence questions, while minimizing business disruption with agile, tech-enabled audits. You can tailor the audit to your goals, align with multiple compliance frameworks, and even achieve a report while making known process improvements.

No, SOC 2 is not a certification. It is an attestation report issued by a qualified auditor that verifies your organization’s controls for protecting customer data. Unlike a certificate, the SOC 2 report includes a detailed system description, scope of compliance, and results from control testing. You can receive a report even with exceptions, and you have flexibility in choosing your reporting dates and audit periods.

The scope of a SOC 2 report is determined by identifying which services, systems, data, processes, and people must be secured to protect customers and other stakeholders. It begins with focusing on a specific service, such as a SaaS product, platform infrastructure, or professional services. From there, the scope expands to include the systems used to deliver the service, the data collected, the personnel involved, and the processes to meet the SOC 2 Trust Services Criteria.

All SOC 2 reports include the Common Criteria for Security: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security is always included, but the subsequent areas can be added optionally.

• Security: included in all reports, this covers basic system and data security
• Availability: the reliability and resilience of your systems and services
• Confidentiality: how data is classified, handled and retained in line with its level of sensitivity
• Processing Integrity: the objectives of your services and how those are managed to ensure complete and accurate data processing
• Privacy: managing personally identifiable data in line with individuals’ privacy rights.
• Security, Availability, and Confidentiality are commonly included to satisfy most enterprise customers’ expectations with minimal additional work on top of the Common Criteria.

Not as such. SOC 2 reports are not pass/fail. The report can be issued with any number of exceptions and qualifications. Organizations have the benefits of choosing the timing of their examination dates when it works best for you, and you’re confident in the effectiveness of your controls design.

SOC 2 reporting requires mapping your internal controls to 33 common criteria to establish a state of compliance. These controls include documented policies, system configurations, and defined processes. Sensiba supports this journey with integrations to compliance platforms and our PolicyTree solution, which generates tailored policies to form the foundation of your program. The audit process includes preparing a system description, evaluating your controls, and issuing a report—Type 2 reports also include testing results. For first-time audits, especially Type 1, we offer flexibility to make improvements during the process.

Yes, is the short answer. Unlike ISO 27001, there are no prescribed audit days, so using automation can help auditors achieve the required level of comfort for their controls. But that relies on an audit firm that’s familiar with the specific platform you’re using. It also only works if the controls and scope of the audit are adaptable to the platform. If you look to have customized controls or diverge from the way the platform works, it can cause additional work. We integrate with many compliance automation platforms to ensure a streamlined approach to your audit.