What is SOC 2? SOC 2 (often written "SOC II") is a Service Organization Controls report: an attestation issued by an independent CPA firm on the controls a service organization has in place, evaluated against the Trust Services Principles (TSP, since 2017 called the Trust Services Criteria) issued by the Assurance Services Executive Committee of the American Institute of CPAs (AICPA), originally in coordination with the Canadian Institute of Chartered Accountants (CICA). The service organization does not perform the report itself; it is the subject of the audit.
What is a Trust Service Provider? In this context, a Trust Service Provider (the AICPA's own term is "service organization") is a third party that operates IT services or handles privacy-sensitive information on behalf of businesses and their stakeholders, such as a hosting, SaaS, or data-processing vendor.
Which "trust principles" does AICPA consider within a SOC 2 report? Security: The system is protected against unauthorized access, both physical and logical. Availability: The system is available for operation and use as committed or agreed. Processing integrity: System processing is complete, accurate, timely, and authorized. Confidentiality: Information designated as confidential is protected as committed or agreed. Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles issued by the AICPA and CICA. Security is the only principle that must be included; a service organization chooses which of the others are in scope, so two SOC 2 reports are not necessarily comparable.
How are these trust services principles organized in the report? For each principle in scope, the criteria are grouped into four areas. Policies: The entity has defined and documented its policies relevant to the particular principle. Communications: The entity has communicated its defined policies to responsible parties and authorized users of the system. Procedures: The entity has placed in operation procedures to achieve its objectives in accordance with its defined policies. Monitoring: The entity monitors the system and takes action to maintain compliance with its defined policies.
What does it mean when a provider is SOC 2 certified?
Strictly speaking, there is no SOC 2 "certification"; the provider receives an attestation report containing the auditor's opinion. That report gives clients assurance that an independent CPA firm has examined the Trust Service Provider's internal controls and found them suitably designed (a Type I report, which covers a point in time) or suitably designed and operating effectively over a stated period, typically six to twelve months (a Type II report). When relying on a report, check the report type, the period covered, which trust principles were in scope, which systems and locations the description covers, and any exceptions or qualifications the auditor noted, since a clean opinion on a narrow scope says little about the service you actually use.