SERVICE DELIVERY

SOC 2 (System Organization Control 2)

SOC 2 is a compliance framework designed to assess information security risks associated with using service providers and other third-party organisations and ensure customer data is managed securely.

A SOC 2 audit evaluates the design and operational effectiveness of an organisation’s systems and processes and their ability to manage data in relation to five trust services criteria, as defined by the American Institute of Certified Public Accountants (AICPA):

Security

Controls to protect systems and data from unauthorised access, use, disclosure, disruption, or destruction e.g. firewalls, access controls, identity management, secure configuration, threat detection.

Availability

Controls to ensure systems are available for operation and use as committed or agreed e.g. network monitoring, incident response, business continuity, and disaster recovery.

Confidentiality

Controls to protect information designated as confidential e.g. encryption, access controls, secure data disposal, monitoring and logging, information classification.

Processing Integrity

Controls to ensure system processing is complete, valid, accurate, timely, and authorised e.g. data validation and integrity, quality assurance, accuracy and error handling.

Privacy

Controls to protect personal information in accordance with the organisation's commitments and subject to applicable laws and regulations e.g. consent and rights management, compliance, data storage and retention.

There are two types of SOC 2 audit, both of which are carried out by an independent and accredited Certified Public Accountant (CPA):

Type I evaluates the design and implementation of a service organisation’s controls at a specific point in time. It focuses on the suitability of the design of the controls and whether they are properly designed to meet the specified criteria.

Type II evaluates the design and operational effectiveness of the service organisation’s controls over a specific period of time, assessing both the design and the operating effectiveness of the controls over the reporting period.

A SOC 2 audit is crucial for organisations that handle personal information and provides assurance to customers and stakeholders that the organisation has robust information security measures and organisational controls for safeguarding and managing data.

WHAT ARE THE BENEFITS?

Compliance: helps organisations align with various regulatory requirements, such as GDPR and HIPAA, reducing the likelihood of fines and reputational damage.

Robust security: ensures that appropriate information security systems and processes are in place to defend against breaches and unauthorised access.

Credibility: builds trust and confidence in the organisation and reassures existing or potential customers and stakeholders that it is committed to safeguarding data.

Efficiencies: security and operational processes and policies are optimised and clearly documented, streamlining business operations.

Cost saving: the SOC 2 framework shares a significant number of security controls with ISO/IEC 27001:2022, meaning potential cost savings for organisations considering dual implementation.

Continuous Improvement: SOC 2 requires regular audits, which encourage continuous monitoring and improvement of security practices.

Competitive Advantage: increases commercial opportunities and enables organisations to win new business, particularly where compliance is mandated.

FORTIS CYBER SOC2 CONSULTANCY SERVICES

Discovery

  • Assess the client’s business model, technical architecture, the services they provide and any sector-specific priorities.

  • Tailor the scope to fit the client’s needs, risks, environment and industry requirements.

Gap Assessment

  • Identify gaps between the client’s current state and SOC 2 compliance, focusing on the five trust service criteria.

  • Rank gaps based on risk and audit importance, aligning resources to high-impact areas.

  • Provide a detailed report of gaps with recommendations for remediation.

Design & Implement

  • Create a detailed action plan with responsible stakeholders, milestones for each gap identified and realistic timeframes for implementing the required controls.

  • Build or enhance controls, including development of policies and documentation, and implementation of required processes and technology controls.

Test & Train

  • Conduct internal testing of the controls to ensure they are operating effectively.

  • Perform a readiness assessment that simulates the actual audit process to identify any weaknesses or issues prior to the official audit.

  • Conduct training for staff members who will be responsible for control operation.

  • Prepare client team for what to expect during the audit, including how to present evidence and respond to auditor questions.

Post-Audit Support - Stay Certified Service

  • Review exclusions with the client and help remediate any issues raised by the auditors.

  • Ensure all corrective actions are documented and lessons learned are incorporated into future processes.

  • Establish a process for continuously monitoring and improving controls to help maintain ongoing compliance.

ENGAGEMENT METHODOLOGY

The Fortis Cyber® Get Certified Service utilises a structured approach to guide clients through the process of becoming compliant and then passing the SOC 2 audit. We value efficiency, so we aim to avoid unnecessary controls that don’t add real value and focus on achieving compliance without overburdening the client’s business operations.
