SOC

The Type-1 Report is about the control design

The Type-2 Report is the final output with verification on control effectiveness by a third-party
AICPA’s Assurance Services Executive Committee (ASEC) certified.

The 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality,
and Privacy (With Revised Points of Focus — 2022) (2017 TSC) presents control criteria
established by the AICPA’s Assurance Services Executive Committee (ASEC) for use in
attestation or consulting engagements to evaluate and report on controls over the security,
availability, processing integrity, confidentiality, or privacy of information and systems used to
provide products or services
● Across an entire entity
● A subsidiary, division

SOC 2 requirements stem from the Trust Service Criteria (TSC) defined by the American
Institute of CPAs (AICPA). Your exact requirements, however, will depend on the TSC we
choose.

Security:
It requires you to enable access control, entity-level controls, firewalls, and other
operational/governance controls to protect your data and applications. This TSC takes
substantial effort and will require participation from your IT Development, IT Infrastructure, HR,
senior management, and operations teams.

Availability:
The availability criteria in SOC 2 focus on minimizing downtime and require you to
demonstrate that your systems meet operational uptime and performance standards. It includes
network performance monitoring, disaster recovery processes, and procedures for handling
security incidents, among others. Business continuity, data recovery, and backup plans are
critical pieces here.

Confidentiality
This principle requires you to demonstrate the ability to identify and safeguard
confidential information throughout its lifecycle by establishing access control and proper
privileges (to ensure that data can be viewed/used only by the authorized set of people or
organizations).
Confidential data includes financial information, intellectual property, and any other form of
business-sensitive details specific to your contractual commitments with your customer.

Processing Integrity
This principle assesses whether your cloud data is processed accurately, reliably, and on
time and if your systems achieve their purpose. It includes quality assurance procedures and
SOC tools to monitor data processing. This is relevant for businesses that execute critical
customer operations such as financial processing, payroll services, and tax processing, to name
a few.

Privacy
It requires you to protect Personally Identifiable Information (PII) from breaches and
unauthorized access through rigorous access controls, two-factor authentication, and
encryption. Privacy is relevant to you if your business stores customers’ PII data such as
healthcare data, birthdays, and social security numbers.

Each above TSC defines a set of compliance objectives and requirements your business must
adhere to with your defined controls.

Please Answer the following Questions by checking if your company

has the following:
Any previous Certificates
1. PCI-DSS certified
2. ISO27001 certified
Answer these Questions:
1. Number of total employees in your company?
3 W-2 employees
8 Contractors
2. Does the company have a corporate structure i.e.,
a. A board of directors : NO
b. A CEO : YES
c. Detail of remaining staff?:
i. Partnership with 3 owners.
ii. 3 W-2 employees
iii. 8 Contractors
3. Is there any HR department in your company?
NO
4. Is software development in-house or outsourced by your company?
Outsourced
5. Is there an information security department in your company?
No
6. Is there any audit department in your company?
No
 7. Narrate the service details for which SOC-2 is required. It is important to choose an
auditor for control design or direct audit.
Answer: To ensure our company and product offering are secure, compliant and
aligned to industry best practices.