Security Standard
SOC 2
Service Organization Control 2
Global
Effective: January 1, 2010
Updated: January 1, 2022
Overview
SOC 2 is an auditing framework developed by AICPA for service organizations that store, process, or transmit customer data. It evaluates controls relevant to security, availability, processing integrity, confidentiality, and privacy (Trust Services Criteria). SOC 2 reports are widely used by SaaS providers and cloud services to demonstrate security posture to customers.
IAM Requirements
CC6.1: Logical and Physical Access Controls
- Implement logical access security software and infrastructure
- Control access to protected information assets
- Prevent unauthorized access from outside system boundaries
- Manage identification and authentication of users
CC6.2: User Access Administration
- New user registration and authorization process
- Modification of access based on role changes
- Timely removal of access when no longer needed
- Periodic access reviews
CC6.3: Role-Based Access
- Define and assign user roles
- Implement least privilege principle
- Segregate incompatible duties
- Approve and document access exceptions
CC6.6: Authentication
- Authenticate users before granting access
- Implement multi-factor authentication where appropriate
- Manage credentials securely
- Monitor for authentication anomalies
Compliance Checklist
1. Select applicable Trust Services Criteria
2. Define system description and boundaries
3. Identify and document controls
4. Implement access provisioning procedures
5. Deploy multi-factor authentication
6. Establish access review processes
7. Implement change management controls
8. Deploy logging and monitoring
9. Conduct security awareness training
10. Perform risk assessment
11. Conduct readiness assessment
12. Engage CPA firm for SOC 2 audit
Penalties for Non-Compliance
There are no direct regulatory penalties, but the inability to provide a SOC 2 report can result in lost business opportunities and reduced customer trust.
Quick Facts
- Region: Global
- Effective Date: January 1, 2010
- Enforcing Body: American Institute of Certified Public Accountants (AICPA)