SOC2

A company’s Information Security Management System should support its business strategy, not constrain it. We put the strategic needs of our clients’ businesses first, determining the scope of the company’s ISMS so that its boundaries are clearly defined and the ISMS supports the business’s long-term goals.

In early 2011, the AICPA issued its Service Organization Control (SOC) reporting framework. The purpose of this framework is to differentiate between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report.

DEMYSTIFYING TYPE 1 AND TYPE 2 SOC2 ATTESTATION

Understanding the distinction between Type 1 and Type 2 SOC 2 Attestation and when it’s appropriate according to the maturity level of an ISMS.

STRENGTHENING YOUR ISO 27001 ISMS WITH SOC2 COMPLIANCE

How to build a SOC2 compliant Information Security Management System from the ground up.

Overview

A SOC 2 report is an attestation report issued by an independent Certified Public Accounting (CPA) firm, which opines on the design or operating effectiveness of a service organization’s controls and whether one or more of the following five (5) defined criteria and/or principles have been achieved: security, availability, processing integrity, confidentiality and/or privacy.

The SOC 2 (AT 101) report is most useful for service organizations whose clients do not necessarily rely on the reported controls for financial reporting purposes, but depend on their service organization’s ability to maintain a controlled environment; formerly, a SAS 70 report was issued for such service organizations. The SOC 2 report demonstrates to a service organization’s clients that the organization can be independently assessed against one or more of the five (5) AICPA Trust Services Principles:

  • Security: The system is protected against both physical and logical unauthorized access.
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the CICA.

A SOC 2 report, in addition to one or more of the AICPA Trust Services Principles, may also include criteria defined by management, industry standards or third parties. The criteria must meet the following basic characteristics:

  • Objectivity
  • Measurability
  • Completeness
  • Relevance

Summary

Our Risk, Audit, and Compliance practice works with our clients, either as part of a broader ISMS program development strategy or as a standalone program, to ensure the scope of the client’s ISMS is in compliance with the selected principles and criteria of the AICPA SOC2 reporting standards. The goal is for the client to pass a SOC2 attestation by a third-party CPA firm against one or more of the Trust Services Principles and Criteria, as specified by the client.

Our risk advisors work with our clients to determine whether a Type 1 or Type 2 audit is appropriate for the maturity of the client’s Information Security Management System. A “Type 1” SOC 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design of controls as of a specified date. A “Type 2” SOC 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time. The Type 2 examination results in a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, which includes an independent auditor’s opinion letter, management’s assertion, a description of the service organization’s system, and the results of tests of controls.

Client Results

We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.

Badger Meter certifies ISMS to ISO 27001 with SOC 2 Type 1 Attestation through partnership with Brier & Thorn

Badger Meter retains Brier & Thorn to build ISO 27001 certified ISMS compliant with SOC 2 Type 1 for attestation by Brightline. Scope of ISMS to include BEACON, the company’s smart meter Software-as-a-Service and mobile platform.

Brier & Thorn retained by collections and cashflow management company to build ISO 27001 ISMS for certification and SOC 2 attestation

Transworld Systems Inc, a nationwide collections and cashflow management company protects consumer cardholder data, protected healthcare information, and personally identifiable information with new ISMS, managed services, ISO 27001 certification and SOC 2 attestation in partnership with Brier & Thorn.
