A company’s Information Security Management System (ISMS) should support its business strategy, not constrain it. We put the strategic needs of our clients’ businesses first, determining the scope of the company’s ISMS so that its boundaries are clearly defined and the ISMS supports the business’s long-term goals.
In early 2011, the AICPA issued its Service Organization Control (SOC) reporting framework. The purpose of this framework is to differentiate between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report.
Understanding the distinction between a Type 1 and a Type 2 SOC 2 attestation, and when each is appropriate given the maturity level of an ISMS.
A SOC 2 report is an attestation report issued by an independent Certified Public Accounting (CPA) firm, which opines on the design or operating effectiveness of a service organization’s controls and whether one or more of the following five (5) defined criteria and/or principles have been achieved: security, availability, processing integrity, confidentiality and/or privacy.
The SOC 2 (AT 101) report is most useful for service organizations whose clients do not necessarily rely on the reported controls for financial reporting purposes, but do depend on the service organization’s ability to maintain a controlled environment; formerly, a SAS 70 report was issued for such service organizations. The SOC 2 report demonstrates to a service organization’s clients that the organization has been independently assessed against one or more of the five (5) AICPA Trust Services Principles:
A SOC 2 report, in addition to one or more of the AICPA Trust Services Principles, may also include criteria defined by management, industry standards or third parties. The criteria must meet the following basic characteristics:
Our Risk, Audit, and Compliance practice works with clients either as part of a broader ISMS program development strategy or as a standalone engagement. The goal is to ensure that the scope of the client’s ISMS complies with the selected principles and criteria of the AICPA SOC 2 reporting standard, so that the client can pass a SOC 2 attestation performed by a third-party CPA firm against the Trust Services Principles and Criteria the client has chosen.
Our risk advisors work with our clients to determine whether a Type 1 or a Type 2 audit is appropriate for the maturity of the client’s Information Security Management System. A “Type 1” SOC 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and the suitability of the design of its controls as of a specified date. A “Type 2” SOC 2 examination is performed when management requires a report on the fairness of presentation of the service organization’s system and on both the suitability of the design and the operating effectiveness of its controls over a period of time. The Type 2 examination results in a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, which includes the independent auditor’s opinion letter, management’s assertion, a description of the service organization’s system, and the results of tests of controls.
We share our clients’ ambitions, working to understand their reality and deliver real results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we are in this together as a closely held partnership.
Badger Meter retains Brier & Thorn to build an ISO 27001-certified ISMS that is compliant with SOC 2 Type 1, for attestation by Brightline. The scope of the ISMS includes BEACON, the company’s smart meter Software-as-a-Service and mobile platform.
Transworld Systems Inc., a nationwide collections and cash-flow management company, protects consumer cardholder data, protected health information, and personally identifiable information with a new ISMS, managed services, ISO 27001 certification and SOC 2 attestation, in partnership with Brier & Thorn.