SOC 2 TYPE II CERTIFICATION
What is SOC 2 certification?
Information security is a critical issue for all businesses and organisations, including those that outsource critical business operations to third-party providers (e.g. SaaS providers, cloud providers). Poor data management, especially by application and network security providers, can leave businesses vulnerable to attacks such as data theft, extortion and malware installation.
SOC 2 is therefore an auditing process that aims to ensure that your service providers are managing your data securely, protecting your organisation's interests and your customers' privacy. For companies concerned about the security of their data, SOC 2 compliance is a minimum requirement when considering a SaaS provider.
SOC 2 certification is awarded following an external audit. This audit assesses a vendor's compliance with one or more of the cybersecurity pillars, detailed below.
- Security: security and protection of system resources from unauthorised access, using IT security tools such as access control tools, network and web application firewalls, two-factor authentication or intrusion detection.
- Availability: refers to the accessibility of the system and/or data, through monitoring network performance and availability, and handling security incidents.
- Integrity: this principle of processing integrity is concerned with whether or not a system is achieving its purpose (i.e. providing the right data at the right price at the right time). Therefore, data processing must be complete, valid, accurate, timely and authorised.
- Confidentiality: data is considered "confidential" if access and disclosure is limited to a set of previously authorised persons. Encryption tools, firewalls and strict access controls are essential to the confidentiality of a company's data.
CyberSecura can assist you with your SOC certification project. Please note that the external certification audit cannot be performed by CyberSecura.
What is the difference between SOC 2 type I and II?
The objective of these two certifications is essentially the same: to demonstrate that the appropriate and relevant technical requirements for the security of the certified organisation have been properly implemented. SOC 2 type I certification only requires the effective implementation of these technical requirements. SOC 2 type II certification, on the other hand, is a little more exhaustive, since it requires an observation phase of 3 months after the implementation of these requirements. This final observation phase must be carried out by an auditor external to both the organisation and the certification project. If necessary, we work with an experienced partner auditor.
Why get SOC 2 type II certification?
- To reduce the risk of damage to the company's reputation, of legal penalties, and of lost commercial revenue resulting from the loss of sensitive information.
- To reassure your customers, employees, suppliers and other interested parties about the security of their data.
- To respond to invitations to tender for which ISO/IEC 27001 certification is required.
- To demonstrate to the general public that your organisation takes information security issues very seriously.
- To improve the information assets of your organisation and its customers year on year, thanks to the continuous improvement aspects of the standard.
The SOC 2 type II certification process
- A gap or blank audit, to take stock of your current situation, the assets already in place, the gap with the standard, the organisation's resources, and what is needed to achieve your objectives.
- Drafting your security policies and procedures.
- Implementation of technical security requirements.
- Managing your certification project: drawing up micro and macro plans, estimating costs and the time required.
- Carrying out technical audits (application and infrastructure audits).
Workload
To ensure that the certification project progresses satisfactorily, between 40 and 70 days of services are required. This volume of work is given as an indication and may vary depending on the size of the organisation and the resources dedicated to the certification project.
All our services to help you obtain a SOC or ISO 27001 security certification are carried out by Saghar Estehghari, co-founder, CTO and expert consultant in cybersecurity, certified ISO/IEC 27001 Lead Implementer.
WHAT HE SAYS
Guillaume Bouchard, CEO Checkstep
"The CyberSecura teams were very professional and responsive."
THE CLIENT USE CASE
Would you like to find out more about our SOC 2 Type II certification support service? Download our customer case study for more information!
If you download the use case on this page, you will access French content. If you want to read this use case in English, please click here!