The Definitive Guide: SOC 2
SOC 2 might be right for you if:
• You want to demonstrate your commitment to security and privacy
• You process information in the cloud or in data centers
• You manage or store data for U.S.-based customers and business partners
• You’re looking to improve your overall security posture
• You want to increase the valuation of your organization
• You want to beat competitors, win more deals and accelerate growth
Benefits of a SOC 2 Report
Your customers and partners want to know that you are going to protect their data, and they want to see that validated by an independent auditor. A SOC 2 report provides that trust, allowing you to get the edge over your competitors, close deals faster, and win more business. Plus, doing a SOC 2 report now could save you hours upon hours of headaches and fighting fires down the road when an important business transaction depends on it.
• Protects sensitive information stored in the cloud
• Demonstrates a commitment to corporate governance
• Provides assurance to customers and partners that your systems are secure
• Satisfies requirements for organizational and regulatory oversight
• Serves as a competitive advantage, winning trust and driving revenue
• Allows you to kiss the 500-question security questionnaire good-bye
Type 2 Report
SOC 2 Type II audits attest to both the design and the operating effectiveness of those controls over a period of time, typically between 3-12 months. This type of SOC audit provides assurance of not just how your systems are set up, but how they are used on a day-to-day basis. A SOC 2 Type II will generally provide a greater level of trust to a customer or business partner due to the increased visibility of systems in action.
• Describes your organization’s system as a whole
• Assesses the design of your organization’s controls, as well as their operating effectiveness
• Focuses on a period of time in which the controls are operating
• Features detailed descriptions of the auditor’s tests and test results of the controls
Type 1 Report
SOC 2 Type I audits attest to the design of controls at a single point in time. The auditor will review evidence from your systems as it exists at a “moment” and produce the Type I report based on that information.
• Describes your organization’s system as a whole
• Assesses the design of your organization’s internal controls
• Tests a specific point in time
Type 1 Report: Traditional Approach
In A-LIGN’s Traditional Type 1 approach, we help your organization understand the SOC 2 criteria and report, identify key controls, and provide a detailed IRL (Information Request List) outlining the required documentation, including policies and procedures. Once your team has received the IRL, you upload evidence to our in-house audit portal, A-SCEND, to meet the requirements identified for each control. Once the evidence has been uploaded, A-LIGN reviews and tests what has been submitted. As the final step, A-LIGN reports on our testing and provides your team a final report outlining the testing performed and the compliance status of each requirement as of your defined review date.
Type 1 Report: Belay Approach
A-LIGN offers a Belay Approach audit for those not interested in taking the Readiness Assessment route in completing their SOC 2 audit. The Belay Approach is an actual SOC 2 examination resulting in the client receiving a SOC 2 report, but it is broken down into a two-stage approach.
Stage 1 helps your organization understand the SOC 2 criteria and report, identifies key controls and relevant policies and procedures, and uncovers potential issues that may arise.
Stage 2 allows your company time to remediate control gaps identified in Stage 1. The Information Request List (IRL) is then created and uploaded into A-SCEND. Once all requirements are fulfilled, a SOC 2 report is delivered.
Type 2 Report: SOC 3
A SOC 3 report is a public-facing version of your SOC 2 report for anyone looking for assurance regarding controls at your organization that are related to either security, availability, processing integrity, confidentiality, or privacy. When compared to a SOC 2 report, a SOC 3 version does not provide the details of the tests performed by the auditor.
Getting Started: Readiness Assessment
A readiness or gap assessment gives you a good idea of how much work you’ll need to do to successfully pass your audit. This process reviews the controls you have in place and points out those that need to be improved or implemented outright. Gap assessments are a great way to start the compliance process because the pressure is off, so to speak – allowing you to take care of issues ahead of time, before that huge customer is on the line and your CEO is breathing down your neck.
In an ideal world, an organization would first go through a readiness assessment prior to completing a SOC 2 examination for the first time.
• Identify high-risk control gaps
• Get recommendations for improving controls
• Remediate issues prior to the official SOC 2 examination
The Five Trust Services Criteria
Security / Common Criteria: Controls that protect against unauthorized access, unauthorized disclosure, or damage to systems. Examples include endpoint protection and network monitoring.
Confidentiality: Controls that protect confidential information throughout its lifecycle from collection and processing to disposal. Examples include encryption and identity and access management.
Availability: Controls that keep systems operational and available at a level that meets stated business objectives. Examples include performance monitoring and disaster recovery.
Processing Integrity: Controls that ensure systems perform in a predictable manner, free of accidental or unexplained errors. Examples include software development lifecycle management and quality assurance.
Privacy: Controls specific to protecting personal information, especially that which you capture from customers. Examples include privacy policies and consent management.
[Chart: Percentage of A-LIGN's customers that evaluate each criterion]
[Timeline graphic: the four audit phases plotted across Weeks 1 to 14]
Phase 1: Project Kick-off
Our team works with yours to identify your audit objectives and the required control areas, define the scope of your project, and introduce you to your SME (Subject Matter Expert), setting you up for a successful SOC 2 assessment.
Phase 2: Evidence Collection
Your team works through the IRL (Information Request List), which identifies the audit evidence and documentation required to meet each individual request within your defined scope. A-LIGN welcomes the opportunity to educate your team as needed.
Phase 3: Audit Testing
A-LIGN performs a documented review and audit testing of the evidence provided in the previous phase of the project. Each piece of evidence is tested against the requirements outlined for each particular control.
Phase 4: Reporting
Upon closing out the audit testing, A-LIGN produces a final report outlining the work performed and the compliance status of each requirement. It also includes an executive summary for management. The final report is what you will eventually provide to your customers.
A-SCEND
Developed by industry experts. Inspired by our clients. Designed to meet your audit needs.
A-SCEND provides end-to-end compliance management. This tool is used to collect evidence throughout the audit – from readiness to report – eliminating the need to purchase stand-alone audit readiness software.
• 2,500+ customers
• 11,600+ audits completed
• 2M+ pieces of evidence
The A-LIGN difference
1. Accreditations
• Licensed SOC 1 and SOC 2 Assessor
• Accredited ISO 27001, ISO 27701, and ISO 22301 Certification Body
• HITRUST CSF Assessor Firm
• Accredited FedRAMP 3PAO
• Candidate CMMC C3PAO
• Qualified Security Assessor Company
2. Single-Provider Approach
• 11,600+ Audits & Assessments
• 2,500 Clients Across 30 Countries
• Cost Efficient Fixed Fee Pricing Structure
3. Customer Focused
• 96% Client Satisfaction Rating
• 24-Hour Response Commitment
• Customized Solutions & Partnership Approach
4. Exceeding Expectations
• Former “Big 4” Executives
• Over 20 Years Experience
• Top Issuer of SOC 2 Reports in the World
USA: +1 (888) 702-5446
EMEA: +44 (0) 330-124-3754
EMAIL: info@a-lign.com
Readiness Assessment applies to organizations that:
• Have limited to no formalized policies and procedures
• Have never undergone a prior information security compliance assessment
• Are looking for a prescriptive gap analysis with findings and recommendations from a SOC 2 SME