24. What is the AICPA Service Organization Control (SOC) reporting framework and why are information security policies and procedures so important?
The AICPA Service Organization Control (SOC) reporting platform gives service organizations three options for reporting on their controls: SOC 1, SOC 2, and SOC 3. After roughly twenty years of service, the SAS 70 auditing standard was superseded by this new and much needed reporting platform. While SOC 1 (SSAE 16) reporting effectively replaced the aging SAS 70 standard, SOC 2 and SOC 3 reporting under AT 101 were introduced at the same time, so service organizations can choose the report that fits the purpose of their internal-controls reporting. (SSAE 16 has itself since been superseded by SSAE 18, and the SOC 2/SOC 3 criteria are now published as the Trust Services Criteria, but the three-report structure described here is unchanged.) As for the AICPA SOC platform, it's worth noting the following:
- SOC 1 reporting uses the SSAE 16 professional standard; service organizations can opt for an SSAE 16 Type 1 report (controls suitably designed as of a point in time) or a Type 2 report (controls also operating effectively over a review period).
- SOC 2 and SOC 3 reporting use the AT 101 professional standard and incorporate the SysTrust and WebTrust Trust Services Principles (TSP): (1) security, (2) availability, (3) processing integrity, (4) confidentiality, and (5) privacy.
One of the most fundamentally important points about SOC compliance is the need for documented operational and information security policies and procedures. From SSAE 16 Type 1 and Type 2 reporting to SOC 2 and SOC 3 SysTrust and WebTrust compliance, auditors look long and hard at an organization's policies and procedures. After all, many of the general I.T. controls within the scope of an SSAE 16 report, along with the Trust Services Principles for SOC 2 and SOC 3 reporting, require policies and procedures to be in place. The Global Information Security Compliance Packet (GISCP) from Flat Iron Technologies, LLC provides a set of documented operational, business-specific, and information security policies and procedures for this purpose.
Learn more about our signature product, the Global Information Security Compliance Packet (GISCP), the world's most complete security policy packet, containing over 2,850 pages of in-depth information security policies, procedures, forms, checklists, templates, provisioning and hardening documents, and much more.
Learn more today about the GISCP by viewing sample policies, forms, hardening documents, and more.