We are proud to share that, as part of our efforts toward continual improvement, reliability and adherence to standards of excellence, ISG's data center has been certified as SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3. This annual audit and review helps ISG as an organization and, most importantly, provides our clients an independent auditor's view of our internal controls over financial reporting, products and services, including the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
To learn more about each SOC report, and about why it is important that your security provider obtain an independent auditor's SOC 2 Type II report annually, please see below.
Differences Between SOC 1, 2, and 3
A SOC 1 addresses internal controls that are relevant to a company’s internal control over financial reporting. By definition, a SOC 1 is designed to review a company’s financial and accounting controls.
There are two types of SOC 1 reports: a SOC 1 Type I and a SOC 1 Type II. A Type I report audits controls as of a single date or point in time. A Type II report covers controls that were in place and operating over a period of time. A Type II report is always better than a Type I because it tests control effectiveness over a period of time; a Type I report often does not test controls.
The SOC 2 may be the more important of the two reports and is definitely the report you want from an IT vendor.
A SOC 2 report is an examination on a service organization’s controls over one or more of the following five Trust Services Criteria / Principles:
- Security: The system is protected against unauthorized access, both physical and logical.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in line with the organization's privacy commitments.
The Trust Service Criteria / Principles were designed with a focus on e-commerce systems due to the amount of private/confidential/financial information that flows across the internet daily. When a customer processes a transaction, builds a business on your service (SaaS providers), or submits private information, they want to know best practices are being followed by the company to guard against security leaks, lost sales, and damaged data. The most common reports based upon the trust principles are referred to as WebTrust and SysTrust.
A SOC 2 is the only report and audit that defines a consistent set of criteria specifically around the products and services a company provides to you. If you want a measure of how your vendor provides a secure, available, confidential and private solution, there's only one way to get that assurance: ask for a copy of their independently audited SOC 2 report.
Like the SOC 1, SOC 2 reports come in two types. A Type I affirms that controls are in place. A Type II confirms that the controls are in place and are actually working. So, yes, a SOC 2 Type II is the best representation of how well a vendor is doing when it comes to managing and safeguarding your data.
A SOC 3 is designed to be made available publicly (without the requirement of an NDA). It is less detailed and less technical, and it will not contain the same level of otherwise critical information that a SOC 2 Type II contains. Basically, it's a high-level summary of a SOC audit that comes with a seal of approval we can post on our website.
A SOC 3 is typically used during the initial due diligence of a vendor, until you have determined they are a serious contender.