Soc 2 Controls List Excel


A baseline configuration of information technology/industrial control systems is created and maintained (CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10).

PR.IP-2: A System Development Life Cycle to manage systems is implemented.

PR.IP-3: Configuration change control processes are.

Before we explain SOC 2® Type II compliance, let's get a baseline on SOC and the foundational SOC 1 report.

What is SOC 1?

SOC is an abbreviation for Systems and Organizations Controls developed by the. SOC reports are in effect a product of the services that auditors provide their clients. A SOC 1 report is specifically for internal controls over financial reporting. For example, if you have a customer that is undergoing a financial audit, and you are providing that customer your services, the auditors of your customer will need a SOC 1 report from your service organization. A SOC 1 Type I report would attest that your service organization's controls are suitably designed to achieve its financial control objectives.

A SOC 1 Type II report would attest to both the design and the operating effectiveness of those controls over a specified period of time.

SOC 2 and SOC 2 Type II Compliance Defined

SOC 2 reports are attestations that your service organization has controls around the systems and processes that touch sensitive information that does not affect a customer's financial reporting (remember that SOC 1 is for internal controls over financial reporting). Similar to SOC 1, SOC 2 has two report types. The Type 1 report tests and reports on the design of the organization's controls. The SOC 2 Type 2 report tests and verifies that the design was operationally effective for a specified period of time.

SOC II reports cover what are referred to as the criteria of security, availability, processing integrity, confidentiality, and privacy. The criteria, or principles, are elaborated as:

Security - information is protected from unauthorized access and damage, and the systems that store and process that information are also protected.

Availability - the systems are accessible for operation, and are monitored and maintained.

Processing Integrity - systems achieve their intended aim, are unimpaired, and are not error-prone.

Confidentiality - the information is protected as required by regulatory law, by legal contract, or by commitments made between parties.