SOC 2 Reporting | AT 101 | Overview | Trust Services Principles | I.T. Policies are a Must for SOC 2
26. What is SOC 2 reporting and why are policies and procedures important for SOC 2 compliance and do you offer such documentation?
SOC 2 is a reporting option under the AICPA Service Organization Control (SOC) framework, which consists of SOC 1, SOC 2, and SOC 3 reporting. For SOC 2, both a Type 1 and a Type 2 report can be issued, with AT 101 being the professional standard for issuing SOC 2 reports. Moreover, SOC 2 reporting incorporates the Trust Services Principles (TSP), five (5) broad-based principles that define and outline best practices relating to security, availability, processing integrity, confidentiality, and privacy. What’s important to note about SOC 2 compliance and the TSP is two-fold. First, a SOC 2 report can include any number of the TSPs for reporting purposes. Second, all of the TSPs require numerous policy and procedure documents to be in place for compliance, and this often poses a challenge for service organizations, as they’ve traditionally not had a solid resource to rely on for these much-needed documents, until now.
SOC 2 Compliance Required Policies and Procedures
Say hello to the FLANK21 set of operational, business-specific, and information security policies, procedures, and more. Not only will you receive the much-needed operational and I.T. documents for helping comply with SOC 2 reporting, but also numerous other policies, procedures, forms, checklists, templates, provisioning and hardening documents, and more.
SOC 2 | Policies and Procedures are a Must for the Trust Service Principles
As for the five (5) Trust Services Principles (TSP) that form the basis for SOC 2 (and SOC 3) reporting, there are strict requirements for numerous policies and procedures throughout the four “broad areas” of the TSP themselves. More specifically, these “broad areas” are the following: (1) Policies, (2) Communication, (3) Procedures, and (4) Monitoring. For example, under the “Security” principle, you’ll find requirements for each of the four (4) “broad areas” just mentioned. Clearly, with “policies” and “procedures” being two (2) of the four (4) “broad areas”, it’s easy to see why documented policies and procedures are a must for SOC 2 compliance. The FLANK21 set of operational and information security policies and procedures from FLANK will go a long way in helping develop these much-needed documents for SOC 2 reporting.