Menu
1. Schedule a 30-minute Discovery Session
2. We determine IF and HOW we can help
3. We provide a Tailored Proposal
4. Together, we review the Proposal
Developed by the AICPA, SOC 2 is specifically designed for technology service providers that store client data in the cloud. SOC 2 applies to nearly every SaaS (Software-as-a-Service) company, as well as any company that uses the cloud to store client information. To become SOC 2 compliant, companies must conduct a cybersecurity audit. This audit analyzes five controls, known as the Trust Service Principles (TSP): security, availability, processing integrity, confidentiality, and privacy. Auditors assure that these five controls are relevant to the industry. We recommend penetration testing once a quarter as part of SOC 2 compliance.
There are two types of SOC 2 Audits – Type I and Type II. A SOC 2 Type I audit is more of a documentation review, whereas a SOC 2 Type II audit is a review of operations – control implementation effectiveness.
Penetration testing is primarily used to test control effectiveness in SOC 2 Type II audits.
SOC 2 Type II – an audit of management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls. A SOC 2 Type II audit looks at how the controls are described and used over a minimum of a 6-month time-frame. The intent is to determine if the controls are functioning as described by the management. An auditor will test the controls and provide an opinion (attestation) based on the description by management versus the operating effectiveness (test results) of the controls.
Although SOC 2 only specifies a penetration test every 180 days, we recommend a quarterly program that includes validation testing.
If we do not find at least one vulnerability with a risk rating of Low or greater, we will refund 100% of your money, minus any incurred expenses.
The number of cybersecurity incidents continues to climb. The variety of attacks continues to grow. It is no longer a question of if you will have a cyber event.
