Third party organisations that successfully complete a SOC 2+ audit can offer their clients reasonable assurance to demonstrate that effective internal controls are in place and these controls pertain to the criteria covered in the AICPA Trust Service Principles, as well as many of the detailed requirements covered in other regulatory and industry-specific frameworks.
Service organisation controls (SOC) 2 is an internal controls offering that utilises the American Institute of Certified Public Accountants (AICPA) standards to provide an audit opinion on the security, availability, processing integrity, confidentiality and/or privacy of a service organisation’s controls.
SOC 2+ reports can be used to demonstrate assurance in areas that go beyond the Trust Services Principles (TSPs) to include compliance with a wide range of regulatory and industry frameworks such as the National Institute of Standards and Technology (NIST), the International Standardization Organization (ISO), Health Information Trust Alliance (HITRUST), Cloud Security Alliance (CSA) etc. SOC 2+ reports create substantial efficiencies for organizations.
The mapping allows one set of testing to provide assurance against multiple standards. Below are the mappings 2017 Trust Services Criteria (TSC) Mappings to Various Frameworks.