Does ByteChek have a SOC 2 report?

Yep. We earned a SOC 2 because we wanted to have an independent third party validate that the ByteChek engine is processing your controls completely and accurately. Reach out to our business development team to get a copy of our SOC 2 report.

What are the SOC 2 “Points of Focus” I hear about?

When the AICPA published the Trust Services Criteria, they adopted the COSO idea of having points of focus that relate to each of the criteria. They define them as “important characteristics of the criteria.” The way to think about these is that they are meant as a “guide” for meeting the criteria. They are not required, you don’t need controls that match their verbiage, and you likely won’t need controls that relate to every point of focus in order to meet the criteria.

Can I combine my SOC 2 effort with other framework efforts I am pursuing (ISO, HIPAA, PCI, etc.)?

Yes. The most savings (in both dollars and time) will come from combining the testing efforts. Many framework criteria overlap (logical access, for example), so if you test logical access once, that one test can satisfy the requirements of several frameworks.

For reporting, you can use your SOC 2 report as the basis and add the mapping to other frameworks in an unaudited section 5 (most common), or do a SOC 2+ report, which combines the criteria of SOC 2 and the other framework in a single opinion (less common because of the increased level of effort).

Is a SOC 2 confidential?

Because of the sensitive nature of the SOC 2 report and its intended users, a SOC 2 report is considered a restricted use report and should only be provided to readers under a non-disclosure agreement or other confidentiality agreement. In the event your company needs or wants a report that is for general use, it can opt to undergo a SOC 3 examination instead.

Is SOC 2 a certification?

No. SOC 2 is a reporting framework, and the result is an attestation report containing a CPA’s opinion. When people say they are “SOC 2 compliant,” they usually mean they received an “unqualified” (clean) opinion from a CPA.

Are controls and testing the only thing that matters in a SOC 2 report?

No. There are 4 core sections of the SOC 2 report (plus an optional, unaudited section 5), and each is important. Controls and testing are only one of those sections (section 4). Equally important are the system description (section 3), management’s assertion about the system (section 2), and the auditor’s opinion (section 1), which shows whether the report is clean or carries any modifications.

I hear a lot about privacy these days. Should I include privacy in my SOC 2?

For this one, it depends. In SOC 2, privacy deals primarily with controls around the information of data subjects. If you are a data processor only, you likely do not decide how that PII is collected, used, retained, or disclosed, so the privacy criteria will be mostly N/A for you. If you are a data controller, you more likely have direct impacts on data subject information, and therefore would have privacy in scope.

What are the 5 Trust Services Categories?

  • Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the information or systems and affect a company’s ability to meet its objectives.

  • Availability – Information and systems are available for the operation to meet the company’s objectives.

  • Confidentiality – Information designated as confidential is protected to meet the company’s objectives.

  • Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the company’s objectives.

  • Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

ByteChek's platform helps companies of all sizes establish security programs, automate cybersecurity readiness assessments, and complete cybersecurity assessments faster – all from a single platform.

With ByteChek, companies can quickly build their information security policy from the ground up utilizing the ByteChek information security policy generator. The ByteChek platform then connects with the applications companies use every day to eliminate evidence collection and vague auditor requests.