Yep. We earned a SOC 2 because we wanted to have an independent third party validate that the ByteChek engine is processing your controls completely and accurately. Reach out to our business development team to get a copy of our SOC 2 report.
ByteChek itself is not a CPA firm. However, ByteChek has an affiliated company, ByteChek Assurance, that is an independently owned and registered CPA firm that issues SOC 2 reports. At ByteChek, we can help you with SOC 2 from start to finish and make the whole process suck less!
When the AICPA published the Trust Services Criteria, they adopted the COSO idea of having points of focus that relate to each of the criteria. They define them as “important characteristics of the criteria.” The way to think about these is that they are meant as a “guide” for meeting criteria. They are not required, you don’t have to have controls that match their verbiage, and you likely won’t need controls that relate to every point of focus in order to meet criteria.
Yes. The most savings (in both dollars and time) will come from combining the testing efforts. Many framework criteria overlap (such as logical access), so if you test logical access once, you can meet the requirements of the different frameworks.
For reporting, you can use your SOC 2 report as the basis and add the reporting for other frameworks either in an unaudited section 5 mapping (most common) or by doing a SOC 2+ report, which combines the criteria of SOC 2 and the other framework in a single opinion (less common due to the increased level of effort).
Because of the sensitive nature of the SOC 2 report and its intended users, a SOC 2 report is considered a restricted use report and should only be provided to readers under a non-disclosure agreement or other confidentiality agreement. In the event your company needs or wants a report that is for general use, it can opt to undergo a SOC 3 examination.
No. SOC 2 is a reporting framework and an attestation report with a CPA opinion. When people say they are “SOC 2 Compliant,” they are usually referring to an “Unqualified” opinion from a CPA.
No. There are 4 sections of the SOC 2 report, and each is important. Controls and testing are only one of those sections (section 4). Equally important is the system description (section 3), management’s assertion (section 2) about the system, and the auditor’s opinion (section 1) which shows if the report is clean or there are any modifications.
For this one, it depends. In SOC 2, privacy deals primarily with controls around the information of data subjects. If you are a data processor only, you likely cannot manipulate the PII, so the privacy criteria will be mostly N/A for you. If you are a data controller, you more likely have a direct impact on data subject information, and therefore would have privacy in scope.
You can select any combination of the 5 Trust Services Categories based on what commitments you are making to customers for your service. Typically security is in every SOC 2; the other 4 are added on as needed based on those commitments and system requirements.
- Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the information or systems and affect a company’s ability to meet its objectives.
- Availability – Information and systems are available for operation and use to meet the company’s objectives.
- Confidentiality – Information designated as confidential is protected to meet the company’s objectives.
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the company’s objectives.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.