SOC 2 for IT service organizations

More and more companies are using IT service organizations for their automated data processing, ranging from a web application to full automation outsourcing. For these IT service organizations, the ability to provide an independent opinion on security, availability, integrity, confidentiality and/or privacy is of added value for the trust of their customers.

IT service organizations can use the internationally recognized Service Organization Control standard (SOC 2) for this purpose.

What is SOC 2?

SOC 2 gives an IT service organization a uniform way to provide customers and customers' auditors with insight into the control measures and processes applicable to the service. In a SOC 2 examination, an independent audit organization assesses the service organization's control objectives and measures. A formal SOC 2 assurance report includes a statement from the auditor. This gives existing and potential customers insight into the quality of the IT services you provide to your users. This demonstrates that you are SOC 2 compliant.

SOC 2 assurance reporting differs from other, traditional certifications because it is more comprehensive and is conducted annually through an audit. SOC 2 distinguishes two types of reporting: SOC 2 Type 1 and SOC 2 Type 2.

SOC 2 audit support

We have years of experience with SOC 2 processes at IT service organizations. Our organization consists of an enthusiastic team of NOREA-registered IT auditors (REs), who guide you from start to finish in obtaining SOC 2 Type 1 and SOC 2 Type 2 certification. We supervise SOC 2 audits for start-ups and scale-ups.

Benefits of SOC 2 for IT service organizations

  • The quality of the processes outsourced to you is guaranteed to your customers.
  • You get confirmation from an external party that your organization is well controlled.
  • The auditor of a user organization can rely on this report to audit financial statements.
  • It is no longer necessary for clients to send auditors to you.
  • Your organization is 'in control' and you communicate this to (potential) customers.

SOC 2 Approach 2-Control

Our objective is to achieve an assurance statement on security (mandatory), availability, integrity, confidentiality and/or privacy, as outlined in the SOC 2 guidelines, issued by the Assurance Services Executive Committee (ASEC) of the AICPA.

To meet this objective, we go through the following phases with you:

  1. Baseline measurement:
    a. Alignment of scope;
    b. Alignment of standards.

  2. Assessment of description and design of control measures: SOC 2 type 1 audit
    a. Verify that the system description gives a true picture;
    b. Determine the design of control measures by such means as interviews, study of documentation and measures, observation, testing and sampling;
    c. Compare reality with standards;
    d. Quality assessment and report on description and design (SOC 2 type 1 statement).

  3. Assessment of effective operation of control measures: SOC 2 type 2 audit
    a. Periodic determination of the operation of control measures through interviews, observation, testing and sampling, among others;
    b. Compare reality with standards;
    c. Quality assessment and reporting (SOC 2 type 2 statement).

Differences between SOC 2 and ISO 27001

  • ISO 27001 is a security standard that includes guidelines for an organization's information security. SOC 2 is an audit standard about outsourced IT processes. ISO 27001 therefore has limited added value for an auditor.
  • ISO 27001 also has no assessment framework, as SOC 2 does.
  • An ISO audit ultimately leads to a certificate and SOC 2 to an assurance report.
  • A SOC 2 assurance report gives the customer insight into the organization, resources and processes that guarantee the quality of automated data processing at the IT service organization. An ISO certificate does not provide this insight.

Differences between SOC 2 and ISAE 3402

  • ISAE 3402 is primarily used to provide an opinion on processes that impact financial reporting. Examples include the outsourcing of administration, credit management, asset management, property management, payroll & HR services and pension administration. SOC 2 is used by IT service organizations to provide confidence to customers about security, availability, integrity, confidentiality and/or privacy.
  • Readers of a SOC 2 assurance report can see immediately which criteria this confidence is based on. In SOC 2, the auditor must use the prescribed Trust Services Criteria as the framework for assessment. Readers of an ISAE 3402 assurance report can determine only from the details of the report which criteria the trust is based on. With ISAE 3402, the review criteria are free-form.

Ultimately, however, it is often the request of the client (the user organization) that determines which report is chosen. What does the client require, what does the client want assurance about, and for what purpose? An assurance report is never an obligation, but it can lead to more effective cooperation and greater trust between supplier and client.

SOC 2 Report

SOC 2 distinguishes Type 1 and Type 2 statements. A Type 1 audit assesses an IT service organization's design of processes and controls. A Type 2 audit, an annual audit, assesses whether the organization actually operated according to these processes and controls.
