In the near future, many companies will be required to manage their IT security suppliers and audit their entire supply chain. This obligation can place a significant strain on the internal resources of each of the companies concerned.
Author: Martin Hořický
Larger companies often realise that if they have to audit dozens of their business partners or go through an audit themselves, it can put a significant time burden on their internal teams.
In the context of current regulatory requirements, such as the NIS2 legislation or the DORA regulation, it is worth considering whether there is an instrument where a single audit report could demonstrate the implementation of all required procedures. For this purpose, the so-called SOC2 audit has been used for many years, especially in the US markets.
SOC2 reporting is a robust audit that comprehensively verifies a vendor's information security, providing an independent assessment by an audit firm. This also ensures that the company's systems and processes are designed to guarantee data security, confidentiality, availability and integrity.
Every SOC2 audit must assess the "Security" domain, which covers the following areas:
- CC1 - Control environment
- CC2 - Communication and Information
- CC3 - Risk assessment
- CC4 - Monitoring controls
- CC5 - Control activities
- CC6 - Logical and physical access controls
- CC7 - System operation
- CC8 - Change Management
- CC9 - Risk reduction
Depending on the nature of the services supplied, the audit can optionally be extended to the following domains:
- Availability
- Confidentiality
- Privacy
- Process Integrity
Because the report already covers regulatory requirements in many areas, a large part of those requirements is met once the audit is complete. The report can then be extended as a SOC2+ report and supplemented with any other requirements, such as HIPAA, DORA, NIS2, NIST, etc.
What is SOC2?
SOC2 (Service Organizations Control) is a standard defined by the American Institute of Certified Public Accountants (AICPA) that evaluates the information security of companies. This audit verifies that a company has measures in place in five key areas: security, availability, confidentiality, process integrity and privacy. Companies that successfully pass the audit receive a report with a statement that serves as evidence of their ability to protect their customers' data.
SOC2 Type I vs. SOC2 Type II
There are two types of SOC2 audit. SOC2 Type I evaluates the design of security controls at a specific point in time, allowing you to quickly verify that the set processes are in order. SOC2 Type II goes a step further and examines whether these controls are working properly over a longer period of time, usually 3 to 12 months in the past. The Type II report provides a more detailed view of the long-term performance of security mechanisms and processes. The choice between SOC2 Type I and Type II depends on whether it is realistic to audit the entire audit period. If the security measures are freshly implemented, it is preferable to start with Type I, with the possibility of moving to SOC2 Type II later.
SOC2 and cloud computing in e-government
Cloud computing is now an integral part of information systems, especially in public administration. In order to be listed in the eGC catalogue, as required by Decree No. 316/2021 Coll., cloud providers must meet strict security criteria, which often includes obtaining SOC2 Type II. SOC2 thus plays an important role in ensuring compliance with cybersecurity requirements for cloud services.
Risk and supplier management with SOC2
The SOC2 report helps organizations not only demonstrate that they have processes in place to protect data, but also that they are effectively managing the risks associated with their vendors. This audit verifies that the company conducts regular risk analysis, monitors vendor performance and quality, and has an exit strategy in place to ensure data confidentiality and integrity.
Want to prepare for future regulations?
Completing a SOC2 audit gives you a clear view of how well your processes, systems and security are set up. SOC2 will prepare you for requirements around data security and operational risks, which will also be essential for upcoming regulations such as NIS2 and DORA. These new regulations place an emphasis on cybersecurity and risk management, and if you already have SOC2 procedures in place, you'll be well ahead of the curve in ensuring compliance with these legislations.