
SOC2 reporting as a tool for risk reduction and supplier management

Today, when the digital environment affects the daily functioning of companies and individuals, data protection and information security is a key priority for successful business. As the use of cloud services and IT outsourcing increases, so does the need for thorough risk management associated with these service providers. In this context, the SOC2 report plays an important role as a risk mitigation and vendor management tool.

In the context of the current legislative and regulatory environment in the area of e-government cloud (eGC) and other regulations, such as NIS2 and its transposition into the new draft Cybersecurity Act, including implementing regulations, DORA regulation, etc., SOC2 takes on even greater importance. All of these regulations require organisations to have effective risk and vendor management processes in place. Ensuring compliance with these requirements is key to protecting sensitive data and meeting legal and regulatory requirements. A SOC2 report can be a useful tool to demonstrate this compliance and provide assurance on the security, confidentiality, availability and integrity of systems, both internal and those provided externally.

What is SOC2
Service Organizations Controls (SOC2) is a type of information security certification provided to companies that guarantees compliance with certain security standards. The certificate is issued following an audit that assesses whether the organization meets the principles and objectives defined by the American Institute of Certified Public Accountants (AICPA) standard. These principles cover the areas of security, availability, confidentiality, processing integrity and privacy.

SOC2 type I
SOC2 Type I evaluates an organization's cybersecurity controls at a single point in time. The goal is to determine whether internal controls are in place sufficiently and properly designed to provide the right protection for customer data. Type I audits and reports can be completed in a matter of weeks.

SOC2 type II
A SOC2 Type II report examines how well the systems and controls of a service organisation have been operating over a period of time (usually 3-12 months). It examines operational activity and whether systems are working as originally intended throughout the period under review. The time required to carry out this audit is usually between 3-6 months.

SOC2 type I vs. SOC2 type II
Both types of SOC2 require an audit by an audit firm.
When choosing between the two reports, the key question is whether it is realistic to verify the controls over a whole audit period, or whether this is a first verification and compliance with all requirements is not yet ensured. If verification over the whole period is not possible (for example, because the controls have only recently been introduced), it is preferable to start with Type I and proceed to Type II afterwards.

The second case is a first SOC2 audit. If the client knows that controls are in place and needs to confirm them before the actual Type II engagement, a Type I report is prepared.

The third option is to verify the existence of the controls from the outset. In this case, we recommend that clients perform a pre-assessment of how well their internal controls comply with the SOC2 requirements.


Cloud computing, e-government cloud and SOC2
Cloud computing is a method of ensuring the operation of a public administration information system or its part, through remote access to a shared technical or software resource that is made available by the cloud computing provider and configurable by the administrator of the public administration information system. The eGC services include three main categories of cloud services:
  • IaaS (Infrastructure as a Service)
  • PaaS (Platform as a Service)
  • SaaS (Software as a Service)

Decree No. 316/2021 Coll., on certain requirements for entry into the cloud computing catalogue, issued by the National Office for Cyber and Information Security (NCIS), came into force in 2021.

To be listed in the eGC catalogue, a provider must meet strictly defined security and technical criteria, which include measures for security, data protection, encryption, backup, service availability, protection against attacks and threats, etc.; as part of this, it must also provide SOC2 Type II reports.
An organisation can demonstrate through a SOC2 report that it has developed and implemented processes and procedures that ensure security in the areas required by the eGC.

Risk management, suppliers and SOC2 report
SOC2 defines security requirements in the areas of risk management and supplier management. An organization that has received a SOC2 report has developed and implemented procedures for evaluating and selecting suppliers, analyzing supplier risks, monitoring, evaluating and controlling compliance with the requirements. It also has defined procedures for supplier termination with respect to ensuring data confidentiality and has developed an exit strategy to ensure the availability of its services. A risk management system has been designed and implemented within the organisation which is process efficient and enables the organisation to respond to risks and minimise their negative impact.
All these requirements are verified and tested during the SOC2 process through a thorough audit by an independent auditor.

Our client, O2 Czech Republic, has achieved SOC2 Type II certification. This project was preceded by more than a year of preparatory work, which was followed by an independent audit for the period ending 30 November 2023.

Thanks to this verification, O2 Czech Republic can also offer its services to the public administration. As one of the few Czech companies, it meets the requirements of the law.

"The security and protection of customer data is a priority for O2. The SOC 2 certificate confirms that we adhere to strict security standards within the O2 Cloud and that our regular internal controls are in line with the highest security requirements for data protection," explains Tomáš Křešťák, Director of Fixed Network Products. Read the full press release HERE.

A big thank you to the whole team, led by Dominika Adamcova.