A SOC (Service Organisation Controls) report provides assurance to a third party (e.g. a client) that certain (IT) controls are operative. There are three kinds of SOC reports:
- SOC 1 report: provides assurance on finance-related controls
- SOC 2 report: provides assurance on IT-related controls
- SOC 3 report: a more generic version of SOC 2
Within information security, SOC 2 and 3 are relevant.
The SOC 2 add-on is relevant for service providers who wish to provide assurance on the five trust services criteria.
SOC reports are based on five trust services criteria, as defined in TSC 100 (2017):
- Security (mandatory)
- Availability (optional)
- Confidentiality (optional)
- Integrity (optional)
- Privacy (optional)
Relationship with ISO 27001
Rather than looking at it as a whole new set of requirements, it is recommended to utilize the synergy with ISO 27001, as both frameworks cover the same ground. And, depending on the auditing firm you are contracting, the audits could even be combined!
While ISO 27001 focuses on the implementation of a management system for information security, the main objective of SOC is to provide assurance that the controls are operative.
Achieving ISO 27001 certification can serve as the basis for SOC, as implementing it will make sure that all (relevant) procedures and policies are documented and validated.
The SOC 2 add-on maps the trust services criteria to ISO 27001 and Annex A controls.
- Contains 9 mapping tables for the mandatory Security criteria
- Contains 4 additional mapping tables for the optional criteria (Availability, Confidentiality, Integrity and Privacy)
- Each mapping table contains active hyperlinks to the relevant pages in Instant 27001