A SOC (Service Organisation Controls) report provides assurance to a third party (e.g. a client) that certain (IT) controls are operative. There are three kinds of SOC reports:
- SOC 1 report: provides assurance on finance-related controls
- SOC 2 report: provides assurance on IT-related controls
- SOC 3 report: a more generic version of SOC 2
Within information security, SOC 2 and 3 are relevant.
The TSP 100 add-on is relevant for service providers who wish to provide assurance on the five trust services criteria.
SOC reports are based on five trust services criteria, as defined in TSP 100 (2017):
- Security (mandatory)
- Availability
- Processing integrity
- Confidentiality
- Privacy
Relationship to ISO 27001
While ISO 27001 focuses on the implementation of a management system for information security, the main objective of SOC is to provide assurance that the controls are operative.
Achieving ISO 27001 certification can serve as the basis for SOC, as implementing it will make sure that all (relevant) procedures and policies are documented and validated.
The TSP 100 add-on maps the trust services criteria to ISO 27001 and Annex A controls.
- Contains 5 individual mapping tables, one for each trust services criterion (Security, Availability, Processing integrity, Confidentiality and Privacy)
- Each mapping table contains active hyperlinks to the relevant pages in Instant 27001