A SOC (Service Organisation Controls) report provides assurance to a third party (e.g. a client) that certain (IT) controls are operative. There are three kinds of SOC reports:

  • SOC 1 report: provides assurance on finance-related controls
  • SOC 2 report: provides assurance on IT-related controls
  • SOC 3 report: a more generic, publicly shareable version of SOC 2

Within information security, SOC 2 and 3 are relevant.

The TSP 100 add-on is relevant for service providers who wish to provide assurance on the five trust services criteria.

SOC reports are based on five trust services criteria, as defined in TSP 100 (2017):

  • Security (mandatory)
  • Availability
  • Confidentiality
  • Integrity
  • Privacy

Relationship with ISO 27001

Rather than looking at it as a whole new set of requirements, it is recommended to utilize the synergy with ISO 27001, as both frameworks cover the same ground. And, depending on the auditing firm you are contracting, the audits could even be combined!

While ISO 27001 focuses on the implementation of a management system for information security, the main objective of SOC is to provide assurance that the controls are operative.

Achieving ISO 27001 certification can serve as the basis for SOC, as implementing it will make sure that all (relevant) procedures and policies are documented and validated.

Benefits

The TSP 100 add-on maps the trust services criteria to ISO 27001 and Annex A controls.

  • Contains 9 mapping tables for the mandatory security criteria
  • Contains 4 additional mapping tables for the optional criteria (Availability, Confidentiality, Integrity and Privacy)
  • Each mapping table contains active hyperlinks to the relevant pages in Instant 27001

Pricing

€ 495

Excluding applicable taxes

What about ISAE 3402?

All our clients have passed certification the first time.
Join them today!
