For organizations receiving pressure to obtain an SSAE 18 SOC Attestation Report, the path can be confusing to navigate and understand. First off, SSAE stands for Statement on Standards for Attestation Engagements, and SOC stands for System and Organization Controls. Changes in wording and titles are very common in this area of expertise. In May of 2017, SSAE 18 replaced SSAE 16, and prior to SSAE 16, SAS-70 was used (up until 2010). In addition, the five Trust Services Principles (TSP) used for SOC 2 and SOC 3 reports were renamed to the five Trust Services Criteria (TSC) in December of 2018, listed under TSP Section 100. The five Trust Services Criteria are as follows:
There have been some changes to these criteria, and the controls that organizations have in place will need to align with them. At a high level, the criteria now place added focus on board and management oversight of controls, how risks are managed in the organization, how controls are monitored and maintained, and how organizations communicate internally and externally about their controls. These changes were brought about by the ever-changing security threat landscape.
When an organization is going to obtain a SOC 2 or SOC 3 Attestation Report, it is up to the organization to select which Trust Services Criteria are in scope and appropriate based on client needs, data handled, IT systems, etc. The only TSC that is required is the security criteria (common criteria). The other TSCs should be selected based on how the organization provides its services.
Compass IT Compliance partners with organizations across every industry to address their SOC Report needs and goals. We’re here to help you navigate the waters of SOC 1, SOC 2, and SOC 3 (Types I & II). Our team of security and compliance specialists can also help in identifying the criteria that are appropriate for your organization. Obtaining a SOC Report will show customers, clients, and vendors that suitable controls are in place and operating effectively within your organization. This can be a key differentiator in the decision-making process for both your clients and vendors. Contact us today to learn more!