SOC 2

SOC 2, which stands for System and Organization Controls, is a framework which is used to assess an organisation’s information security practices. It was created by the American Institute of Certified Public Accountants (AICPA) as a way of helping an organisation reduce the risk of a security breach.

Although more common for US businesses and cloud service providers, SOC 2 is fast becoming a standard certification in Europe due to it’s robust requirements which are assessed over a period of time (for a SOC 2 type 2 report), unlike other certifications.

SOC 2 is a fantastic way of demonstrating that your organisation takes security seriously and wishes to reduce the likelihood of a breach to demonstrate to clients, partners and investors.

A set of hexagons with one labelled Audit, indicating a SOC 2 audit

Two business people discussing a SOC 2 audit

SOC 2 services

Grey Elephant has helped many companies prepare for their SOC 2 audit. Whether you need a complete end-to-end service, or assistance with just part of the process, we can help you every step of the way.

There are two main types of SOC 2 report; type 1 and type 2. Type 1 reports are a “point in time” report, which validates the effectiveness of the systems on the day they were tested. Type 2 is more common, due to its requirement for compliance to be demonstrated over a period of time before the audit takes place.

There are five Trust Services Criteria (TSCs) and we are able to advise you of which you should consider meeting for the audit and how your organisation is compliant with them:

Security (CC) - Your systems and data are protected against unauthorised access.
Availability (A) - Your information and systems are available for their intended use by their intended users.
Confidentiality (C) - Information is kept confidential and accessed only by the intended users.
Processing integrity (PI) - Data processing is complete, valid, accurate, and timely.
Privacy (P) - Consumer data is protected and consumers are informed about the collection, use retention, and disposal of their data.

We are also able to advise on which type of report (type 1 or type 2) is most appropriate for your organisation.

As a SOC 2 audit report is a sensitive document, a SOC 3 report, which details the findings of the audit without the sensitive content, is also issued at the same time.

Whether you require assistance meeting SOC 2 requirements, addressing issues from a failed audit or maintaining a successful certification, Grey Elephant’s expert consultants can help you manage the process quickly and cost effectively.

Contact Us

Get in touch for further information on our services or to arrange a call to discuss your individual requirements.

Contact Us

Get in touch for further information on our services or to arrange a call to discuss your individual requirements.

SOC 2

SOC 2 services

Contact Us

Contact Us

Grey Elephant Consulting Ltd

Pages