What is SOC/SSAE 18?
SSAE 18 is a standard from the AICPA (American Institute of Certified Public Accountants), and SOC stands for System and Organization Controls. SOC for Service Organizations reports are internal control reports on the services provided by a service organization. They give users the information they need to assess and address the risks associated with an outsourced service. If you are a service organization and hold data belonging to others, you may need to comply and demonstrate that you have the necessary controls, policies and procedures, and the required evidence, to ensure customer data privacy.
- SOC 1 reports deal with internal controls for financial reporting.
- SOC 2 and 3 reports deal with Trust Services Criteria relevant to security, availability, processing integrity, confidentiality, or privacy.
The AICPA has also developed a cybersecurity risk management framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs.