by gnabgib
704 days ago
There are several parts of that article that are wrong. That's not what the acronym SOC[0] stands for, for example. And while the result of a SOC2 audit is a report, and it's primarily from the financial industry (not the security industry), SOC2 is an audit and not a report.

[0]: https://en.wikipedia.org/wiki/System_and_Organization_Contro...
Regarding the rest of your comment:
- SOC2 Report: While it is true that SOC2 audits result in a report, it's important to clarify that the SOC2 framework was indeed developed by the American Institute of CPAs (AICPA) and is primarily focused on the security, availability, processing integrity, confidentiality, and privacy of a service organization’s systems. This makes it highly relevant to the security industry, even if it has roots in the financial industry.
- Audit vs. Report: The SOC2 process involves an audit where an external auditor assesses the controls in place. The outcome of this audit is a detailed report that evaluates how well an organization meets the trust service criteria. So, saying "SOC2 is an audit and not a report" is somewhat misleading, as the audit process culminates in the generation of the SOC2 report.
I hope this clarifies any confusion.