
SOC 2 Assurance
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
A reference guide to SOC 2 and our methodology
Table of Contents

SOC 2 Overview
SOC 2 in a nutshell 3
Benefits of a SOC 2 4
What does it take to develop and issue a SOC 2? 5
Components of a SOC 2 report 6
SOC 2 Trust Criteria Overview 7
SOC 2 for Supply Chain 9

Deloitte’s SOC 2 Services
Our Third-Party Assurance Services 13
Our engagement references 14

SOC 2 comparison to other standards
SOC 2 and ISAE 3402 16
SOC 2 and PCI DSS 17
SOC 2 and ISO 27001 18

Contact information 20

SOC 2 in a nutshell
There is an ever-increasing demand for companies to provide SOC 2 reports to their
customers and business partners. Many companies require a SOC 2 as part of a new
contract or contract renewal process (especially U.S. based companies). Customers are
requiring the formal documentation and independent assurance provided by a SOC 2
report and service organizations are seeing the commercial advantage of being able to
state that they have a SOC 2 report.

What is a SOC 2 Report?
A SOC 2 report is a type of audit report that assesses a company's controls related to security, availability, processing integrity, confidentiality, and privacy of a service organization's systems and services. The report is intended to provide assurance to customers and other interested parties that the service organization has effectively designed and implemented controls to meet the trust principles of security, availability, processing integrity, confidentiality, and/or privacy. SOC 2 reports are performed by independent auditing firms and are based on the AICPA's (American Institute of Certified Public Accountants) SOC 2 Trust Services Criteria.

Who needs a SOC 2 Report?
A SOC 2 report is typically needed by organizations that handle sensitive data and are subject to compliance requirements set by their customers and regulators, such as:

• Managed IT service providers
• Software as a Service providers
• Cloud service providers
• Payment processors
• Healthcare providers
• Legal and accounting firms
• Government agencies

5 steps to SOC 2 Reporting

Step 1: Get the scope right
Getting the scope right ensures that you get the report that the recipients need and that it includes only the relevant entities, locations and criteria. You need to pick which Trust Criteria you want covered, when you need to issue the report, the report type (1 or 2) and many other details that will have an effect on the report process. The scope should be set as clearly as possible from the start but may evolve over time.

Step 2: Gap analysis and remediation
We recommend starting off any SOC 2 engagement with a set of gap analysis workshops. We meet with key personnel at the service organization to walk through the requirements and identify potential gaps or weaknesses in controls that need to be remediated.

Step 3: Type 1 reporting
Starting with the ambition to issue a Type 1 report first is recommended, to allow the service organization to get the control structure in place and to identify and remediate significant gaps or weaknesses while providing the recipient with a good ‘first step’. This will be the ‘baseline’ on which all future Type 2 reports can build, and the controls in the Type 1 report should be executed and documented to ensure compliance with Type 2 testing requirements.

Step 4: Type 2 reporting
A Type 2 report tests the operating effectiveness of the controls over a period of time (e.g., 1 year) and requires good audit evidence of the controls having been executed. The auditor will include a separate section in the report detailing the tests performed and the results of the tests.

Step 5: Reevaluation and streamlining
The control regime, the scope of the report and its contents, and the methods and techniques used to test the controls should be reviewed at least annually to ensure ongoing relevance and efficiency.

Benefits of a SOC 2
Obtaining a SOC 2 report requires investment both in terms of time and cost for an organization. However, the advantages of getting a SOC 2 attestation far outweigh the initial investment. Third-party organizations that successfully complete a SOC 2 audit can offer their clients reasonable assurance that an independent reviewer has assessed their controls that relate to operations and compliance, and that they meet the criteria prescribed by the AICPA for the five Trust Services Criteria (TSCs). The report helps to prioritize risks in order to ensure that high quality services are being delivered to the clients. Essentially, a SOC 2 report is a tool that can give organizations a competitive advantage and open up their market to new industries.

Benefits for the Service Organization

✓ Commercial advantage: In sales situations, TPA reports can be one of the items which differentiate one service organization from its peers/competitors. It may also be seen as a disadvantage if the OSP does not have such a report, but their competitor does.

✓ Cost savings: Providing TPA reports, which require one audit team for a predictable period of time, is generally more cost effective than participating in customer audits. Customers receiving TPA reports are often required to pay for the reports, further reducing the cost burden of internal control testing.

✓ Broad assurance: Most TPA reports provide reasonable assurance to a broad range of clients with a single report.

✓ Compliance requirements: Demonstrates to regulatory bodies that controls are in place and operating effectively.

✓ Improved overall control awareness: The process of developing and issuing a TPA report at an OSP often generates increased internal control awareness within the organization.

✓ Customer requirement: Future customers and existing customers wishing to renew contracts may require such reports, and having the report process in place may lead to an increased ability to win new customers or keep existing relationships.

Benefits to SOC 2 report recipients

✓ Confidence: Increased confidence that the vendor is meeting the internal control expectations of their customers, through independent and transparent reporting on the operating effectiveness of controls at the supplier.

✓ Internal reporting requirements: Ensuring that the company’s multi-purpose reporting requirements — including operational and financial — are met.

✓ Valuable insight/monitoring: Independent assessments of whether the controls of the OSP were in place, suitably designed and operating effectively, with a focus on continuous improvement when controls are found to be lacking.

✓ Cost savings: OSPs may charge customers for TPA reports, or they may not. The cost of being required to pay for a TPA attestation report should be weighed against the cost of the customer having to maintain their own staff, or hire staff, to be able to perform regular audits of the supplier(s).

✓ Compliance requirements: Maintaining compliance with industry, governmental and other relevant regulatory requirements.

What does it take to develop and issue a SOC 2?
Each of our SOC 2 engagements has roughly followed the same process. We have found that it is important to spend enough time up-front to get the scoping of the report right, develop a detailed plan of action, identify key stakeholders and make the practical arrangements. We have developed templates and, although each client’s control environment is different, we have a good understanding of what types of controls to look for.

Planning, walkthroughs and gap analysis reporting
Phases 1 and 2 of any new SOC 2 project include planning the engagement, getting to know the key stakeholders and getting them used to the SOC 2 audit process, and performing the initial process walkthroughs to identify control gaps or weaknesses. If we can get this analysis done early, the client is able to initiate remediation efforts to fill the control gaps and strengthen any weak controls early enough that the rest of the SOC 2 testing process is as smooth as possible, and the resulting SOC 2 report is as free of ‘findings’ as possible.

Type 1 reporting
When the client is confident that any significant control gaps or weaknesses have been remediated, we perform the final control walkthroughs and the assessment of the design and implementation of the controls necessary to produce the Type 1 version of the report. Most clients begin their SOC 2 process by issuing a Type 1 report, with Type 2 reports for the future periods starting from the as-of date of the Type 1.

Type 2 reporting
When issuing a Type 2 report, we perform tests of the controls covering a period of time (at least 6 months), generally from 1 January through 31 December. These detailed tests are performed using internationally accepted audit sampling guidelines, which are designed to provide reasonable assurance that errors, if present, would be identified in the sample.

Ongoing improvement
Discussing lessons learned with the client, tracking areas for future improvement in the report or our audit methods, and regularly assessing the quality of our work ensures that our engagements and reports are of the highest quality.

Components of a SOC 2 report

Section I: Independent service auditor’s report (opinion)
Section I of a Type 2 SOC 2 report contains the service auditor’s opinion about whether:
• Management’s description of the service organization’s system is fairly presented
• The controls included in the description are suitably designed to meet the applicable trust services criteria stated in management’s description and were operating effectively to meet the applicable trust services criteria
• For SOC 2 reports that address the privacy principle, management complied with the commitments in its statement of privacy practices throughout the specified period

Section II: Management’s assertion
Management is required to provide a written assertion about whether, in all material respects and based on suitable criteria:
• Management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date
• The controls stated in management’s description of the service organization’s system operated effectively throughout the specified period to meet the applicable trust services criteria
• Management must have a reasonable basis for its assertion. Standards provide flexibility in the actual procedures performed by management. Management may not rely solely on the testing done by the service auditor.

Section III: Description of the system (provided by the service organization)
System Description Overview (provided by the service organization):
• This information will be provided by the service organization
• A system consists of five key components organized to achieve a specified objective. The five components are categorized as follows:
  o Infrastructure: The physical and hardware components of a system (facilities, equipment, and networks)
  o Software: The programs and operating software of a system (systems, applications, and utilities)
  o People: The personnel involved in the operation and use of a system (developers, operators, users, and managers)
  o Procedures: The automated and manual procedures involved in the operation of a system
  o Data: The information used and supported by a system (transaction streams, files, databases, and tables)
• Applicability & Purpose of Report, System Overview, Entity level control information and Complementary User-Entity Controls will also be included in Section III

Section IV: Trust services criteria, related controls and tests of operating effectiveness
• Trust services criteria, related controls (provided by the service organization), and tests of operating effectiveness (provided by the service auditor), testing matrix with mapping to TSC
• Topical Area System Descriptions (provided by the service organization), Testing and Results (provided by the service auditor)

Section V: Other information provided by the service organization (Optional)
• Section V will contain information that the service organization would like to provide to the users of the report, which is NOT covered by our opinion.

Section III: Trust Categories
A SOC 2 report may include any of the trust services categories of security, availability, processing integrity, confidentiality, or privacy, either individually or in combination with one or more of the other trust services categories.

For each category addressed by the engagement, all the criteria for that category should usually be
addressed. However, in limited circumstances, one or more criteria may not be applicable to the
engagement. In such situations, the one or more criteria would not need to be addressed.

Further, the common criteria (included in the Security trust services category) should be applied
regardless of which trust services category is included within the scope of the engagement.

• Security - Information and systems are protected against unauthorized access, unauthorized disclosure
of information, and damage to systems that could compromise the availability, integrity,
confidentiality, and privacy of information or systems and affect the entity's ability to meet its
objectives.

• Availability - Information and systems are available for operation and use to meet the entity's
objectives.

• Processing Integrity - System processing is complete, valid, accurate, timely, and authorized to meet
the entity's objectives.

• Confidentiality - Information designated as confidential is protected to meet the entity's objectives.

• Privacy - Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

SOC 2 for supply chain
Manufacturers, producers, and distribution companies (referred to herein as “organizations”) must manage a complex network of plants, service providers, and suppliers to operate efficiently and meet commitments to customers. At the same time, the threats to and vulnerabilities of each supplier in the chain have increased significantly. When a supply chain is disrupted, the organization is at risk of failing to meet production or delivery commitments it has made to its customers.

Disruption to supply chains
Causes of disruption to supply chains include the following:

• Weather and other natural disasters (such as hurricanes or tornadoes) in a geographic area that is home to a supplier’s facility
• Threat of war or military action in a geographic area that is home to a supplier’s plant
• The lack of financial well-being of a key supplier or shipper
• Widespread diseases (such as SARS, MERS, or the COVID-19 coronavirus) that can affect the entire supply chain

For these reasons, an organization’s ability to achieve its objectives is increasingly dependent on events, processes, and controls that are not visible to the organization and are often beyond its control, such as controls at the suppliers.

Failure to manage risks
Manufacturers, producers, and distribution companies are looking for visibility across their complex supply chain networks to better understand the risks of doing business with suppliers and the controls the suppliers have in place to mitigate those risks. The failure to manage these risks appropriately can result in:

• reputational damage,
• loss of intellectual property,
• disruption of key business operations,
• fines and penalties,
• litigation and remediation costs, and
• exclusion from strategic markets.

This is why supply chain risk management has become such a significant issue to many organizations and their stakeholders. Suppliers are also increasingly interested in communicating how they manage the production and distribution risks in their own systems as a way of reassuring the organizations with whom they do business.

SOC 2 for supply chain
In recognition of the needs of commercial customers and business partners of manufacturers, producers, and distribution companies, the AICPA has developed a framework for reporting on the controls over a manufacturing, production, or distribution system. Organizations can use the reporting framework to communicate to stakeholders relevant information about their supply chain risk management efforts and the processes and controls they have in place to detect, prevent, and respond to supply chain risks.

The reporting framework also enables an attestation provider to examine and report on management-prepared system information and on the effectiveness of controls within the system, thereby increasing the confidence that stakeholders may place in such information. A report that results from an examination of a manufacturing, production, or distribution system and its controls is referred to as a SOC for Supply Chain report.

SOC 2 for supply chain (continued)

Managing supply chain risk of suppliers
Because of their dependence on suppliers, organizations are responsible for understanding the risks of doing business with suppliers and for designing, implementing, and operating controls to mitigate those risks. For that reason, organizations are interested in, among other things:

• obtaining an understanding of the risks identified by a supplier that affect the supplier’s production, manufacturing, or distribution of goods.
• comparing the supplier’s objectives for the production, manufacturing, or distribution of goods with customers’ needs.
• obtaining an understanding of the production, manufacturing, or distribution process of a supplier to better understand the risks to the customer of doing business with the supplier and the controls that the supplier has implemented to mitigate those risks.
• when establishing IT connectivity with a supplier or business partner, understanding the information security controls implemented by the supplier or business partner in order to more effectively integrate the security controls of the two entities.

Currently, organizations interested in the systems and controls of their suppliers have to assemble the desired information from many different sources, including the following:

• Supplier-provided information
• Site visits, inspections, and other procedures performed by the supplier’s internal audit functions
• Assurance programs (such as International Organization for Standardization [ISO] certifications) performed by third-party assessors

A more efficient way to build supplier trust
With the introduction of the SOC for Supply Chain framework, however, organizations may find that obtaining a SOC for Supply Chain report from their suppliers is the most efficient way to get the information they need to understand the risks of doing business with suppliers.

Objective of the SOC for Supply Chain reporting framework
The objective of the SOC for Supply Chain reporting framework is to provide a means by which manufacturers, producers, and distribution companies can communicate useful information about their systems and the controls within the systems to customers and business partners. CPAs can examine and report on such information, thereby increasing the confidence that customers and business partners can place in the information.
SOC 2 for supply chain (continued)
What does the SOC 2 for supply chain report do?
The reporting framework and the report resulting from its use do the following:

• Provide a set of common criteria for disclosures about a manufacturing, production, or distribution
company’s system — Through the use of a common set of description criteria that set forth disclosures
about the system, the SOC for Supply Chain report reduces the information burden on organizations by
providing customers and business partners with useful information about the system and its controls to
help users better understand the associated risks and make better decisions.
• Provide a set of common criteria for assessing control effectiveness —The SOC for Supply Chain report
provides an independent assessment of the effectiveness of a manufacturer, producer, or distribution
company’s controls using the AICPA’s 2017 trust services criteria for one or more of the following
categories: security, availability, processing integrity, confidentiality, or privacy.
• Reduce the communication and compliance burden on organizations — The SOC for Supply Chain
report reduces the number of information requests from customers and the amount of information
sought if such requests are made.
• Provide useful information to customers and business partners while minimizing the risk of creating
vulnerabilities to the organization— Information provided in the SOC for Supply Chain report is
designed to meet the needs of customers and business partners without disclosing critical defenses
that might be targeted by malicious actors.
• Provide comparability — The SOC for Supply Chain report would provide customers and business
partners with information that could be used to track the progress of the organization’s supply chain
efforts across time and to benchmark those efforts against other organizations.
• Provide scalability and flexibility — The SOC for Supply Chain framework is useful to manufacturers,
producers, and distribution companies of varying sizes and across all industries.
• Evolve to meet changes — The SOC for Supply Chain framework will be updated and modified over
time based on experience, changes to the environment, and organization and stakeholder needs.

The SOC for Supply Chain framework leverages the core competencies of attestation providers as
providers of examination services, applying them to an organization’s supply chain efforts in accordance
with the AICPA’s Code of Professional Conduct and attestation standards.

Transparent information to stakeholders to build trust


A manufacturer, producer, or distributor and its customers and business partners will be best served if
there is a defined set of information intended to enhance understanding of controls over manufacturing,
production, and distribution systems. The information in the SOC for Supply Chain report is intended to
provide useful information to stakeholders while also being:

• transparent,
• consistent across time,
• comparable between entities,
• reasonably complete,
• scalable, and
• flexible.

The SOC for Supply Chain examination could go far in meeting the information needs of customers and
business partners of manufacturers, producers, or distributors.

Deloitte’s Services and Reference Engagements

Deloitte’s Third-Party Assurance Services

[Figure: Third Party Assurance Services overview. Service areas shown: Combined SOC 1 & ISAE 3402 Reports; SOC 2 Reports; SOC Readiness Assessments; ISAE 3000 Sustainability Attestations; Third Party Risk Management (TPRM) and Vendor Reviews; ISAE 3000 GDPR – DPA Attestations.]

We have experience in providing the following Third-Party Assurance services:

• SOC 1 & ISAE 3402 attestation – We deliver numerous ISAE 3402 reports for customers each year and even have clients where we issue a combined ISAE 3402 and SOC 1 report, increasing the usability of the report for their US customer base.

• SOC 2 attestation – Performed in accordance with the AICPA-issued Trust Services Criteria for Confidentiality, Availability, Security, Processing Integrity and Privacy; we issue more than 10 SOC 2 reports for Norwegian companies annually.

• ISAE 3000 Data Processing Agreement Attestation (GDPR compliance) – We provide attestations to customers which are used to evidence compliance with the terms outlined in their Data Processing Agreements.

• Third Party Risk Management (TPRM) – Assisting clients in formalizing their third-party risk evaluation and mitigation efforts, including methods to inventory third-party relations, classify the risk of each existing and any future third-party relation, develop self-assessment questionnaires covering varying risk themes (e.g., cyber, financial, climate and sustainability), review responses, and define and execute the audit procedures that result from the assessments.

• Vendor Reviews – Using our vast experience in both auditing and assisting vendors with their internal control needs, we can perform reviews of your vendors for you, either to provide you with assurance for specific risks you have identified or by following one of our vendor audit programs for specific topics.

• Sustainability Reporting attestation – We provide attestation reports on companies’ sustainability reporting as well as other climate and sustainability related topics.

• SOC Readiness Assessments – We perform gap analyses and readiness assessments for all of the above topics.

Note: The names of our references are made anonymous for this brochure.
Deloitte engagement references

Our core team of Third-Party Assurance experts each has significant experience in providing attestation services.

Our client experience
Our team of more than 90 TPA resources in the Nordic region, supported by subject matter experts from our IT Audit, Cyber Security, Financial Audit, Legal and Consulting departments, delivers more than 200 attestation reports to more than 100 clients in the region. We work on some of the Nordic region’s most challenging and exciting attestation engagements.

The following is a list of some of the engagements our Norwegian team has worked on or is currently delivering. We support engagements across the Nordic region, as indicated (NO, SE, DK).

• Payroll processing (ISAE 3402 Type 2 – Payroll)
• SaaS provider (SOC 2 Type 2 – SaaS)
• SaaS provider (ISAE 3000 GDPR – SaaS) (DK)
• Telecom (ISAE 3402 – Transaction processing)
• SaaS provider (ISAE 3000 Type 1 – SaaS) (DK)
• SaaS provider (ISAE 3000 GDPR – SaaS) (DK)
• IT services provider (SOC 2 Type 2 – IT)
• SaaS provider (ISAE 3402 Type 2 – SaaS) (DK)
• SaaS provider (ISAE 3402 Type 1 – SaaS) (DK)
• SaaS provider (SOC 2 Type 2, ISAE 3000 GDPR and ISAE 3000 for MitID and NSIS – SaaS)
• IT services (SOC 2 Type 2 – IT) (DK)
• Financial services (ISAE 3402 Type 2 – IT) (DK)
• Educational institution (ISAE 3402 Type 2 and ISAE 3000 GDPR) (DK)
• SaaS provider (SOC 2 Type 2 – SaaS)
• Financial services (ISAE 3402 and multiple SOC 2 reports – Financial services) (SE)
• IT services provider (ISAE 3402 Type 2 – Managed IT)
• SaaS provider (ISAE 3402 Type 2 – SaaS)
• IT security services (SOC 2 Type 2 – IT services)
• Airline (ISAE 3000 Type 1 – Process integrity)
• SaaS provider (SOC 2 Type 2 – SaaS)
• SaaS provider (SOC 2 Type 2 – SaaS)
• IT services (SOC 2 Type 2, ISAE 3402 Type 2 and ISAE 3000 GDPR – Managed IT)
• Financial services (SOC 2+ with CSA CCM – Financial services) (DK)
• Transportation services (ISAE 3402 Type 2 – Ticket income distribution)
• IT services provider (ISAE 3402 / SOC 1 combined and SOC 2 Type 2 – Data center services)
• SaaS provider (ISAE 3402 Type 2 and 3 ISAE 3000 GDPR – SaaS) (DK)
• IT services (Multiple ISAE 3000 reports – Managed IT services)
• SaaS provider (ISAE 3402 Type 2)

Our customers will vouch for us
Considering using our services but uncertain? We can provide you with multiple client references that you can feel free to contact to discuss our team, our services and our quality. These references can be provided as part of a request for proposal discussion.

SOC 2 Comparison to other standards

SOC 2 and ISAE 3402 (SOC 1)
SOC 2 and ISAE 3402 reports are two widely used frameworks for assessing and reporting on the control objectives and activities of an organization with regard to information security and data protection. However, there are several differences between the two that determine their focus, scope, use, and target audience.

Focus
SOC 2 focuses on the overall security and privacy of an organization's information systems, including their infrastructure, network, data, and applications.

ISAE 3402 focuses on the manual and IT-based controls put in place by a service organization that are relevant to the processing of financial transactions on behalf of their customers. It also takes into account the management of risks that may impact the services they provide.

Scope
The scope of a SOC 2 report is broad and covers all customer-facing information systems and activities related to security, availability, processing integrity, confidentiality, and privacy, with the main focus of the report being security.

The scope of an ISAE 3402 report is more focused on the risks and internal controls related to the business processes and the general IT controls in place to ensure the complete and accurate processing of financial transactions for their clients.

Use
The ISAE 3402 report is typically used by organizations that provide services to customers, such as data centers, cloud services, and software-as-a-service providers. The report is used to demonstrate their commitment to security and data protection and to provide assurance to customers that their information is being handled appropriately. On the other hand, SOC 2 reports are used by organizations to demonstrate their overall security posture and to provide assurance to stakeholders and customers that their information systems are secure and their data is protected.

Target Audience
The ISAE 3402 report is intended for customers, stakeholders, and auditors who require assurance on the security and data protection measures put in place by the service organization. The report provides information on the service organization's internal controls and the measures they have taken to manage risks. On the other hand, the SOC 2 report is intended for customers, stakeholders, and auditors who require assurance on the overall security and data protection of an organization.

These two report types serve different purposes and have different focuses, scopes, uses, and target audiences. Choosing the framework that best fits the needs of your customers, stakeholders and their auditors is important. We have extensive experience in making the right choice.
SOC 2 and PCI DSS
While both PCI DSS and SOC 2 audits are designed to ensure that
organizations protect sensitive data, they have different scoping, testing
strategies and levels of assurance. PCI DSS is geared towards compliance
with specific requirements for credit card data handling, while SOC 2 is
focused on the overall control environment of the organization, including
security, availability, processing integrity, confidentiality, and privacy.

Main differences

PCI DSS (Payment Card Industry Data Security Standard) and SOC 2 (Service Organization Control 2) are two different types of audits that organizations can undergo to ensure compliance with security and data protection standards. The main differences between the two audits lie in their scoping and testing strategies, as well as the level of assurance they provide.

PCI DSS
PCI DSS is a set of standards developed by major credit card companies to ensure that merchants and service providers who process, store, or transmit credit card information maintain a secure environment. The audit for PCI DSS is typically more focused on the specific systems and processes that handle credit card data, such as point-of-sale terminals and online payment portals. The scope of the audit is typically limited to the parts of the organization that handle credit card data, and the testing is geared towards identifying vulnerabilities and non-compliance with the PCI DSS requirements.

SOC 2
SOC 2, on the other hand, is a broader audit that looks at an organization's overall control environment, including security, availability, processing integrity, confidentiality, and privacy.

Scope
The scope of the SOC 2 audit is typically much wider, covering all aspects of the organization's operations and systems, including those that do not handle sensitive data.

Testing
The testing for SOC 2 is geared towards assessing the design and effectiveness of the organization's controls, rather than identifying specific vulnerabilities.

Level of assurance
In terms of the level of assurance provided, PCI DSS is typically considered to be more specific and prescriptive, while SOC 2 is considered to be more general and principles-based. PCI DSS is focused on compliance with a specific set of requirements, while SOC 2 is focused on the overall control environment of the organization.

Target audiences
A PCI DSS audit is focused on organizations that process credit card transactions. The target audience for this type of audit would typically include companies in the retail, hospitality, and financial services industries.

A SOC 2 audit is focused on organizations that handle sensitive data and provide services, such as cloud providers and managed service providers. The target audience for this type of audit would typically include technology and service companies.
SOC 2 and ISO27001

Isn't my ISO 27001 certification enough?

We get this question a lot. The answer is, 'enough for what purpose?'

ISO 27000 and SOC 2 are two distinct standards for information security and data protection. Both are widely recognized and respected in their respective fields, but they serve different purposes and have different requirements.

ISO 27000
ISO 27000 is a series of international standards for information security management. The standard provides a framework for managing sensitive information and includes guidelines for risk management, incident management, and compliance. To achieve ISO 27000 certification, an organization must demonstrate that it has implemented the necessary controls and processes to protect sensitive information.

SOC 2
SOC 2, on the other hand, is an attestation standard for service providers. It is designed to provide assurance to customers that the service provider has implemented appropriate controls to protect their sensitive information. SOC 2 focuses on five trust principles: security, availability, processing integrity, confidentiality, and privacy. To achieve SOC 2 compliance, a service provider must undergo an independent audit and provide a report to its customers.

What's the difference?

Purpose:
ISO 27000 is focused on information security management within an organization, while SOC 2 is focused on providing assurance to customers that a service provider has implemented appropriate controls to protect their sensitive information.

Audience:
ISO 27000 certification is intended for organizations of all sizes and types, while SOC 2 is primarily intended for service providers.

Scope:
ISO 27000 covers a wide range of information security management topics, while SOC 2 is focused specifically on security, availability, processing integrity, confidentiality, and privacy.

Compliance:
ISO 27000 certification is based on self-assessment and internal audit with controls tested on a rotation basis over 3 years, while SOC 2 compliance provides a higher level of audit assurance with all controls tested annually, is based on independent testing and the production of a comprehensive report to share with customers.

Contact Information

Kevin F. McCloskey
Associate Partner, Third-Party Assurance Services
CISA, CIA, CIPP/e, CRMA
Mobile: +47 913 68 848
Email: [email protected]

Lasse Vangstein
Partner, State Authorized Auditor
Mobile: +47 975 84 086
Email: [email protected]

Jouni Viljanen
Partner, Risk Advisory
Mobile: +35 820 755 5312
Email: [email protected]

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee
("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally
separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to
clients. Please see www.deloitte.no for a more detailed description of DTTL and its member firms.

Deloitte Norway conducts business through two legally separate and independent limited liability companies;
Deloitte AS, providing audit, consulting, financial advisory and risk management services, and Deloitte
Advokatfirma AS, providing tax and legal services.

© 2023 Deloitte AS
