SOC 2 Compliance: What You Need to Know

Trust and transparency. Companies that rely on cloud-based services need to know their data is safe, and the technology secure. Now, an independent body has verified the rigorous IT-security practices and controls at Sphera [formerly riskmethods]. We rocked the SOC! Read on to learn what this means for you.

1. What is SOC2?
2. How does SOC 2 compliance affect our customers?
3. Why is SOC 2 compliance important?
4. What are the requirements?
5. What is the difference between SOC 1 and SOC 2?
6. What does Type 2 refer to?
7. Anything else Sphera [formerly riskmethods] customers need to know about SOC 2?

With the System and Organization Controls 2 Type 2 audit now successfully behind us, Sphera [formerly riskmethods] clearly and proudly demonstrates SOC 2 Type 2 compliance in all aspects of security practices and controls. Our customers know that they can rely on our security, availability, processing integrity, confidentiality, and privacy.

Yet what does SOC 2 compliance mean for you? We’ll take you on a backstage tour of the topic.

1. What is SOC 2?

SOC 2 is an audit conducted by an independent auditing firm, across five categories called Trust Services Criteria. The five categories, and their key aspects, are:

• Security refers to protection of information throughout its lifecycle
• Availability involves performance monitoring, disaster recovery, and security-incident handling
• Processing Integrity focuses on ensuring that data is processed in a predictable manner, free of accidental or unexplained errors
• Confidentiality covers ability to protect confidential information throughout its lifecycle, including collection, processing, and disposal
• Privacy focuses on Personally Identifiable Information (PII)

The auditor evaluates the evidence we supply for the controls in each category. When completed, we receive the official SOC 2 report that assures our customers and business partners that their data is handled securely.

2. How does SOC 2 compliance affect Sphera [formerly riskmethods] customers?

Specifically, the SOC 2 evaluates the organization’s technical management. It assures that our customers’ data is handled securely. At the same time, it verifies that the infrastructure, policies, procedures, and systems we have in place protect customer data within our company’s operational processes, as well as within Sphera Supply Chain Risk Management [formerly riskmethods].

3. Why is SOC 2 compliance important?

What is key is that an independent party verifies all the critical aspects of data security mentioned. The auditor provides an independent opinion, and proof that we have been consistent in following the standards. Sphera [formerly riskmethods] proactively protects the IT-security of our customers and their data. For example:

• Improved information security practices Sphera [formerly riskmethods] defends itself effectively against cyberattacks and prevents breaches
• Worry-free integration Our technology and security meet the requirements of IT departments who integrate Sphera Supply Chain Risk Management [formerly riskmethods]
• Safe data Customer information and data is hosted and handled securely

4. SOC 2 compliance: What are the requirements?

SOC 2 Type 2 has a set of over 300 requirements and controls in the categories of security, availability, processing integrity, confidentiality, and privacy. In addition to verifying the infrastructure, software, people, policies and procedures, the auditor gathers evidence of how we apply each and every of those requirements and controls for the review period.

5. What is the difference between SOC 1 and SOC 2?

Originally established by the American Institute of Certified Public Accountants, the SOC framework is increasingly globally recognized. SOC 1 is very focused on the operational financial health of an entity. It is used as a single indicator for the capability of a company to operate. In comparison, SOC 2 is rather a comprehensive audit for SaaS companies and solutions. As described, it covers the data-handling aspects of security, availability, processing integrity, confidentiality, and privacy. We opted for all of these in our audit.

6. What does Type 2 refer to?

The Type 2 audit covers a 12-month interval. In other words, Type 2 has an annual recurrence, covering how the SaaS company operated throughout the year. Type 1 is performed only once. This one-off audit might even cover the work of just one day!

7. Anything else Sphera [formerly riskmethods] customers need to know about SOC 2?

This is not new to us! We have long implemented all of those procedures, policies, and controls. This compliance audit enables us to prove that we have been following and practicing the right procedures and controls.

We value transparency, so we can earn our customers’ trust. Through SOC 2 Type 2 compliance, we can prove we are an IT and cloud-service provider who uses verified information-security practices to ensure operational and security excellence.

riskmethods was acquired by Sphera in October 2022. This content originally appeared on the riskmethods website and was slightly modified for sphera.com.