SOC 2 Type II (System and Organization Controls)
System and Organization Controls (SOC) is a suite of service offerings in connection with system-level controls of a service organization. SOC helps users to assess and address the risks associated with an outsourced service. There are different levels and types, but Callzilla specifically holds the SOC 2 Type II certification.
SOC 2 follows a series of Trust Services Criteria (TSC). These control criteria are used to evaluate and report on controls over information and systems within your company or outsourcer. These are the TSC categories:
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability: Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The one key difference between SOC 2 Type I and Type II is the time period of the report. Type I attests to the control factors at a certain period of time, whereas Type II is an attestation over a period of at least 6 months. Both report on the description of controls provided by management and attest that they are properly designed and implemented, but Type II also attests to the operating effectiveness of those controls.