SOC 2 Type 2 certification: what it is and why it matters


Data security is essential in the digital age. With cyber threats just a few clicks away, businesses need stringent protocols in place to protect customers’ data. Fortunately, there are many reports, standards, and certifications to help you identify businesses committed to the protection and privacy of your personal data. 

One such report is the SOC 2 Type 2 attestation report. It is an important tool for businesses with cloud-hosted solutions that are serious about their data protection and privacy measures. At Gallagher, we are proud that our cloud-hosted solutions for Command Centre are SOC 2 Type 2 certified, providing you with peace of mind that we care about the privacy of your information.

What is a SOC 2 Type 2 certification?

System and Organization Controls 2 (referred to as SOC 2) is a voluntary compliance standard for service organizations. SOC 2 is maintained by the American Institute of Certified Public Accountants (AICPA), and audits are completed by accredited businesses.

What is the purpose of a SOC 2 Type 2 certification?

The purpose of a SOC 2 audit is to test an organization’s internal controls for information security and privacy. It ensures that the organization processes and stores client data securely and aligns with established best practices outlined in the American Institute of Certified Public Accountants (AICPA) Trust Service Criteria (TSC).

Beyond mere compliance, a SOC 2 Type 2 certification serves as a symbol of trust and transparency for organizations handling sensitive data in the constantly changing world of digital technology. The resulting report demonstrates that a business’s security and confidentiality controls meet or exceed the requirements established by the AICPA.

SOC 2 Type 2 Principles

There are five principles in the SOC 2 framework:

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

A business can be audited against any combination of these principles. During the audit process, all systems are reviewed by a trusted external third party to ensure they comply with the AICPA trust principles. This audit captures how a company safeguards customer data and how well the controls are operating.

What are the types of SOC 2 Reports?

There are two main types of SOC 2 reports, each offering distinct insights:

  1. Type I Report: This report examines the design of a vendor's system. Specifically, it assesses whether the system is suitably designed to meet the relevant trust principles at a particular fixed point in time. It essentially answers the question, "Is the system structured to ensure security, availability, processing integrity, confidentiality, and privacy?"
  2. Type II Report: This goes a step further by evaluating the operational effectiveness of these systems over a certain period, usually a six to twelve-month time frame. It provides details on whether the controls in place are functioning as intended and effectively maintain the trust principles throughout the stated timeframe.

Benefits of SOC 2 Type 2 Certification

SOC 2 Type 2 certification is a must-have for organizations serious about their data protection measures. With data breaches increasing at an alarming rate, businesses are under constant pressure to provide their clients and customers with assurance that their information remains secure. By conducting a SOC 2 Type 2 audit, companies demonstrate their commitment to data security and privacy.

Additionally, achieving SOC 2 Type 2 complements existing ISO 27001 standards and can be used to verify, through an independent validation audit, that businesses prioritize the security of their customers’ information and data. Both certifications determine that proper procedures are in place to ensure customers’ data is secure, private, and confidential, while also looking at a business’s service availability and processing integrity.

A SOC 2 Type 2 attestation report not only demonstrates that you have robust controls in place to protect your business and customers from data breaches, but it’s also a great competitive advantage when tendering for new projects and retaining customers.

How often should organizations undergo audits to ensure SOC 2 compliance?

Organizations aiming to maintain SOC 2 compliance must undergo regular audits. The industry-standard frequency for these audits is annual; this helps businesses identify and address gaps before they become significant concerns.

Although the formal audit occurs annually, continuous monitoring and internal reviews should be in place to quickly identify and mitigate risks between audits.

Engaging third-party auditors can provide an objective assessment, ensuring that the organization meets all requirements.

Annual audits combined with continuous monitoring are essential for organizations to ensure they remain SOC 2-compliant year-round.

What does SOC 2 ensure for service providers?

SOC 2 focuses on ensuring that service providers maintain rigorous standards for data security and privacy. This auditing procedure shows that your service providers implement comprehensive measures to protect your organization's data and safeguard client information.

Key points that SOC 2 covers include:

  • Data Security: Ensures that service providers have robust controls in place to prevent unauthorized access and data breaches of systems and information.
  • Privacy Protection: Verifies that client data is handled with the highest level of confidentiality and used solely for its intended purpose.
  • Availability: Confirms that systems are operational and accessible as needed, maintaining consistent performance levels.
  • Processing Integrity: Ensures that data processing is accurate, timely, and authorized to achieve the intended objective.
  • Confidentiality: Ensures that sensitive information is protected from unauthorized disclosure.

By adhering to SOC 2 standards, service providers demonstrate their commitment to safeguarding your organization's data and upholding the trust and privacy of your clients. 

Why is choosing a SOC 2 certified solution important for your organization?

Companies in many industries, such as financial services and healthcare, are expected by their clients to have SOC 2 certification. Depending on the complexity and sensitivity of the data handled by the organization, some government agencies also demand SOC 2 Type 2 compliance.

SOC 2 Type 2 empowers businesses to regularly and comprehensively evaluate their existing controls against established market benchmarks. This proactive audit is important for businesses looking to continuously improve their internal data security controls and identify any gaps or issues that may not otherwise have been identified. By embracing this step towards transparency, businesses enable robust security measures that safeguard sensitive information while fostering a culture of accountability. A SOC 2 Type 2 report is an invaluable tool for any business looking to actively demonstrate its commitment to the ongoing protection of customer data.

What is included in the Gallagher Security SOC 2 Type 2 report?

Gallagher Security has conducted a SOC 2 Type 2 audit via an accredited third party. The report covers applications that are grouped under the following Command Centre cloud-hosted services:

  • Mobile Connect
  • Command Centre Web
  • API Gateway, enabling access to Command Centre Mobile

First achieved in early 2023, the report outlines our internal controls for the development processes of these products and confirms that they adequately safeguard data internally within Gallagher as well as customer data in accordance with the trust services criteria. We achieved SOC 2 Type 2 recertification after a fresh audit of our cloud-hosted services on December 21, 2023.

At Gallagher, we believe that data security is of the utmost importance, and conducting this audit is one way we can show our dedication to protecting our clients’ data. We are proud of the many regulations, standards, accreditations, and awards we’ve earned by being an industry-leading, cybersecurity-responsible vendor. The SOC 2 Type 2 certification further demonstrates our commitment to being the most cyber-secure physical security manufacturer.

Is data security important to you? Choose the only physical access control manufacturer, worldwide, with this set of certifications: ISO27001, CAPSS CPNI 2021, AACS 2022, EN50131-4, SOC 2 Type 2.
