Compliant? Says Who?

THINK TRUTH. Think CoventBridge Group.

Compliant?SaysWho? WhatItMeansToBeSOC2 TypeI Compliantvs.Certified

The Global Leader in Full-Service Investigations

What It Means To Be SOC 2 Type II Compliant vs. Certi f ied Many organizations state that they are SOC 2 Type II compliant, but being compliant is not a certification. While they sound similar, these terms are easy to differentiate. Organizations that hold the title of SOC 2 Type II certified have been verified through an independent certified third party auditor who has determined they have implemented well-defined and verifiable policies, procedures, and practices over an extended period of time— not just ticking the compliance checkboxes.

Organizations that state they are simply just compliant have no defined process for review and are not verified by an independent party to validate that they are, in fact, actually compliant or even meeting the minimum standard.

What Does Being SOC 2 Type II Certi f ied Really Mean?

SOC 2 (Service Organization Controls) is a designation that certifies the security, processing integrity, availability, confidentiality, and privacy of the organizations hosted systems and the data in which they store and process. This certification requires that organizations security controls go through a rigorous standard of testing and meet controlled requirements. Type _II is the classification that verifies certification is over a period of time, not just a point-in-time. Type II reports are more valuable, as they validate the operating effectiveness of these controls through the year. Outsourcing the needs of your organization exposes it to risks, and with the increase in data breaches year-over-year you need to ensure you are protecting your organization. You can do that by asking the right questions to your partners.

• Are you SOC 2 Type II compliant or certified? If not, why? If so, do you have verification of certification?

• If they mention the SOC 1 report, know that is a report that is more for evaluating the financial reporting protocols of the organization, not the system security or availability, which SOC 2 is meant for.

• Who certified your organization?

You can rest assured that CoventBridge has its SOC 2 Type II safeguards and procedures in place. If you have any questions regarding our SOC 2 Type II certifications, please reach out to our security experts via email at

The global Leader in Full-Service Investigations

Page 1 Page 2

Made with FlippingBook - Online catalogs