Frequently Asked Questions

What is cybersecurity assurance?

Cybersecurity assurance is the practice of providing evidence and confirmation that an organization's information systems are secure. This includes evaluating the effectiveness of security measures and compliance with relevant standards.

What is conformity audit?

A conformity audit assesses an organization's adherence to specific guidelines, standards, or regulations. It aims to ensure that processes and systems align with established requirements.

What is Cybersecure Canada?

Cybersecure Canada is a national certification program aimed at Canadian small and medium-sized enterprises (SMEs). It focuses on improving cybersecurity measures by emphasizing aspects like data protection and system access controls.

What is ISO 27001?

ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It provides a framework for establishing, maintaining, and continually improving information security within an organization.

What is SOC 2 Attestation?

SOC 2 (System and Organization Controls) attestation is a certification provided by a third-party licensed CPA auditor. It confirms that an organization meets specified criteria for managing customer data based on five "trust service principles": security, availability, processing integrity, confidentiality, and privacy.

SOC 2 Defined: SOC 2 is an audit framework for verifying the security controls of service organizations that handle customer data in the cloud. It focuses on five Trust Services Principles: security, availability, processing integrity, confidentiality, and privacy.

What SOC 2 is Not: Compliance is not legally mandated. The framework is not governed by any regulatory body like HIPAA. Certification is performed by external auditors.

History: SOC 2 originated from SAS 70 and was introduced by AICPA in 2009. It was designed to focus strictly on security.

SOC 1 vs. SOC 2: While SOC 1 focuses on financial controls, SOC 2 emphasizes security controls. SOC 1 is useful for auditing the impact of controls on customers' financial data. In contrast, SOC 2 reports offer insights into a company's security posture.

Who Uses It: Primarily SaaS companies, cloud vendors, and organizations that store customer data in the cloud find SOC 2 relevant.

Importance: SOC 2 reports build credibility, aid in faster sales cycles, and facilitate governance and risk management.

Types: SOC 2 compliance involves two types of audits. Type 1 assesses design at a specific point in time. Type 2 verifies operational effectiveness over time.

Controls: SOC 2 assessment relies on the 2017 Trust Services Criteria, which outline control categories like organizational structure (CC1), communication (CC2), risk management (CC3), and others.

Attestation: To get a SOC 2 report, organizations need to comply with the selected Trust Services Principles, following an audit by a third-party licensed CPA firm.

What are impartial audit services?

Impartial audit services involve an unbiased evaluation of an organization's processes, systems, or compliance. The auditor operates independently to provide an objective assessment, free from any conflicts of interest.

What is a CSA STAR Certification?

CSA STAR Certification is a rigorous third-party assessment of the security of a cloud service provider, aiming to provide a higher level of assurance.

Have other questions in mind? Contact us today.