Since it was introduced six years ago, SOC2 reporting has gained considerable adoption as a preferred mechanism for providing assurance over a service provider's security, availability and confidentiality practices. SOC2 reporting has become a de facto requirement for cloud services and is increasingly used in the technology, financial services and healthcare sectors. There have also been considerable efforts to align SOC2 with other industry standards and frameworks in response to user requirements. For example, there are efforts underway to establish an expanded version of SOC2 reporting that incorporates key elements of the NIST Cybersecurity Framework.
Service providers frequently use SOC2 to address customer requirements and as a foundation to demonstrate alignment with industry-specific requirements and support other compliance efforts such as ISO 27001 certification. Still, a number of service providers have not yet taken advantage of SOC2 to help reduce the burden of other compliance activities.
Many enterprise customers have used these reports to assist with their due diligence, governance, risk management, compliance and information security efforts. However, these users of service providers often do not fully appreciate the benefits, and in some cases the limitations, of the SOC2 reports they obtain.
Join leaders from KPMG’s Risk Consulting practice as they discuss the current third party assurance landscape, emerging industry trends, how service providers are scoping and approaching their SOC2 efforts, and how enterprises are evaluating and leveraging SOC2 reports in their vendor risk management programs.