SOC 2 Type II report

Definition

An independent audit report on a service organisation's controls related to security, availability, processing integrity, confidentiality, and privacy. Type II reports cover a period of time (typically six to twelve months), offering stronger assurance than a point-in-time SOC 2 Type I report.

Related terms

Audit rights clause
A contractual provision giving the buying organisation the right to assess, inspect, or commission a third-party audit of the vendor's security controls....
CAIQ (Consensus Assessments Initiative Questionnaire)
A questionnaire published by the Cloud Security Alliance, designed specifically for cloud service providers. It maps to the CSA Cloud Controls Matrix...
Fourth-party risk
The risk arising from a vendor's own subcontractors and suppliers. If a critical vendor outsources key processes to a subcontractor, the organisation's...
Inherent risk
The level of risk a vendor relationship carries before any controls are applied. Inherent risk determines how deep an assessment must be:...
SIG (Standardised Information Gathering)
A vendor security questionnaire published by Shared Assessments. The SIG Core covers eighteen risk domains including access control, data security, and business...
