How to Determine Whether to Include the Privacy Category in a SOC 2 Report

white paper

By: Jami Kilcoyne | CPA, CISA | Managing Director, Coalfire Controls & Jeff Cook | CPA, CITP, CCSK, CISA, SOC Director, Coalfire


Overview - One of the challenges many service organizations face is determining whether the privacy category (called the privacy principle in earlier versions of the Trust Services Principles and Criteria) should be in scope for their Service Organization Control (SOC) 2 report. It is not uncommon for organizations that handle personal information to conclude automatically that privacy must be in scope. However, companies should gain a thorough understanding of the privacy category and its criteria before reaching that conclusion. Once they take the time to evaluate it, some companies that handle personal information determine that some or all of the privacy criteria do not apply to their business model, or that the criteria are too comprehensive for them to address and maintain given their stage in the business life cycle. The purpose of this white paper is to help companies a) understand the complex nature and various components of the privacy category and b) determine whether privacy should be in scope for their SOC 2 report.
