How we’re building assurance with SOC 2 Type 2 compliance
At Picus, protecting the security and privacy of our customers will always be a top priority. It’s why we’re committed to ensuring that our controls, policies and procedures meet the highest standards and continue to evolve as our business grows.
Today, we’re pleased to announce that we have successfully completed another key milestone on our information security roadmap by achieving compliance with SOC 2 Type 2 - widely regarded as a gold standard for information security.
What is SOC 2 and what does it mean for Picus customers?
System and Organization Controls 2, commonly known as SOC 2, is a security audit and attestation framework created by the American Institute of Certified Public Accountants for SaaS companies and service providers that process customer data. SOC 2 evaluates whether an organization has designed and implemented effective controls to protect data throughout its lifecycle, from collection and storage to transmission and deletion. Independent auditors review policies, technical safeguards, and day to day practices to verify that the program is more than a checklist and that it operates as intended.
Compliance with SOC 2 confirms that Picus and our cloud native Complete Security Control Validation Platform align with the AICPA Trust Services Criteria. The TSC includes five principles that guide the assessment: Security, Availability, Processing Integrity, Confidentiality, and Privacy. In practice, this covers areas such as access control, encryption, vulnerability and patch management, change management, logging and monitoring, incident response, vendor risk, and business continuity. Many buyers request a SOC 2 report during procurement to streamline due diligence, reduce third party risk, and build customer trust. By meeting SOC 2 requirements, organizations can demonstrate a mature security posture, show consistent operational controls, and provide stakeholders with assurance that sensitive data is handled responsibly.
Meeting the principles of SOC 2, as part of a compliance program that also includes ISO 27001, ISO 20000 and ISO 22301, demonstrates how highly we prioritize security and privacy as well as building products that instil trust and confidence.
SOC 2 Type 1 vs. SOC 2 Type 2
There are two types of SOC 2 audit reports: Type 1 and Type 2. Picus achieved attestation with SOC 2 Type 1 in November 2021 and has now completed attestation with Type 2.
A SOC 2 Type 1 report describes the design of a service provider’s controls to meet AICPA’s trust criteria as of a specific point in time; a SOC 2 Type 2 report details the operational effectiveness of these controls over an extended period.
Picus Security achieved SOC 2 Type 2 compliance in April 2022 following an independent audit by Prescient Assurance. To maintain compliance, Picus will be audited annually.
Request a copy of our SOC 2 report
If you are an existing customer or partner of Picus and would like a copy of our SOC 2 Type 1 and Type 2 reports, please feel free to reach out to a member of our team.
If you are not a current customer but would like to read the reports, we’d be happy to provide a copy under an NDA.
If you have any questions, please let us know!