Guide to SOC-2 Compliance

Information Security Compliance Standard

What is SOC-2 Compliance?

SOC-2 Compliance is a standard for vendors that process the information of their client’s key business operations.

SOC was developed by the American Institute of Certified Public Accountants or AICPA. It was created to secure the financial information of clients and has since been expanded.

Who should be SOC-2 Compliant?


Any software used by vendors for the processing of data must be SOC compliant as to protect client information.

Accounting Firms

Accounting firms process high volumes of client financial data.

Cloud & Data Services

Cloud computing and Data Services used to process information must be SOC compliant as they are used by other industries for sensitive data.

What does SOC-2 Compliance consist of?

Unlike other compliance standards which require rigid requirements, SOC-2 compliance allows each organization to determine its own controls as they align with the five trust principles. 

The Five Trust Principles of SOC-2 Compliance


  • Access Control
  • Two-Factor Authentication
  • Encryption


  • Network / Application Firewalls
  • Intrusion Detection


  • Performance Monitoring
  • Disaster Recovery
  • Incident Response

Processing Integrity

  • Quality Assurance
  • Monitoring


  • Encryption
  • Network Firewalls
  • Identity Management

The privacy trust principle involves an organization’s collection, use, storage, disclosure and disposal of personal information. Each organization should have an active privacy notice and maintain information in compliance with their notice as well as the criteria in the AICPA’s generally accepted privacy principles or GAPP.

Personal identifiable information or PII refers to any data that can distinguish an individual. This includes name, phone number, address, etc. Any additional information that relates to a person’s health, sexuality, race or religion is subject to an extra level of protection. Your system must include controls that protect all PII.


The security trust principle refers to the access, use, and protection of an organization’s system and data. An organization must prevent potential system abuse, theft or unauthorized use of data, misuse of software, and improper alteration or disclosure of information.


The availability principle involves monitoring network performance and availability, the use and availability of infrastructure redundancy, and security and incident response and recovery.

Processing Integrity

Processing Integrity involves information being used and processed properly. This includes authorization, timeliness, accuracy, and validation.

Processing integrity does not imply data integrity. 


The confidentiality principle assures that company data is restricted to a specific organization or persons. This includes business plans, intellectual property, internal price lists and other types of sensitive financial information.

What is our approach to compliance?

Compliance Audit

Our team conducts a series of interviews and a network audit to determine data access and usage.

Gap Analysis

A Gap Analysis identifies the missing pieces necessary to achieve compliance.

Remediation Plan

A remediation plan is put forth and executed with action steps towards compliance based on priority level.


ITonDemand then monitors system usage and provides the service and support to maintain compliance.

Compliance+ in Action / Florida Manufacturing Firm

A small north Florida manufactures CNC close tolerance machined parts, custom components, and assemblies for the defense sector. Given the sensitive nature of the parts being manufactured, it was vital that communications and manufacturing specifications were secure while organizational infrastructure was put in place and maintained to NIST Compliance.

Read how ITonDemand made it happen.

Contact Us

HIPAA Compliance

The Health Insurance Portability and Accountability Act or HIPAA is the standard for protecting sensitive patient data. Any company that deals with electronic protected health information or (ePHI) must have physical, network, and process security measures in place and enforce them to ensure HIPAA Compliance.

Who should be HIPAA Compliant?

Health Plans

Those using online portals should ensure XYZ blah blah blah

Health Care Clearinghouses

Businesses receiving payment via credit card

Health Care Providers

business blah


Are you Aware?

When an EMR system is deployed by a medical facility, patient data is stored in the cloud. Unless the documents are encrypted and sent directly to the cloud server without any other system, JPEG’s and PDF’s can be stored locally in the cache, unsecured.

To remediate this, use a local on-site server in addition and implement the same security protocols to that server to prevent the breach of printable ePHI.

PCI Compliance

Secure payment systems ensure your customers that you can be trusted with their payment information. PCI Compliance puts measures in place to prevent a data breach or loss of consumer financial information.

The 12 Points to meet PCI Compliance

PCI Compliance can be achieved by meeting 12 points that follow the usage, storage, and transportation of information.

SOC-2 Compliance

SOC-2 compliance is a necessary security 

Who should be SOC-2 Compliant?


Those using online portals should ensure XYZ blah blah blah


Businesses receiving payment via credit card

Service Providers

business blah