SOC 2 Type 2 Audit and ISO Certification

Low code solutions using Claris FileMaker Cloud and Claris Connect Platform now meet a higher level of trust with user information and data. On December 15, 2021, Claris International Inc. announced the successful completion of the System and Organization Controls (SOC) 2® Type 2 audit for both its Claris FileMaker Cloud software and the Claris Connect platform. In addition, the company received International Organization for Standardization (ISO) certifications for both Claris FileMaker Cloud and Claris Connect. You can read the official press release here.

A business owner using these platforms now has added confidence that their data and that of their clients is safeguarded. This is a great selling point especially as our technology world gets more connected.

What Exactly is a SOC 2 Type 2 Audit?

This audit ensures a service organization is providing a safe operating environment where they can manage sensitive data, as well as the privacy of their clients. Developed by the American Institute of Certified Public Accountants (AICPA), SOC reports are the gold standard for evaluating the controls and practices of third-party service providers as it relates to both data and financial reporting.

There are two main types of SOC reports: SOC 1 and SOC 2.

SOC 1 examines internal controls over the company’s client’s financials. SOC 2 tests control modeled around a company’s policies, communication procedures, and monitoring. The True Service Criteria developed by AICPA is based on five categories:

• Security – A business’s data and computing systems are fully protected against any unauthorized access, unauthorized and inappropriate disclosure of information, and any possible damage to systems that might compromise the processing integrity, availability, confidentiality or privacy of data or systems that may affect the entity’s ability to meet its objectives.
• Availability – All information and computing systems are always ready and available for operation to meet the entity’s objectives.
• Processing Integrity – All system processing is complete, accurate, valid, timely, and authorized to ensure that the entity meets its objectives.
• Confidentiality – Any information designated as confidential remains secure to meet the entity’s objectives.
• Privacy – All personal information collected, used, retained, stored, disclosed, or disposed of must meet the entity’s objectives.

The primary types of companies that undergo a SOC 2 audit include those that provide services like data hosting, colocation, data processing, cloud storage, and Software-as-a-Service (SaaS).

What Exactly is ISO Certification?

Both FileMaker Cloud and Claris Connect achieved ISO certifications, under Apple’s certification process, from the British Standards Institute (BSI) for Information Security Management (ISO/IEC 27001) and Personal Data in the Cloud (ISO/IEC 27018).

ISO/IEC 27001 is an Information Security Management System standard specifying requirements for establishing, implementing, maintaining, and continuously improving an organization’s Information Security Management System. The ISO/IEC 27001 standard includes the following security domains:

• Information security policies
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance
• Information security incident management
• Business continuity management
• Compliance

ISO/IEC 27018 is a code of practice for the protection of personally identifiable information (PII) in public cloud environments. The ISO/IEC 27018 standard includes the following security domains:

• Consent and choice
• Purpose legitimacy and specification
• Collection limitation
• Data minimization
• Use, retention, and disclosure limitation
• Accuracy and quality
• Openness, transparency, and notice
• Individual participation and access
• Accountability
• Information security
• Privacy compliance

Why is This an Impressive Achievement?

The SOC 2 audit is not limited to testing security controls around core applications. It also includes policy-writing, onboarding and offboarding processes, governance, risk assessments, vendor management, and other non-technical elements. As a result, becoming compliant requires a significant investment of time and resources across multiple departments. If you are not SOC 2 compliant and you need a type 2 report, you may be looking at over a year before you can get it.

The reporting period (typically between three months and a year) should start no earlier than the day you become compliant (when all controls have been implemented and are operating effectively). If the reporting period starts before that date, you risk having many control exceptions, since your auditor may test controls going all the way back to day one.

This means companies that need a type 2 report put in the time and work to become compliant and then wait, sometimes for a whole year, before they can validate that compliance with a report.

The audit itself involves assessing 80 to 100 security controls. Simply gathering the control evidence can take 2 to 4 weeks.

The organization will need to involve leadership early, communicate effectively across the departments, and will require the involvement of various entities that support security program governance (i.e., HR, IT, Physical Security, etc.).

Separately, the timeline for ISO certification will depend on numerous factors including the understanding of the requirements, the preparedness of the organization, and the size and complexity of the organization. Most can expect to receive their ISO certification in three to six months.

How Does This Affect Me as a Claris Consumer?

Having a SOC 2 Type 2 audit complete and an ISO certificate puts an organization into the same category as world-class IT cloud products like Amazon AWS and Microsoft Azure. Both the SOC 2 Type 2 audit and ISO certificate should provide an end-user of Claris’ platforms the confidence that strict quality standards are being adhered to and independently verified by third parties.

In simple terms, you can rest assured that the SOC 2 Type 2 and ISO organization you are interfacing with maintains a high level of information security.