AICPA SOC Service Organizations - Certrec

SOC 2 Type II – Five Different Criteria of Controls

Certrec takes extensive measures to ensure that client information is safeguarded. One of those measures is completing a SOC 2 Type II audit, which details the operational effectiveness of our Information Security Management System (ISMS). This audit sets Certrec apart from direct competitors who have not proven that they possess this capability to mitigate the ever-increasing global cyber security threats.

The five different criteria of controls are as follows:

Security:

This category includes controls that protect against unauthorized access, unauthorized disclosure, theft, misuse of software, or damage to systems. Examples of this category include endpoint protection and network monitoring.

IT security tools help prevent security breaches before they lead to unauthorized access to systems and data. Tools such as network and web application firewalls (WAFs), two-factor authentication, and intrusion detection are useful.

Availability:

These controls keep systems operational and available at a level that meets the stated business objectives. Performance monitoring and disaster recovery are examples of this.

This principle does not address system functionality and usability. Rather, it involves security-related criteria that may affect the availability of the system, products, or services as stipulated by a contract or service level agreement.

Processing Integrity:

Processing integrity includes controls that ensure systems perform predictably, free of accidental or unexplained errors. Examples include software development lifecycle management and quality assurance.

However, processing integrity is not the same as data integrity. For example, if data contains errors prior to being input into the system, the processing entity is not usually responsible for detecting them. Monitoring of data processing, when combined with quality assurance procedures, helps ensure greater processing integrity.

Confidentiality:

This includes controls that protect confidential information throughout its lifecycle, from collection and processing to disposal. Examples are encryption and identity and access management.

Encryption is a vital control for protecting confidentiality. Network and application firewalls, together with rigorous access controls, safeguard information being processed or stored on computer systems.

Privacy:

These controls are specific to protecting personal information, especially that which you capture from customers. Examples include consent management and privacy policies.

Personally identifiable information is any detail that distinguishes an individual, such as name, Social Security number, and address. Health, race, sexuality, and religion are also considered sensitive information and generally require extra levels of protection. Controls must be put in place to protect this information from unauthorized access.

Out of the five control measures, Certrec’s ISMS was most recently tested on the security, availability, and confidentiality principles during the period of June 2021 to June 2022.