What It Is

SOC 2 (System and Organization Controls 2) is a voluntary attestation framework developed by the AICPA for service organizations. It evaluates controls based on Trust Services Criteria (TSC)—Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy—using a principles-based, risk-focused approach via independent CPA audits.

Key Components

• Common Criteria (CC1-CC9) under Security form the foundation, covering control environment, risk assessment, access, monitoring, and vendor management.
• Organizations select TSC based on services; ~85-100 controls mapped with redundancy (2-3 per category).
• Built on COSO principles; Type 1 (design) and Type 2 (operating effectiveness) reports.
• Annual CPA attestation with bridge letters for continuity.

Why Organizations Use It

• Accelerates enterprise sales by streamlining due diligence and RFPs.
• Builds trust for SaaS/cloud providers handling customer data.
• Mitigates breach risks, enhances resilience; maps to ISO 27001, NIST, HIPAA.
• Competitive moat unlocking higher ACV deals and investor confidence.

Implementation Overview

• Phased: scoping, gap analysis, remediation, 3-12 month monitoring, audit.
• Targets SaaS/fintech/healthtech; scalable for startups to enterprises.
• Automation tools (Vanta, Drata) collect evidence; costs $20-100K.

What It Is

Basel III is the international regulatory framework by the Basel Committee on Banking Supervision (BCBS) to enhance bank resilience post-2007 financial crisis. It raises capital quality/quantity, adds leverage/liquidity constraints, and improves supervision via a risk-based approach across global jurisdictions.

Key Components

• **Three PillarsPillar 1 (capital requirements), Pillar 2 (supervisory review/ICAAP), Pillar 3 (disclosures/market discipline).
• Core elements: CET1 (4.5%), leverage ratio (3%), LCR/NSFR liquidity metrics, buffers (conservation, countercyclical, G-SIB), output floor limiting internal models.
• Revised risk standards for credit, market, operational risks.

Why Organizations Use It

• Meets binding regulatory mandates to avoid fines, asset caps, restrictions.
• Builds resilience, optimizes balance sheets, enables strategic risk management.
• Enhances competitiveness via data governance, better pricing, stakeholder trust.

Implementation Overview

Phased enterprise program: governance/PMO setup, gap/QIS analysis, data/IT remediation, model validation, training. Targets internationally active banks; ongoing supervisory engagement, no central certification.