SOC 2 Certification
Certified Service Organization Control 2 LMS
Thinking Cap’s SOC2 certification builds on our commitment to data security and privacy. Every LMS admin knows that maintaining your trust is about the everyday measures we put in place to protect your information.
Understanding the certification
What is SOC2 Compliance?
SOC 2, or Service Organization Control 2, is crucial for a Learning Management System (LMS) due to the inherent significance of security, confidentiality, integrity, and privacy in an educational environment. A SOC 2 report ensures that the LMS has implemented robust controls and safeguards to protect sensitive student data, such as personal information, grades, and learning progress. By adhering to SOC 2 standards, an LMS demonstrates its commitment to maintaining the privacy and security of student records and preventing unauthorized access or data breaches.
Why Thinking Cap LMS is certified
The importance of certification
This certification instills confidence in educational institutions, teachers, students, and parents, assuring them that the LMS platform they are using meets stringent industry standards for data protection. Additionally, SOC 2 compliance also promotes accountability and transparency, as it requires the LMS provider to regularly assess and improve their security practices, ensuring the ongoing protection of student information throughout their learning journey.
Thinking Cap serves diverse audiences, which involves sensitive corporate information as well as at-risk populations of children and patients. Thinking Cap has always been a leader in the EdTech community, and our efforts in obtaining our SOC2 Type 1 underscore this commitment.
Our SOC2 is available to clients and prospects under NDA. For more information, please contact security@thinkingcap.com.
The many steps to achieving certification
SOC 2 Certification Process
Obtaining a SOC 2 certification involves several key steps. While the specific process may vary depending on the organization and the chosen certification body, here are some general steps typically involved in getting a SOC 2.
Define Scope
Determine the scope of the SOC 2 assessment, identifying the systems and services that will be evaluated for compliance.
Select Trust Services Criteria (TSC)
Choose the applicable Trust Services Criteria for the SOC 2 report. The TSC includes security, availability, processing integrity, confidentiality, and privacy.
Perform Gap Analysis
Conduct a thorough gap analysis to assess the current state of your organization's controls and identify areas that need improvement to meet the TSC requirements.
Develop Controls
Develop and implement controls and procedures to address any gaps identified during the gap analysis. These controls should align with the selected TSC.
Documentation and Policies
Create comprehensive documentation and policies that outline the controls, procedures, and processes implemented to meet the TSC requirements.
Testing and Evaluation
Perform testing and evaluation of the controls to ensure they are operating effectively and in compliance with the TSC. This may involve conducting internal audits or engaging a third-party auditor.
Remediation
Address any identified issues or deficiencies through remediation activities. This may include implementing additional controls or improving existing ones.
Readiness Assessment
Conduct a readiness assessment to evaluate the organization's preparedness for the SOC 2 audit. This step helps identify any remaining gaps or areas for improvement before the formal assessment.
Select an Auditor
Choose an independent, qualified auditor to perform the SOC 2 examination. The auditor should be experienced in conducting SOC 2 assessments and have the necessary expertise in the relevant industry.
SOC 2 Examination
Undergo the SOC 2 examination conducted by the chosen auditor. The examination involves testing the effectiveness of controls and verifying compliance with the selected TSC.
Receive SOC 2 Report
Once the examination is complete, the auditor will issue a SOC 2 report. This report includes an opinion on the organization's controls and their compliance with the TSC. There are two types of SOC 2 reports: Type I, which assesses the design of controls, and Type II, which evaluates the operating effectiveness of controls over a specified period.