SOC 2 Examinations for Colocation Service Providers

The framework and criteria for a SOC 2 examination are flexible and can be applied to many entities, including service organizations that provide a particular type of service to a user entity (e.g. data backup, cloud hosting, managed IT, incident management, change management, network security, etc.). A colocation service provider delivers to its customers the physical security controls and processes needed to protect the customers' infrastructure and systems. Colocation services also include providing the physical space, power, cooling and network equipment.

Typical characteristics of a colocation service provider include power systems (UPS, generators, batteries), HVAC, fire suppression systems or equipment, server racks and badge access systems. The scope of a SOC 2 examination for such a provider generally includes the Security and Availability Trust Services Categories, which focus on these controls:

  • Physical security controls:
    • Fire prevention and fire detection (handheld extinguishers, pre-action dry pipe fire suppression systems)
    • Preventative equipment inspections
    • Video surveillance
  • Power loss controls:
    • UPS/batteries
    • Generators
  • Physical access controls:
    • Badge access system
    • Visitor access
    • Provisioning and de-provisioning of physical access

Navigating the Scope

Unlike other types of IT service providers, such as managed service providers (MSPs), a colocation service provider renders a limited set of services, which reduces the number of applicable requirements within certain trust services criteria. The scope of a SOC 2 examination includes not only the security controls protecting the actual service or system but also the security controls in place at the entity or organizational level.

The entity-level control areas covered in a SOC 2 examination include:

  • Integrity and ethical commitments
  • Executive independence and oversight
  • Reporting lines and levels of authority
  • Attracting and developing competent employees
  • Communication of commitments and responsibilities internally
  • Communication of commitments and responsibilities externally
  • Monitoring of control activities
  • Risk assessments
  • Internal control activities

Customizable Criteria

As mentioned above, the SOC 2 criteria are flexible, and certain trust services criteria may not apply depending on the type of service provided. Because colocation services are typically limited to physical security-related controls, the following SOC 2 Trust Services Criteria may not be applicable:

CC6.6

The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC6.7

The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

CC6.8

The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

CC8.1

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to infrastructure, data, software and procedures to meet its objectives.

[Table image not reproduced: trust services criteria applicability for a colocation service provider. The *, ** and *** notes below refer to markers in that table.]

* Only a component of these criteria applies to a colocation service provider. Customer-facing systems, the badge access system and any applications used in support of the colocation services should be tested against these criteria. No other layers (e.g. infrastructure, operating systems, databases) should be tested against them, as those layers are not considered in scope for a colocation service provider.

** While these criteria are in scope, the controls implemented to meet them are typically the responsibility of the user entity (i.e. complementary user entity controls).

*** While these criteria are in scope, incident management testing should be limited to physical security and environmental protection-related incidents.

The A-LIGN Difference

When you partner with A-LIGN, you get a team of security and compliance professionals with extensive experience performing SOC 2 assessments for colocation service providers, setting your organization on a path to building credibility and trust with your customers.


Interested in learning more about SOC 2 for colocation providers? Have your questions answered by an A-LIGN representative by emailing info@a-lign.com or calling 888.702.5446.