LRN completes successful SOC 2 Type 2 assessment

We continually invest in security best practices at LRN to ensure that our client’s data stays safe and secure. As a part of that ongoing effort, we are happy to announce that we’ve successfully completed our SOC 2 report. The examination was conducted with the aid of A-LIGN, a technology-enabled security and compliance assessment firm trusted by more than 2,500 global organizations to help mitigate cybersecurity risks.   

What is a SOC 2 report?  

 A SOC 2 report addresses risks associated with the handling and access of data. It provides assurance that the organization has appropriate controls in place to mitigate risk and protect sensitive information. The report is provided by an independent auditor to evaluate the internal controls of a service organization. The standards for SOC 2 compliance are set by the AICPA, the American Institute of Certified Public Accountants. The AICPA released an updated guide to reporting on an examination of system and organization controls in the fall of last year. The guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, is used by practitioners providing SOC 2 assessments and can serve as a reference for organizations that issue SOC 2 reports. Rather than a cybersecurity assessment that evaluates specific technical configurations, a SOC 2 report focuses more on how an organization implements and manages controls to mitigate the identified risks to the different parts of an organization. 

What does a SOC 2 audit entail? 

The SOC 2 audit testing framework is based off of the Trust Services Criteria (TSC), which are used to identify various risks (points of focus) an organization should consider addressing. Based on the TSCs the organization selects to be in-scope, the third-party compliance and audit firm (in our case, A-LIGN) evaluates whether the organization has the appropriate policies, procedures and controls in place to manage the identified risks effectively. Out of  five Trust Services Criteria mentioned above, at LRN we chose to include the following three TSCs in the SOC 2 reporting Out of five possible Trust Services Criteria we chose the following three TSCs in the SOC 2 report: 

  • Security (required) 
  • Availability (optional) 
  • Confidentiality (optional) 

In order to pass a SOC 2 examination and receive a letter of attestation successfully, it means we are addressing controls in areas such as information security, access control, vendor management, system backup, business continuity and disaster relief, and more.     

How does SOC 2 differ from ISO 27001? 

ISO/IEC 27001 is a global standard set by the International Organization of Standardization. It is the world’s best-known standard for information security management systems (ISMS) and their requirements. LRN is also ISO 27001 certified. Additional best practice in data protection and cyber resilience are covered by more than a dozen standards in the ISO/IEC 27000 family. These standards enable organizations to manage the security of assets such as financial information, intellectual property, employee data and information entrusted by our clients and third parties. Like SOC 2, an ISO 27001 certification requires an outside audit. Both frameworks are recognized globally and demonstrate rigor in our secure handling of information. 

Your data is secure with LRN 

LRN is SOC 2 Type 2, compliant and is ISO 27001 certified.We maintain these standards on an ongoing basis. You can learn more about our security policies and initiatives on our website.  For our clients and prospects, we hope the steps we have taken help you and your IT teams remain confident in knowing that your data is secure with us.