The Intwo Promise: Continually Optimizing Security Management Processes and Controls


As the world becomes increasingly digital, and more companies lean on Microsoft and the cloud to support their businesses as they digitally transform, what is holding Microsoft partners accountable to deliver what they say they will?

For any partner worth the name, the answer is preparing for, and submitting to, an independent audit.

A SOC 1 audit is an independent examination of the internal controls a service organization such as Intwo has implemented. The report is scoped to controls that can affect its clients' own reporting and operations, which in practice means the general IT controls around protecting client data: logical and physical access, change management, availability and incident handling. On successful completion, the auditor issues a report describing the control objectives, the controls that support them and how they were tested. It shows, for example, whether the security measures, availability safeguards and data protections the organization claims to have are actually in place and operating.


We complete these audits every year to show we are 100% committed to service availability, security, and data protections for our customers.

Berend-Jan van Maanen, CEO Intwo

For any company functioning as a managed services provider, security should be the top priority. Creating a secure service for our customers and our employees involves many distinct areas, and the audit covers them. This particular audit covers nine control objectives which demonstrate that we hold our organization to high standards, as a promise to our customers.

To make sure we are operating as well as we can, we identify not only the control objectives that must be met, but also how we achieve them and how we remediate points that fall short of our standards. After all, performing an audit without the means or a plan to address the improvements that come out of it is virtually meaningless.

So, what do we consider the most important points to nail in our business practices? Here are our top 9 Control Objectives:

1. Security Management

This control objective provides reasonable assurance that relevant risks to confidentiality, integrity and availability of provided IT services are addressed and responsibilities of the security organization are clearly defined. This includes measures such as having a security council, annual security awareness seminars, and annual risk assessments.

2. Human Resource Management

This control objective provides reasonable assurance that employees are adequately trained, are aware of their responsibilities and behave in line with company policies.

3. Physical Security

This control objective provides reasonable assurance that physical access to data is restricted only to authorized persons.

4. Logical Security

This control objective provides reasonable assurance that logical access to data is restricted to authorized persons only, as determined by our internal authorization matrix: which roles may access which systems and data, and with which rights. Beyond making sure anti-virus software is installed on every workstation, we ensure our internal network infrastructure is not directly reachable from the internet.

5. Availability Management

This objective provides reasonable assurance that the infrastructure is configured according to the guidelines defined in our security policy, so that the confidentiality, integrity and availability of data are protected. We address it with firewall management, application of vendor-supplied security patches, company-wide anti-virus software, intrusion detection systems, and secure disposal of all company media and materials.

6. Supplier Management

This control objective provides reasonable assurance that any suppliers used for IT service delivery adhere to internal controls, risk management and security practices.

7. Incident Management

This control objective provides reasonable assurance that incidents that impact the availability of provided IT services are detected and solved in a timely and controlled manner.

8. Change Management

This objective provides reasonable assurance that changes to provided IT services are authorized and implemented in a controlled manner. This way, we always ensure that every piece of the puzzle fits together as it should.

9. Service Continuity

This objective provides reasonable assurance that, in the event of a calamity caused by damage to or interference with facilities, equipment or software, the provided IT services are recoverable within the agreed time frame.

While some of these Control Objectives may not stand out on their own, together they make possible what we are aiming for: delivering a high standard of managed cloud services for our customers. Running the annual audit against these objectives is the most essential way of making sure that we are doing what we say we can. We make our audit reports available to partners and customers on request, and we also use the findings to obtain useful and relevant observations about our business practices, and as one more way to show that, if you're working with Intwo, you're in good hands.

FREQUENTLY ASKED QUESTIONS

Continually optimizing security management means treating cybersecurity as an ongoing process rather than a one-time setup. Threats evolve constantly, and so should your defenses. It involves regularly reviewing your security policies, updating controls, testing for vulnerabilities, training employees, and adapting to new risks as they emerge. Businesses that set up security measures and never revisit them leave themselves exposed to threats that did not exist when those measures were first put in place. Continuous optimization keeps your protection current, effective, and aligned with best practices.

Technology alone cannot protect a business. Security is a mindset that must be embedded into how every person in the organization thinks and works. From the CEO to the newest hire, everyone plays a role in keeping data and systems safe. This means following secure practices in daily work, reporting suspicious activity, and understanding that one careless action can open the door to a breach. When security becomes part of your company culture rather than just a set of tools, your entire organization becomes more resilient against threats.

A SOC 1 Type II audit is an independent evaluation of a company's internal controls over a period of time. Type II specifically examines both the design of the controls and whether they operated effectively throughout that period, whereas a Type I report only assesses the design of the controls at a single point in time. Intwo undergoes this audit annually, carried out by an independent auditor, to validate that its security processes and services meet the required standards. It gives customers confidence that Intwo treats security as an essential priority, not an afterthought. The audit report is available to customers on request, providing transparent proof of Intwo's commitment to security.

Intwo’s global Security Council is responsible for overseeing and continuously improving the company’s security posture. The council, chaired by Intwo’s Security Officer, regularly reviews policies, software, infrastructure, and resources to ensure they meet best practice security standards. They assess and approve all services, monitor compliance with certifications, and are available to intervene 24/7 if a security incident occurs. Having a dedicated Security Council ensures that security decisions are made by experienced professionals and that the organization stays ahead of emerging threats at all times.

Security starts with people, and Intwo recognizes this by building security checks into their hiring process. Every employee is carefully reviewed before being brought on board. Once hired, team members receive regular training on the latest security developments and awareness best practices. This ensures that everyone working with customer data understands their responsibilities and follows secure practices in their daily work. By investing in the security knowledge of their own people, Intwo reduces the risk of internal mistakes and strengthens the human layer of their overall security framework.

Cloud platforms like Microsoft Azure invest billions of dollars annually in security infrastructure, employ thousands of dedicated security experts, and continuously update their defenses against the latest threats. Most businesses simply cannot match that level of investment on their own. Cloud platforms also offer built-in features like data encryption, automated backup, disaster recovery, and compliance tools that are difficult and expensive to replicate with on-premises systems. If something happens to your physical location, cloud-stored data remains safe and recoverable, provided backup and geo-redundancy have actually been configured for the workloads in question, while on-premises data may be damaged or destroyed.

Intwo holds a SOC 1 Type II report (SOC reports are attestation reports issued by an independent auditor rather than certificates) and is actively pursuing a SOC 2 report and ISO 27001 certification to further strengthen its global security posture. It also supports compliance with major regulatory frameworks including GDPR, HIPAA, and other industry-specific standards. Intwo provides customers with GDPR Data Sub-Processor and Data Processor Agreements that clearly define responsibilities for handling personal data. These reports, certifications and agreements demonstrate that Intwo meets rigorous, independently verified standards and takes its obligations to protect customer data seriously.

Zero-trust principles are based on the idea that no user, device, network or system should be trusted automatically. Intwo applies three core zero-trust concepts across its operations. First, verify explicitly: every access request is authenticated and authorized using all available data points, such as identity, location, device health and the sensitivity of the requested resource, on every request rather than only at login. Second, least privilege: users get only the minimum access they need to do their jobs, and nothing that is not explicitly granted. Third, assume breach: systems are designed to limit damage even if an attacker gets in, so a single stolen credential or session is not enough to reach everything. This approach ensures that security is enforced at every level of the organization.
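The authorization matrix from the Logical Security objective and the three zero-trust concepts above come together in a single access decision. The example below is added to this page to show what that looks like in code; it is not Intwo's own software, and the role names, resources, signal labels and the 15-minute re-authentication window are assumptions made for the illustration. Every check must pass for a request to be allowed, anything absent from the matrix is denied, and high-impact actions demand a recent authentication so that a captured session alone cannot change a control.

```python
"""Added illustration for this page: a deny-by-default access decision that
combines an authorization matrix (least privilege) with explicit per-request
verification signals. It is not Intwo's software; the roles, resources,
signal names and thresholds are assumptions made for the example."""
from dataclasses import dataclass, field

# Constructed authorization matrix: role -> resource -> permitted actions.
# Anything not listed here is denied, so the matrix fails closed.
AUTH_MATRIX = {
    "helpdesk": {"tickets": {"read", "update"}, "customer-vm": {"read"}},
    "cloud-engineer": {"customer-vm": {"read", "update", "restart"},
                       "firewall": {"read"}},
    "security-officer": {"firewall": {"read", "update"}, "audit-log": {"read"}},
}

# Actions that change something a customer depends on. "Assume breach" means
# a stolen but otherwise valid session should not be enough to perform them.
HIGH_IMPACT_ACTIONS = {"update", "restart", "delete"}
KNOWN_SOURCES = {"corp-network", "vpn", "internet"}  # assumed gateway labels


@dataclass
class Request:
    user: str
    roles: frozenset
    resource: str
    action: str
    mfa_verified: bool
    device_compliant: bool
    auth_age_minutes: int   # minutes since the user last authenticated
    source: str             # network label supplied by the gateway (assumed)


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def decide(req: Request, matrix=AUTH_MATRIX, reauth_window=15) -> Decision:
    """Allow only when every check passes; reasons list each check that failed."""
    reasons = []

    # Verify explicitly: identity strength, device health and origin are
    # evaluated on every request, not once at login.
    if not req.mfa_verified:
        reasons.append("mfa-required")
    if not req.device_compliant:
        reasons.append("device-not-compliant")
    if req.source not in KNOWN_SOURCES:
        reasons.append("unknown-source")          # unexpected input fails closed

    # Least privilege: some role of the caller must grant this exact action on
    # this exact resource; unknown roles and resources contribute nothing.
    granted = any(req.action in matrix.get(role, {}).get(req.resource, set())
                  for role in req.roles)
    if not granted:
        reasons.append("no-role-grants-action")

    # Assume breach: high-impact actions need a recent authentication, so a
    # session captured hours ago cannot be replayed to change a control.
    if req.action in HIGH_IMPACT_ACTIONS and req.auth_age_minutes > reauth_window:
        reasons.append("reauth-required-for-high-impact")

    return Decision(allowed=not reasons, reasons=reasons)


def sample_decisions():
    """Constructed requests covering the allow path and each denial reason."""
    base = dict(mfa_verified=True, device_compliant=True,
                auth_age_minutes=5, source="corp-network")
    cases = {
        "helpdesk-reads-ticket": Request("anna", frozenset({"helpdesk"}),
                                         "tickets", "read", **base),
        "helpdesk-restarts-vm": Request("anna", frozenset({"helpdesk"}),
                                        "customer-vm", "restart", **base),
        "engineer-restart-fresh": Request("bo", frozenset({"cloud-engineer"}),
                                          "customer-vm", "restart", **base),
        "engineer-restart-stale": Request("bo", frozenset({"cloud-engineer"}),
                                          "customer-vm", "restart",
                                          **{**base, "auth_age_minutes": 240}),
        "officer-no-device": Request("cy", frozenset({"security-officer"}),
                                     "firewall", "update",
                                     **{**base, "device_compliant": False}),
        "unknown-role": Request("dee", frozenset({"intern"}),
                                "tickets", "read", **base),
    }
    return {name: decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name:24} {'ALLOW' if d.allowed else 'DENY ':5} {d.reasons}")
```

Two design choices matter here. The decision collects every failed check rather than stopping at the first one, which gives the audit log the full picture of why a request was refused; and the matrix lookup uses empty defaults, so a role or resource that was never entered in the matrix can never grant anything by accident.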

Intwo provides customers with formal GDPR Data Sub-Processor and Data Processor Agreements that outline exactly how personal data is handled, processed, and protected. These agreements reflect Intwo’s responsibilities and set clear guidelines for data management in compliance with European data protection regulations. Beyond agreements, Intwo implements technical measures like data encryption, access controls, secure backup, and continuous monitoring to protect customer data at every stage. For businesses operating in the EU or handling EU citizen data, this level of compliance support is essential for avoiding regulatory penalties.

Businesses that partner with Intwo gain access to a security framework that never stands still. Intwo’s Security Council continuously reviews and updates policies, controls, and processes to stay ahead of evolving threats. Annual SOC audits verify that everything works as intended. Employee training keeps the human layer strong. Zero-trust principles ensure that access is tightly controlled at all times. For businesses that lack the resources to build and maintain this level of security internally, Intwo provides the expertise, certifications, and 24/7 oversight needed to keep their cloud environments secure, compliant, and resilient.
