
What is a SOC 2 Report: A Breakdown


A SOC 2 report (Service Organization Control report 2) focuses on the controls a company uses to protect customer data, as well as the operational effectiveness of those controls.

A SOC 2 report should not be confused with a SOC 1 report, which focuses on a company’s financial reporting, nor with a SOC 3 report, which covers similar ground to a SOC 2 report but is written in plainer language for general distribution.

This blog post focuses on the SOC 2 report and gives an overview of its seven main sections. The SOC 2 report itself is based on five Trust Service Principles as defined by the AICPA (American Institute of CPAs):

  • Security - provides customer assurance that their data is secured against unauthorized access
  • Availability - assures that the systems needed to store and process data will be available for use
  • Processing integrity - requires the processing of data to be accurate and complete
  • Confidentiality - ensures information labeled sensitive/confidential is protected as such
  • Privacy - aligns data handling practices with your organization’s privacy policy to ensure personal information is appropriately handled and stored

Unlike HIPAA or PCI-DSS, which have more rigid requirements, SOC 2 gives you some flexibility in choosing which principles to include in scope. Because each SOC 2 audit can have different criteria, each SOC 2 report is different, and yours will be unique to your organization.

Once you have been through the SOC 2 audit, the CPA (Certified Public Accountant) will write the final SOC 2 report. This can take 1-5 weeks, but a 2-4 week turnaround is average. The timing depends on the firm, the scope of your assessment, the volume of audit evidence that requires review, and the number of tasks required to meet strict AICPA standards.


When the report is issued, it will be broken down into seven sections:

Assertion

In this section, the auditor determines whether the description of the system you provide as a service to customers is fairly represented in the audit report. Specifically, the description is measured against the Trust Services Principles.

Independent Service Auditor’s Report

This section summarizes the auditor’s opinion of how effective your controls are when mapped to the Trust Services Criteria.

System Overview

In this section, a background on the service organization is provided, including a description and purpose of the system in scope, as well as the company’s physical location and industry.

Infrastructure

This section provides detailed descriptions of the people, policies, software, processes, and data used by the organization. If you use a third-party hosting provider for your data center needs, this infrastructure section would provide information about that provider such as the physical location, area square footage, and status of any SOC audits the provider is pursuing or has completed. Additionally, this section gives a high-level overview of the technologies used in the environment, such as the virtualization software, networking hardware, database types, backup configuration, and system redundancy.

Relevant Aspects of the Control Environment

In this section, the auditor reports on your control environment, information and communication systems, risk assessment processes, and monitoring of controls.

Complementary User-Entity Controls

This section provides a detailed description of how your controls are implemented.

Trust Services Principles, Criteria Related Controls, and Tests of Controls

This final section of the report details the controls you have in place, as well as the effectiveness of those controls when measured against the Trust Services Criteria.

It’s important to know that a SOC 2 audit is not graded as pass or fail. Your auditor provides an opinion on how your organization adheres to the Trust Service Principles in scope. If the assessor’s opinion agrees with management’s assertion, you receive what is called an unmodified (clean) opinion, essentially stating that you can be trusted as a service organization. You might have some minor exceptions on some of your controls and still receive a “clean” report. But if there are more significant exceptions, such as failing to provide adequate evidence of a control or not following a control at all, your audit may result in a qualified or adverse opinion. The desired result is an opinion from the auditor stating that you can be trusted as a service organization.

Your SOC 2 report is now ready to share with your user entities, giving them confidence that your organization uses effective controls to process and protect their data.

To learn more on how StrongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.


About the Author

Brian, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.
