Summary: In this article, we’ll look at SOC 2 Type 2 reports and compare them to ISO/IEC 27001 and HITRUST. You’ll learn the significant differences between compliance assessments, the scope, who benefits, when you should consider an assessment, and how long certification lasts. By the end of this article, you’ll understand what the SOC 2 Type 2 report covers, the key benefits, and the steps you’ll need to take to get started with your assessment.
What is a SOC 2 Type 2 Report?
A SOC 2 Type 2 Report is a Service Organization Control (SOC) audit on how a cloud-based service provider handles sensitive information. It covers both the suitability of a company’s controls and its operating effectiveness.
For cloud and data storage companies, an independent assessment of their security safeguards is a cornerstone of trust. The assessment covers five trust service principles (TSPs): security, availability, processing integrity, confidentiality, and privacy. As part of the assessment, a cloud-based vendor hosts independent inspectors, provides them with documentation of its controls, and allows its systems to be sampled and tested.
SOC 2 Type 2 vs. ISO/IEC 27001 vs. HITRUST
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 Type 2, sometimes called SOC 2 Type II, is one of three prevalent types of security frameworks. All aim to address cybersecurity concerns in cloud-based systems. ISO/IEC 27001 is an international standard established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). HITRUST was introduced to address problems related to securing health records and uses a risk-based rather than a compliance-based framework.
SOC 2 Type 2 vs. ISO/IEC 27001
These security certifications are closely related, but they’re not identical. A SOC 2 Type 2 report tests a company’s controls, and the final report is an attestation — not a certification. ISO/IEC 27001 does certify companies. It also requires an Information Security Management System (ISMS) — a risk-management framework that specifies the steps you’ll take on an ongoing basis to mitigate risk and address security concerns.
ISO/IEC 27001 is used more widely than SOC 2 outside North America, and global companies will eventually need both SOC 2 and ISO/IEC 27001 reports. Another difference is who performs the review: a licensed CPA firm attests to SOC 2 reports, while ISO/IEC 27001 certification is issued by accredited independent registrars.
SOC 2 Type 2 vs. HITRUST
All three security frameworks use different scoping factors. HITRUST’s framework uses 19 categories, encompassing 156 controls aligned with the Health Insurance Portability and Accountability Act (HIPAA). HITRUST works across industries, but it focuses on handling electronic protected health information (ePHI).
How assessors evaluate a company’s controls also differs. HITRUST assigns a maturity rating to each control requirement; SOC 2 Type 2 tests the design and operating effectiveness of each control. As part of the assessment, HITRUST also identifies Corrective Action Plans (CAPs) to help the company reach certification. If customers want both kinds of review, a company can combine its SOC 2 Type 2 report and HITRUST certification into a single report after both examinations.
HITRUST certification is good for two years, though the assessor will test a sample of at least one control from 19 categories for continued certification in the second year. A SOC 2 Type 2 report requires a full-scope examination annually.
Why is SOC 2 Type 2 Important?
SOC 2 Type 2 reports are essential for both security and profitability. First, a SOC 2 Type 2 assessment offers evidence that an organization is implementing the security controls it says it is, and that those controls are working correctly to protect sensitive data. Without eyes and ears across the cloud, it is difficult to assess how secure information is in the hands of third-party vendors. A SOC 2 Type 2 report offers peace of mind.
Reassurance is a great sales tool, but the SOC 2 Type 2 report also improves profitability by opening doors into enterprises that would otherwise be unreachable. Increasingly, companies perform due diligence on their cloud vendors and implement internal requirements to monitor third-party vendor security. Proving compliance can be a prerequisite to landing these accounts.
Who Benefits from SOC 2 Type 2 Audits?
Cloud-based vendors hunting for enterprise accounts can certainly benefit from SOC 2 compliance, which is often required to compete for the business of data-sensitive companies. But an assessment helps other companies, too.
For companies with data breaches in their histories, an assessment demonstrates a commitment to airtight security practices. It provides a layer of protection that can assure partners that security problems are a thing of the past.
Companies with uncertified competitors can also benefit. They’ll prove they’re serious about security and that they can anticipate clients' needs for transparent processes.
Defining the Scope of the SOC 2 Type 2 Report
A SOC 2 Type 2 report uses the American Institute of Certified Public Accountants (AICPA) TSPs, from security to privacy. A certified CPA will first determine which criteria will be included in the scope of your report by asking what kind of customer data you collect, what your storage methods are, and your business needs and operations.
To complete a SOC 2 assessment, companies need only undergo an audit of a single category: security. But that doesn’t make the process simple. Security alone can include nearly 100 controls, covering areas like password security, employee onboarding, security training, physical access controls, background checks, incident response, and multifactor authentication. SOC 2 Type 2 is flexible in that you’ll only assess the controls that apply to your business, at the level of rigor your business needs.
What is the Difference Between SOC 2 Type 1 and Type 2?
For each TSP you choose to assess, such as security, there is a list of AICPA criteria that your controls are designed to satisfy. A SOC 2 Type 1 report describes the internal control policies you have in place at a single point in time and assesses their suitability. The scope of a SOC 2 Type 2 report is greater: it tests those controls over a period of time (typically six months).
Preparation for both assessments includes drafting system descriptions, control mapping, research, and conducting a risk assessment for each area. Then, in a SOC 2 Type 2 assessment, auditors conduct fieldwork to observe controls, select samples, and test processes over weeks or months.
When Should You Conduct a SOC 2 Type 2 Audit?
According to AICPA, companies should consider a SOC 2 Type 2 report when:
- Their customers need to understand their processes and controls
- Their stakeholders need to gain confidence and trust in a company’s security processes
Getting certified is not always a requirement for doing business, but it can be a requirement for winning contracts with enterprises. While many companies wait until a customer requires assessment, those with an enterprise sales goal benefit from getting an audit early, when there is still plenty of flexibility to change processes and controls and implement training easily.
When Should You Start Planning for Your SOC 2 Type 2 Audit?
A SOC 2 Type 2 report has multiple parts. The process starts with scoping the categories you’ll assess, then performing a gap analysis, conducting the assessment, and finally writing the report. There’s no universal checklist to guide you, since every business is different.
Because the process is lengthy, start planning a few months in advance. You’ll need to design and implement internal controls, define which services will be included in the report, document controls in your internal procedures guides, conduct a readiness assessment, and familiarize yourself with federal and local regulations that you’ll need to address for compliance.
How Much Does a SOC 2 Type 2 Audit Cost?
A SOC 2 Type 2 assessment is a lengthy undertaking that can cost $10,000 to $50,000. Add preparation to the mix, and the investment in both time and money is large. SOC 2 assessment can also have hidden costs, from completing a readiness assessment to filling security gaps with new tools and solutions and training workers on new policies.
Because SOC 2 Type 2 assessment must be completed annually, these costs recur. Starting with a readiness assessment and documenting processes can reduce costs.
How Long is a SOC 2 Type 2 Report Valid for?
A SOC 2 Type 2 report is valid for 12 months from the issue date. The short validity period means companies with complex IT needs can be under evaluation for nearly a year, only to find they must quickly start the recertification process.
The need to recertify annually means your organization will want to keep gathering documents, backing up data, building compliance and training norms, and keeping security at the forefront. That way, you’ll be a step ahead when you prepare for next year’s audit.
Let’s Get Started
Companies are increasingly reliant on a host of cloud-based services to store data in a landscape where breaches are rising. From phishing to ransomware, the vocabulary of cybersecurity has caught the attention of companies that must increasingly prove they’re vigilant about protecting themselves and their customers. But for companies looking to secure their cloud-based services, getting started can be confusing. How can they demonstrate they’re a trustworthy partner? Which protocol should they use? Which controls will they need?
It can seem like there’s an overwhelming number of frameworks and choices. But at their foundation, assessments like SOC 2 Type 2 are all designed to help companies describe their controls and show that those controls are working in practice.
To learn more about how StrongDM helps companies with SOC 2 compliance, check out our SOC 2 Compliance Use Case.
About the Author
Brian Johnson, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.
Since 2004, Brian has also run the blog/podcast 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.