There are several different levels of SOC (Service Organization Control) reports and types, so it is easy to get them confused. This post will focus on outlining the path to SOC 2 Type 2.
Getting Started With SOC 2
To pursue SOC 2 Type 2, you will first go through the Type 1 process. SOC 2 Type 1 starts with selecting a team to lead the project. This team will consist of an executive sponsor, one or more project managers, members of the IT and security department, as well as legal and HR resources to provide guidance and direction.
Then the team will define the scope of your upcoming SOC 2 Type 1 audit. The scope is driven by the AICPA’s Trust Services Principles (renamed to Trust Services Criteria in 2018), which are defined as:
Security - protects the system against unauthorized access, be it physical or logical
Availability - makes the system available for use as agreed upon in contracts with customers
Processing Integrity - ensures the complete and timely processing of information
Confidentiality - protects any information deemed confidential with appropriate controls
Privacy - handles any personal information per your organization’s privacy notice
Define SOC 2 Scope
Using these principles as a guide, your organization will establish your audit scope - often with the help of an external auditor. The auditor can help you figure out which of the Trust Services Principles apply. It may be that only one principle applies to your organization, in which case the scope will be small.
After the scope is agreed upon, your team will spend a great deal of time developing and tuning policies. SOC 2 Type 2 requires that organizations create and follow strict information security policies and procedures that are based heavily on the Trust Services Principles. Ultimately these documents are intended to work together as a unified system that helps drive your security controls.
Complete a SOC 2 Gap Analysis
Once audit preparation is complete, your organization will go through a gap analysis. This exercise, which usually takes about two months, will help identify problematic and/or risky areas in your security practices. During this time you will also select an audit firm to conduct your SOC 2 Type 2. As your gap analysis nears completion you can schedule your audit and, at the same time, test and validate that your new policies and procedures are working effectively.
When the audit is in full swing, the audit team will engage in a variety of activities to test your organization’s security controls. These include, but are not limited to: an in-depth review of your policies and procedures, employee interviews, and a walkthrough of your office and data center spaces. When the testing concludes, the auditor will review key findings and, if necessary, document any exceptions. Then the SOC 2 Type 1 report will be issued, attesting to the suitability of the design of your controls as of a specific date.
Start Planning For SOC 2 Type 2
From here, you are on your way to achieving SOC 2 Type 2. Like a Type 1, a Type 2 report covers the effectiveness of a service organization’s controls. But rather than representing a point-in-time snapshot, the SOC 2 Type 2 tests the controls over a period of time - 6 months or more being the standard. When the tests are complete, the auditor will issue an opinion comparing the description management has provided against the actual operating effectiveness of the controls. We built an open source SOC 2 tool to help companies just starting out on their SOC 2 Type 2 process.