There are several different levels of SOC (Service Organization Control) reports and types, so it is easy to get them confused. This post will focus on outlining the path to SOC 2 Type 2.
A SOC 2 Type 1 report looks at an organization’s operating controls at a point in time. The SOC 2 Type 2 report measures those same controls over a more extended period. SOC 2 Type 1 builds on the reporting basis of SOC 1 but focuses on security controls rather than financial controls.
The SOC 2 Type 2 examines the effectiveness of those controls over a six-month period. There is also a SOC 3 report, which is essentially the same data found in a SOC 2 but written for public consumption.
What Is A SOC 2 Report
Although SOC 1 and SOC 2 differ in many ways, they were both created by the AICPA (American Institute of Certified Public Accountants). Initially, service providers would use the SAS 70 (Statement on Auditing Standards 70) as a way to measure the effectiveness of an organization’s security controls. Eventually, audit firms used these controls to attest to the security posture of organizations as well, which was not the intended purpose of SAS 70. In 2011, the Statement on Standards for Attestation Engagements no. 16 (SSAE 16) was created to replace SAS 70, which allowed SOC 2 to become a framework centered on security controls.
Getting Started With SOC 2
To pursue SOC 2 Type 2, you will first go through the Type 1 process. Type 1 starts with selecting a team to lead the project. This team will consist of an executive sponsor, one or more project managers, members of the IT and security department, as well as legal and HR resources to provide guidance and direction.
Then the team will define the scope of your upcoming SOC 2 Type 1 audit. The scope is driven by the AICPA’s Trust Services Principles (renamed to Trust Services Criteria in 2018), which are defined as:
Security - protects the system against unauthorized access, be it physical or logical
Availability - makes the system available for use as agreed upon in contracts with customers
Processing Integrity - ensures the complete and timely processing of information
Confidentiality - protects any information deemed confidential with appropriate controls
Privacy - handles any personal information per your organization’s privacy notice
Define SOC 2 Scope
Using these principles as a guide, your organization will establish your audit scope - often with the help of an external auditor. The auditor can help you figure out which of the Trust Services Principles apply. It may be that only one principle applies to your organization, thus the scope will be small.
After the scope is agreed upon, your team will spend a great deal of time developing and tuning policies. SOC 2 Type 2 requires that organizations create and follow strict information security policies and procedures that are based heavily in the Trust Services Principles. Ultimately these documents are intended to work together as a unified system that helps drive your security controls.
Complete A SOC 2 Gap Analysis
Once audit preparation is complete, your organization will go through a gap analysis. This exercise, which usually takes about two months, will help identify problematic and/or risky areas in your security practices. During this time you will also select an audit firm to conduct your SOC 2 Type 2. As your gap analysis nears completion you can schedule your audit and, at the same time, test and validate that your new policies and procedures are working effectively.
When the audit is in full swing, the audit team will engage in a variety of activities to test your organization’s security controls. These include, but are not limited to: an in-depth review of your policies and procedures, employee interviews and a walkthrough of your office and data center spaces. When the testing concludes, the auditor will review key findings and, if necessary, document any exceptions. Then the SOC 1 report will be issued and will attest to the suitability of the design of controls at a specific date.
Start Planning For SOC 2 Type 2
From here, you are on your way to achieving the SOC 2 Type 2 report. Similar to Type 1, the Type 2 reports on the effectiveness of a service organization’s controls. But rather than represent a point-in-time snapshot, the SOC 2 Type 2 tests the controls over a period of time - 6 months or more being the standard. When the tests are complete, the auditor will issue an opinion based on the description management has provided versus the actual operating efficiency of the controls. We built an open source tool to help companies just starting out on their SOC 2 type 2 process.