Whether you’re looking to achieve SOC 2 compliance, or just want to learn more about it, your Googling is bound to lead you to a wealth of articles chock full of buzzwords and acronym soup. In this post, we will provide a guide with definitions, links and resources to gain a solid understanding of everything you need to know about SOC 2 audits.
What is SOC 2?
SOC 2 is a framework designed to help companies (typically software vendors) demonstrate the security controls they use to protect customer data in the cloud. These controls are called the Trust Services Principles and include security, availability, processing integrity, confidentiality, and privacy. SOC 2 comes in a few different types:
- Type 1 - this report examines security controls at a specific point in time
- Type 2 - this report assesses those same controls over a longer period of time (typically 6 months)
Also, it’s important to note that SOC 2 is different from SOC 1, which looks at a company’s financial statements and reporting. It’s also different from SOC 3, which takes the information from a SOC 2 report and presents it in a more “plain English” format to be consumed by a general audience.
For more information about SOC 2 and its history, see our post detailing What is SOC 2 Compliance?
What is the scope of a SOC 2 audit?
SOC 2 scope centers around the Trust Services Principles mentioned above. However, not all five principles will apply to every organization. For example, if you store data containing personal information, the privacy principle applies. If you have a data center and offer storage as a service to customers, the security and availability principles apply.
A good first step is to take inventory of the critical systems that deliver service to your customers and label each as in or out of scope. Remember that for any systems out of scope, you will need to provide written justification as to why the principles do not apply. Larger and more complicated businesses can find additional scope exclusions by figuring out which divisions or subsidiaries are critical to delivering customer services.
For more information check out our post defining Your SOC 2 Scope.
How much does it cost?
SOC 2 is a hefty investment - both in time and money. Here’s a high-level breakdown:
- SOC 2 Type 1 audit - this audit, which analyzes your security controls at a point in time, will cost between $12-17k and typically takes around 2 weeks to complete once scheduled.
- SOC 2 “owner” - this person will own the SOC 2 audit from start to finish, which takes around 6 months. Whether the individual is a 50% FTE or outside consultant, the cost will be in the $50-75k range.
- Internal review - as you go through the SOC 2 audit, your legal and HR teams will play a key role in reviewing and updating contracts you have with vendors, contractors and customers. This will cost around $10k, and will be a recurring cost as you go through SOC 2 annually.
- Tools - the findings in your SOC 2 audit will inevitably prompt the purchase of additional tools to satisfy compliance requirements. These can be anywhere in the $5k-50k range, and take 2-3 months to implement, if not more.
- Training - your staff must be trained on relevant security topics every year. It can be done in-house or through an external consultant for around $5k.
Head over to our post on how to budget for SOC 2 to learn more.
How do I staff for a SOC 2 audit?
A common misconception is that SOC 2 responsibilities can be handed off to IT and security teams to manage, but that’s simply not the case. To have a successful SOC 2 audit, you will need an executive sponsor, one or more project managers, a primary author to do a heavy amount of interviewing and writing, as well as legal resources to manage and update contracts. You will also need your IT and security teams to shoulder a large workload of technical tasks that are required during and after the audit.
Read more on How to Build Your SOC 2 Team.
As you can see, SOC 2 is a large undertaking from a staffing, time and budget perspective. Use this guide to help you navigate the various SOC 2 terms and requirements so you can get a better sense of your project’s size and scope - and ultimately have a more successful audit.
When it is time to move from policy creation to enforcement, schedule a demo to learn how strongDM makes staying compliant a breeze.