Everything you need to know about SOC 2 in one place
TL;DR: In this article, we’ll take a comprehensive look at SOC 2 and the requirements for certification. You’ll learn what SOC 2 is, who it applies to, why it’s important, and how it benefits an organization. By the end of this article, you’ll have a clear understanding of the differences between Type 1 and Type 2 assessments, the SOC 2 Trust Principles underlying these assessments, and the criteria auditors use to evaluate and report on the associated controls.
SOC 2 stands for “Systems and Organizations Controls 2” and is sometimes referred to as SOC II. It is a framework designed to help software vendors and other companies demonstrate the security controls they use to protect customer data in the cloud. These controls are called the Trust Services Principles and include security, availability, processing integrity, confidentiality, and privacy.
For organizations evaluating SaaS or cloud services providers, compliance with SOC 2 is a minimum requirement. This is because it confirms to the customer that you have a certain level of maturity around security best practices.
What SOC 2 is not
It’s important to note that SOC 2 compliance is neither a legal requirement nor a proxy for actual security best practices. While the assessment covers the core departments and processes that interact with sensitive data, it’s not driven by HIPAA compliance or other regulations and standards.
Certification is performed by external auditors and not by the government, and the resulting report merely confirms that the processes you self declare are actually being followed in practice.
Nevertheless, the significance of the role of SOC 2 in data security cannot be underestimated. Understanding its origins can help to explain why.
SOC 2 evolved from the Statement on Auditing Standards (SAS) 70, an old audit that Certified Public Accountants (CPAs) used to assess the effectiveness of an organization’s internal controls.
While security was included under the umbrella of internal controls, it came to the attention of the American Institute of Certified Public Accountants (AICPA) that some organizations were offering SAS 70 reports as proof they were safe to work with. In response, AICPA replaced SAS 70 with the Statement on Standards for Attestation Engagements (SSAE) 16 report, which was later renamed Systems and Organizations Controls 1 (SOC 1).
Then in 2009, AICPA introduced SOC 2 as an audit report with a strict security focus and issued the five Trust Services Principles. These principles were defined as “a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs.”
Simply stated, the principles represent the criteria to be used to evaluate and report on an organization’s controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems.
AICPA further stipulated that it was not necessary to address all the Trust Service Principles, and that an organization should select only those relevant to their own services.
SOC 2 is specifically designed for service providers that store customer data in the cloud, as a way to help them demonstrate the security controls they use to protect that data. As such, it applies to nearly every SaaS company and cloud vendor, as well as any company that uses the cloud to store customer information.
If you’re reading this, there’s a pretty good chance SOC 2 applies to you.
From the point of view of a potential customer, working with a vendor that has fulfilled the SOC 2 requirements is a guarantee of sorts. It means you can provide the information and assurances they need regarding how you process users’ data and keep it private.
But facilitating organizational oversight isn’t the only point of SOC 2 compliance.
According to AICPA, the reports produced during the process of achieving compliance can also play an important role in:
At a fundamental level, SOC reports show potential customers that you’re serious about integrity, ethics, and security throughout your operations. Being able to demonstrate that you have the proper people, policies, and procedures in place to handle a security incident and respond accordingly places you firmly on the candidate list—which is the first step towards being selected as the preferred provider.
Showing compliance can also speed up your sales cycle. Pitching new business can be easier on your sales team because they will very likely be spared the burden of completing endless RFIs during the sales process. Instead, they can simply submit the company's SOC 2 reports.
Perhaps the most important benefit arises from the work required in terms of preparation for the SOC 2 Type 2 assessment. This is covered in more detail below, but it essentially requires you to install long-term, ongoing internal practices that will ensure the security of customer information. By their very nature, these practices will ensure the long-term success of your business.
Becoming compliant typically takes six months and requires the completion of two audits by third-party assessors. The SOC 2 Type 1 audit is designed to assess the design of your security processes at a particular point in time, while the subsequent SOC 2 Type 2 audit involves verifying the operating effectiveness of your internal controls over the longer term. Completion of the Type 1 audit is a prerequisite for Type 2.
You’ll begin by forming a multidisciplinary team, electing an executive sponsor, and identifying an author who can collaborate with each team lead and translate their business needs into policies.
Using the AICPA Trust Services Principles as your base and selecting only those that apply to your services, you’ll then define the scope of the audit and write and refine the appropriate policies.
You can expect this to take around two months to implement, test, and fine tune the policies before you’re ready to book a formal assessment. The assessment typically includes interviews with staff, walkthroughs of your physical space, and a thorough review of your documentation. Once the auditor has worked with you to clarify any necessary exceptions, the SOC 2 Type 1 report will be generated.
To take a deeper dive, check out: SOC 2 Type 1 Guide: Everything You Need To Know
You can’t embark on the preparations for the Type 2 audit until you’ve been through the Type 1 process. This is because while the Type 1 audit assesses processes and policies, the Type 2 audit verifies the effectiveness over time of the controls you’ve instituted to ensure those processes and policies are followed.
To walk through the complete path to a Type 2 audit, read: SOC 2 Type 2 Guide: Everything You Need To Know
The 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy documents the control criteria which have been established by the Assurance Services Executive Committee (ASEC) of the AICPA. These are the criteria your selected auditor will use to evaluate and report on the controls you have put in place to ensure the security, availability, processing integrity, confidentiality, or privacy of information and systems.
The Trust Services Criteria consist of:
To attain SOC 2 certification, you must ensure compliance across the Trust Services Criteria. Five main principles are used to measure and report upon this, which include:
Not every SOC 2 report must include all five principles, so figuring out which Trust Services Principles apply is key to defining the system boundaries and the scope of the audit—and to maintaining your sanity.
For example, if you run a data center and offer data storage to customers, but your client does all the data processing on their own systems, then the security and availability principles—but not the processing integrity principle—would apply. If the stored data contains personal information, then the privacy principle would also be in scope for your service organization.
We promised to provide all the definitions, links, and resources you need to gain a solid understanding of SOC 2. Our aim is to be a single port of call for all things SOC 2 and our complete guide would not be complete unless we invited you to dig into the strongDM knowledge base for more information.
"When strongDM said deployment would take an hour, I assumed they were full of it and blocked out a full day. We finished in 45 minutes." - Peter Tormey, Manager DataOps, SoFi
No credit card required.