SOC 2 Compliance Guide

Technology service providers, SaaS providers and any organization that stores and processes customer data.

1. Regulatory oversight: Once you are SOC 2 Compliant, you are aligned with AICPA’s regulatory controls. A SOC 2 certificate is proof of that.
2. Supervision of the organization: SOC 2 compliance mandates supervising all aspects of information security across all processes internally along with setting the benchmarks for vendors who manage customer data. In order to accomplish this, a robust process is designed, and its effectiveness is verified once an organization is SOC 2 Certified.
3. New Clients: You can sign more deals and increase the number of clients once you prove your ability to effectively manage customer data with a SOC 2 Certificate
4. Existing Customers: You can prove to your existing customers that your company not only manages their customer data with the highest level of information security, but that this has also been verified by an authorized CPA firm after a rigorous SOC 2 audit.
5. Vendor Management programs: You can set the benchmarks for vendors and ensure compliance with the highest level of information security.
6. Internal corporate governance and risk management processes: You can design and monitor risk management processes and internal corporate governance in accordance with the SOC 2 framework.

A SOC 2 report is given by the auditor after a SOC 2 audit. It meets the unique needs of each organization. You can design controls that follow the SOC 2 framework, depending on your industry and business practices. These internal reports provide the company, their regulators, business partners, and suppliers, with critical information about how you manage data. There are 2 types of SOC 2 reports.

A SOC 2 Type 1 report describes the company’s systems and whether the system design adheres to the trust principles for an organization managing sensitive data, at a point in time. These trust service principles have several controls which are tested as part of the SOC 2 audit. A type 1 audit usually takes 1-2 months.

A SOC 2 Type 2 report explains the design and operational efficiency of the company’s system and controls, throughout a period of time. A type 2 report also includes a detailed description of the service auditor’s tests of controls and the results of those tests. A SOC 2 Type 2 audit is conducted over 3-12 months. The duration depends on the organization’s preference and the needs of the users (readers) of the report. During the audit, the system design and performance of controls are tested. Most of your customers and business partners usually require a SOC 2 Type 2 audit conducted in the last 3-12 months to get assurance on how an organization is managing customer data over a period of time. The subsequent reporting periods are typically 12 months, after the first SOC 2® Type 2 Report.

If an organization claims that they are SOC 2 Compliant, it demonstrates their ability to meet the requirements of AICPA’s Trust Service Criteria. However, a SOC 2 report also called a SOC 2 certificate, is the opinion of the auditor about the controls followed by an organization. During the audit period, the performance of the controls are tested and documented. A thorough review of a SOC 2 report would in general provide assurance to anyone who wants to conduct business with a SOC 2 recipient. Unlike other certifications, SOC 2 report is not reviewed or approved by the AICPA.

SOC 1 focuses on internal controls over financial reporting especially conducted by public organizations or organizations being acquired by other organizations. Whereas a SOC 2 audit focuses on trust services principles for any organization managing sensitive data. These trust service principles have several controls which are tested as part of the SOC 2 audit. However, SOC 3 reports are prepared for more generic public use, and it is not very popular in the industry. All SOC reports  are to be issued by licensed independent CPAs or CPA (Certified Public Accountant) firms that specialize in the organization’s specific industry.

A SOC 2 Type 1 report describes the company’s systems and whether the system design adheres to the trust principles for an organization managing sensitive data, at a point in time. These trust service principles have several controls which are tested as part of the SOC 2 audit. A type 1 audit usually takes 1-2 months.

A SOC 2 Type 2 report explains the design and operational efficiency of the company’s system and controls, throughout a period of time. A type 2 report also includes a detailed description of the service auditor’s tests of controls and the results of those tests. A SOC 2 Type 2 audit is conducted over 3-12 months. The duration depends on the organization’s preference and the needs of the users (readers) of the report. During the audit, the system design and performance of controls are tested. Most of your customers and business partners usually require a SOC 2 Type 2 audit conducted in the last 3-12 months to get assurance on how an organization is managing customer data over a period of time. The subsequent reporting periods are typically 12 months, after the first SOC 2® Type 2 Report.

The SOC 2 framework is the SOC 2 certification criteria. These are also called SOC 2 requirements. This framework is based on AICPA’s Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy of customer data. They are:

1. Security focuses on the protection of information and systems from unauthorized access. Organizations are expected to ensure that all aspects of access control – authorization, authentication, accessing, management and auditing are mapped and they prevent the possibility of theft, system abuse, unauthorized disclosure, modification or removal of data and misuse of software. This can be achieved by employing security tools, technologies and processes that are focused on protecting the network, systems, applications and other assets. Web application firewalls (WAFs), two-factor authentication, intrusion detection, restricted access via VPN are some of the additional technical security controls required to be implemented.

2. Availability focuses on the resiliency of infrastructure, software and information. This includes operational controls and continuous monitoring to improve the availability of the systems for its users. It checks the level of accessibility of the services, as promised in the Service Level Agreement (SLA) by the company and contracts. A company’s minimal acceptable network performance levels are also assessed to ensure they are sufficient to mitigate potential external threats. While it does not verify usability and system functionality, it primarily focuses on all aspects of security which affect availability – network performance, backup, disaster recovery, business continuity, site failover and security incident handling, among others.

3. Processing integrity verifies if the systems achieve their purpose – delivery of the accurate and complete data, within the correct timeframe and level of access. This includes assessing if the systems are error-free and protected from manipulation and unauthorized access. This section requires the organization to implement encryption of data during transit, at-rest and in processing.

4. Confidentiality refers to the ability of the company to restrict access and allow disclosure of data only to authorized personnel or organizations. Common examples include business plans, pricing decisions and internal price lists, intellectual property, contracts, sensitive financial and legal information. This information is only intended for select personnel. Organizations can use encryption to protect the confidentiality of data during transmission. To protect data that is stored or being processed on computer systems, they can use stringent access controls along with network and application firewalls.

5. Privacy addresses the ability of the organization to protect Personally Identifiable Information (PII) which can identify an individual. Details like the name, address, Social Security number, credit card information, health information, race, ethnicity etc. form an integral part of the PII which must be protected from unauthorized access. The controls used by the organization are assessed under this principle including the collection, use, disclosure, retention and disposal of such information in accordance with their Privacy Policy and the criteria set forth in the AICPA’s generally accepted privacy principles (GAPP). The security incident response system is also evaluated in the case of a data breach.

Organizations that are SOC 2 compliant adhere to strict information security policies and procedures, which ensure these criteria are met.

The SOC 2 framework is the SOC 2 certification criteria. These are also called SOC 2 requirements.

Most organizations host their infrastructure platform on popular Cloud Solution Providers (CSP) like AWS, Microsoft Azure or Google Cloud Platform. Most of the services offered by these CSPs go through vigorous third-party independent audits and CSPs share their SOC 2 Type 2 reports. However, SaaS organizations operate under the shared responsibility model where only the cloud infrastructure is covered by the CSP’s SOC 2 report. The responsibility of the SaaS vendor including software development, hosting, configuration and data management is based on SaaS vendors’ processes, tools and technologies. That’s why many in the industry require both the CSPs and SaaS vendors to obtain SOC 2 reports since security and privacy is only as good as the “weakest link” in the entire setup. It is safer to secure the entire ecosystem.

There is no Pass/Fail in a SOC 2 audit. It is the auditor’s opinion of the effectiveness of a company’s controls. A SOC 2 report is expected to capture the effective and ineffective controls and shared in a transparent way. An auditor’s opinion is based on in-depth observation during the audit period, and they have the authority to dive deeper into the evidence or ascertain from initial reports if the company’s controls are operating effectively.

The audit period only begins when all the controls are in place and all aspects of information security are performing as designed. The company finalizes the CPA firm or independent auditors and in collaboration, they decide the start date and the duration of the audit period. The first SOC 2 examination period is usually 3-6 months. The company cannot modify any process during the audit period. The start date of a SOC 2 audit is in the future and it is shared with the CPA firm. Evaluating performance outside of the audit or examination period is not part of the audit.

The audit, or testing of the controls, starts immediately after the period of time ends. It begins with the auditors collecting evidence for all the controls and for some controls with populations, selecting a random sample from a population of data, based on scientific sampling principles. The purpose of the SOC 2® audit is to allow auditors to observe security controls in action as they relate to the random sample. The company is expected to showcase evidence and confirm that all the controls have been designed and implemented per intent. If controls are implemented correctly and the company is SOC 2 ready, customer data is protected, and no violation is observed. The absence of activity during the audit is a sign of success since it implies that all aspects of data protection are in place.

As the audit period is in progress, experts at databrackets make use of the time to do random testing of the controls to make sure everything is working. We also develop the other required information that will be part of the audit – the overall management objectives for security and compliance and the description criteria. These are shared with the CPA firm.