What is the process for my data center to become SOC 2 compliant? Many times, this question is asked of to audit firms when potential clients or current clients request to review a SOC 2 report conducted on your private services.
This article will explain a high-level and straightforward overview of SOC 2 compliance as well as address questions a firm might have regarding what effort and involvement is required from your firm in order for your data center to become SOC 2 compliant.
What is a SOC 2 Audit?
A SOC 2 audit is intended to report on controls around the services you provide to your customers that are relevant to one or more of the following SOC 2 Trust Services Criteria/Principles: Security, Availability, Processing Integrity, Confidentiality, or Privacy. The AICPA criteria selected to be evaluated in a SOC 2 are determined by the services provided by your organization to your clients. A high-level summary of each of the SOC 2 categories is as follows:
Security refers to facilities (including offices and data centers), systems and information that are protected against unauthorized access. Therefore, controls must be in place to ensure both physical and logical access is restricted to only those individuals that are authorized.
Availability refers to controls that are in place to ensure the systems are up and running for use as committed. Learn more about the Availability TSP.
Processing Integrity refers to the accuracy and completeness of your systems processing. Controls related to processing integrity would ensure the system performs its functions free from error and without delay. Learn more about the Processing Integrity TSP.
Confidentiality addresses the service organization’s ability to protect information designated as confidential from unauthorized disclosure. Information is confidential if the information is restricted to a set of specified users. Confidentiality requirements are typically documented by laws or regulations or within contracts or agreements with your customers. Learn more about the Confidentiality TSP.
Privacy information refers to personally identifiable information (PII). Controls related to privacy would ensure that PII is collected, utilized, contained, disclosed, and disposed of to meet the entities requirements. Learn more about the Privacy TSP.
Type 1 vs. Type 2 Report
The SOC 2 Type 1 will report on the design of the controls only, while a SOC 2 Type 2 will report on the design as well as operating effectiveness of the controls over a period of time (typically either a period of 6 months or one year). For further clarification, since Type 2 evaluates both design and the operating effectiveness of the controls over a period of time, Type 2 will take more time and effort than a Type 1. For more information, read our article on Type 1 vs Type 2 SOC Reports.
What Organizational Involvement is Required During a SOC 2 Audit?
To achieve the status of a “SOC 2 compliant data center,” staff representatives from the following areas will typically be required to participate in helping an audit organization complete a SOC 2: Human Resources and various IT groups including those responsible for Risk Management, Information Security, Software development, etc.
Data center and organizational staff representatives will be required to participate in meetings and interviews with the auditors allowing the audit firm to understand and document the key controls your organization has in place around the data center.
The organization will also be required to provide evidentiary matter to the auditors that the controls are in place and have been operating effectively for a specified period of time (typically 6 months or one year).
The listing of evidence requests required to be provided by your organization will typically be provided by the Audit firm prior to the scheduled-on site meetings and interviews. This will allow sufficient time for your organization to gather the required evidence in preparation of the on-site interviews and meetings with the audit firm for the audit of the data center.
How Long Does it Take to Become SOC 2 Compliant?
Depending on how prepared the organization is with providing the requested evidence prior to the on-site meetings and interviews with the Audit organization, a SOC 2 can take anywhere from generally about three to six months. Typically, a SOC 2 readiness assessment is conducted prior to the SOC 2 examination, in order for an organization to understand their key controls they have in place, implement those controls they do not have it place to meet the criteria, and to be fully prepared to demonstrate evidence of the key controls during the SOC 2 audit of the data center.
In summary, completing a SOC 2 examination and obtaining compliance will require involvement from various representatives throughout the organization, mainly IT. Collaboratively, the audit firm and your organization will identify the key controls in place that meet the criteria to help your data center become a “SOC 2 compliant” data center.
Once key controls are identified, typically, via the SOC 2 readiness assessment, your organization will be required to provide the Audit firm evidence that the controls are in place for your data center and have been operating effectively for the review period designated for the SOC 2 (typically either 6 months or a year).
In short, the audit firm would guide an organization through the entire audit process on what is required to complete a SOC 2 for a data center. If you would like to learn more about SOC 2 examinations, please contact us.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelors of Business Administration, with a concentration in Management Information Systems from Temple University’s Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010 specializing in internal, external audits as well as IT security risk assessments. Following her time in risk management Olivia moved solely into external IT Audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.