When selecting a cloud hosting or colocation provider, customers want assurance that they are using a safe, secure, and competent provider. Data center providers can therefore undergo a number of IT audits or examinations to demonstrate to customers and prospects that they have controls in place to protect client data and/or client equipment. One of the examinations a data center may be evaluated against is a SOC 2 examination.
In this article, I will explain at a high level what SOC 2 compliance is, as well as address questions a data center provider might have regarding the effort and involvement required in order to become a SOC 2 compliant data center.
What is a SOC 2 Audit? What is SOC 2 Compliance?
First, I do want to point out that when a SOC 2 audit is completed successfully, the auditee does not become “SOC 2 Certified.” There is no SOC 2 certification issued after a SOC 2 audit. What the service organization receives is an attestation report in which an independent CPA firm expresses its opinion on whether the organization’s controls meet the applicable AICPA Trust Services Criteria for the SOC 2 requirements in scope; “SOC 2 compliant” is simply the common shorthand for having obtained such a report.
Further, a SOC 2 audit reports on the controls around the services the organization provides to its customers that are relevant to one or more of the following SOC 2 Trust Services Criteria categories (formerly called the Trust Services Principles): Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The AICPA Trust Services Criteria evaluated in a SOC 2 are determined by the services the organization provides to its clients (note: the Security category, also known as the common criteria, is included in every SOC 2 examination as the baseline; the other four categories are added only when they are relevant to the services in scope). The CPA firm auditing the service organization will discuss and determine which criteria need to be evaluated in the examination.
A Quick Look at SOC 2 TSPs
A high-level summary of each of the SOC 2 categories is as follows:
Security refers to facilities (including offices and data centers), systems, and information being protected against unauthorized access, unauthorized disclosure, and damage. Controls must therefore be in place to restrict both physical and logical access to only those individuals who are authorized. Learn about the Security TSP. Again, the security criteria are included in all SOC 2 examinations.
Availability refers to controls that ensure the systems are available for operation and use as committed or agreed with customers. Learn more about the Availability TSP.
Processing Integrity refers to the completeness, validity, accuracy, timeliness, and authorization of your system’s processing. Controls related to processing integrity ensure the system performs its functions without error, omission, or unauthorized manipulation, and within the expected time. Learn more about the Processing Integrity TSP.
Confidentiality addresses the service organization’s ability to protect information designated as confidential from unauthorized disclosure. Information is confidential when access to it is restricted to a specified set of persons or systems. Confidentiality requirements are typically documented in laws or regulations, or within contracts or agreements with your customers. Learn more about the Confidentiality TSP.
Privacy refers to personal information, that is, personally identifiable information (PII). Controls related to privacy ensure that PII is collected, used, retained, disclosed, and disposed of in conformity with the entity’s privacy notice and objectives. Learn more about the Privacy TSP.
A Quick Look at Type 1 vs. Type 2 SOC Audit Reports
A SOC 2 Type 1 reports on the design of the controls only, as of a specific point in time, while a SOC 2 Type 2 reports on both the design and the operating effectiveness of the controls over a period of time (typically 6 months or one year). Because a Type 2 evaluates operating effectiveness over a period, it takes more time and effort than a Type 1. The resulting Type 2 report also describes the tests the auditor performed and any exceptions noted, which is why a customer evaluating a provider should read the report itself rather than rely on the “SOC 2” label alone. For more information, read our article on Type 1 vs Type 2 SOC Reports.
What is a SOC 2 Data Center? What is the Process for a Data Center to Become SOC 2 Compliant?
What Organizational Involvement is Required During a SOC 2 Audit?
To achieve the status of a “SOC 2 compliant data center,” staff representatives from the following areas will typically be required to participate in helping the audit firm complete a SOC 2 engagement:
- Human Resources
- The various IT groups within the organization, including those responsible for:
  - Risk Management
  - Information Security
  - Incident Response
- Facilities (physical and environmental controls), etc.
Appropriate staff representatives will be required to participate in meetings and interviews with the auditor so that the audit firm can understand and document the key controls the service provider has in place for the physical, environmental, and day-to-day operational practices of the data center.
If a Type 2 SOC 2 examination is being conducted, the organization will also be required to provide evidence to the auditors that the controls discussed and identified in the interviews are in fact in place and have been operating effectively for the specified review period (typically 6 months or one year).
A listing of standard evidence requests (an ‘evidence request list’) that the service organization must satisfy will typically be provided by the audit firm prior to the scheduled on-site meetings and interviews. This gives your organization time to gather the needed evidence before the audit firm arrives on site.
How Long Does It Take to Become SOC 2 Compliant?
The timeline depends on how prepared the data center provider is and how promptly it provides the requested evidence. Gathering as much of the requested evidence as possible before the on-site meetings and interviews speeds up the evidence review. The on-site fieldwork meetings covering the SOC 2 areas can generally be completed within a week, although this also depends on the scope of the examination and the availability of staff to meet with the auditors during that week.
As part of these meetings, a walkthrough of the data center will be conducted to inspect and observe the physical and environmental controls in place. Once all required evidence has been provided, the draft report can generally be delivered to the client within 3-4 weeks, or, for a Type 2, within 3-4 weeks after the end of the examination review period. In addition, a SOC 2 readiness assessment is typically conducted before the SOC 2 examination in order to:
- Ensure the service provider understands the key controls it has in place.
- Implement the controls it does not yet have in place that are needed to meet the criteria.
- Be fully prepared to demonstrate evidence of the key controls during the SOC 2 examination that follows the readiness assessment.
In summary, completing a SOC 2 examination for a data center requires involvement from representatives throughout the organization, mainly HR and IT. Working together, the audit firm and your organization will identify the key controls in place that meet the criteria, which is what makes a data center provider a “SOC 2 compliant” data center (and not a SOC 2 Certified data center).
Once the key controls have been identified, typically via a SOC 2 readiness assessment, your organization will be required to provide the audit firm with evidence that the controls are in place for your data center and have been operating effectively for the review period designated for the SOC 2 (typically 6 months or one year). In short, the audit firm guides the data center service provider through the entire audit process and what is required to complete a SOC 2 for a data center.
This article was originally published on 4/24/2019 and was updated on 9/1/2021.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO Lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelor of Business Administration, with a concentration in Management Information Systems, at Temple University’s Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010, specializing in internal and external audits as well as IT security risk assessments. Following her time in risk management, Olivia moved solely into external IT audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.