Today, information security is of greater concern and importance than ever before, and that’s saying a lot! Every day new data breaches are reported, costing companies billions of dollars in combined losses. IBM’s 2023 Cost of a Data Breach report puts the average cost of a breach at 4.45 million dollars. Companies are playing catch-up with attackers and in many cases have insufficient internal controls to identify breaches and to mitigate the risk of a breach of customer data.
In the U.S., many information security regulations are sectoral and industry-specific (e.g., PCI DSS, HIPAA, FedRAMP).
SOC 2 compliance is the closest thing the U.S. has to a general information security standard.
What is SOC 2? What Does it Stand For?
A SOC 2 is a System and Organization Controls 2 report. There are three types of SOC reports; see the AICPA website for a comparison. Some companies struggle with the differences between SOC 1 and SOC 2 reports and whether they should get a SOC 1, SOC 2, or SOC 3. We start by asking prospective clients what types of clients and stakeholders are requesting the report and what services they provide to those clients. This tells us whether the prospective client’s services can affect the internal control over financial reporting (ICFR) of its user organizations.
If a service organization can impact the ICFR of its user organizations, a SOC 1 report is likely the best option. If it cannot impact its user organizations’ ICFR but can impact their security, availability, processing integrity, confidentiality, or privacy, then a SOC 2 report is likely the best fit for the service organization’s clients.
What Is SOC 2 Compliance? What Does It Entail?
“SOC 2 compliance” or “SOC 2 compliant” are terms used to describe companies that meet one or more of the SOC 2 Trust Services Criteria. Every SOC 2 covers the Security category (the Common Criteria, or “CC” series); a SOC 2 can also include criteria related to Availability, Confidentiality, Processing Integrity, and Privacy. Each category contains a number of criteria. For example, CC6.2 states:
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
This means that to comply with SOC 2 criterion CC6.2, a company must have a process to grant system access only to individuals who need it to perform their job duties, and to remove that access when it is no longer authorized (for example, when an employee leaves or changes roles). Companies could meet this requirement in a number of ways, including documented access provisioning and de-provisioning requests, role-based access guidelines, and higher levels of authorization for higher levels of access. SOC 2 criteria are worded generally, so the controls a company implements to meet each criterion may be unique to that company.
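As an added example (not part of the original article, and not an AICPA or Linford & Co. artifact), the script below shows one way an engineering team can produce evidence for both halves of CC6.2: it reconciles a system’s live accounts against the HR roster and the log of approved access requests, and flags accounts enabled without an approved request, privileged roles approved by a single person, and accounts still enabled after the user was terminated. The data layout, the privileged-role list, and the sample roster are constructed assumptions for this example; a real implementation would pull them from the HRIS, the ticketing system, and the target system’s API.

```python
"""Added CC6.2 access-reconciliation example (illustrative, not an AICPA artifact).

Assumed input shapes, constructed for this example:
  hr_roster       {user_id: {"status": "active"|"terminated", "end_date": date|None}}
  access_requests [{"user_id", "role", "approvers": [names], "approved_on": date}, ...]
  system_accounts [{"user_id", "role", "enabled": bool}, ...]
"""
from dataclasses import dataclass
from datetime import date

# Roles that policy says need two approvers before being granted
# (assumed for this example; the real set comes from the organisation's access policy).
PRIVILEGED_ROLES = {"admin", "dba"}


@dataclass
class Finding:
    account: str
    criterion: str   # "authorization" or "deprovisioning", the two halves of CC6.2
    detail: str


def reconcile_access(hr_roster, access_requests, system_accounts, as_of):
    """Return a list of CC6.2 exceptions; an empty list means every enabled account is authorized."""
    findings = []
    # Index approved requests by (user, role) so each account needs a single lookup.
    approved = {(r["user_id"], r["role"]): r for r in access_requests}

    for acct in system_accounts:
        if not acct["enabled"]:
            continue  # already de-provisioned; nothing to check
        uid, role = acct["user_id"], acct["role"]

        # First half of CC6.2: access is registered and authorized before it is granted.
        req = approved.get((uid, role))
        if req is None:
            findings.append(Finding(uid, "authorization",
                                    f"enabled '{role}' access with no approved request"))
        elif role in PRIVILEGED_ROLES and len(req["approvers"]) < 2:
            findings.append(Finding(uid, "authorization",
                                    f"privileged role '{role}' approved by only "
                                    f"{len(req['approvers'])} approver(s)"))

        # Second half: credentials are removed when access is no longer authorized.
        person = hr_roster.get(uid)
        if person is None:
            findings.append(Finding(uid, "deprovisioning",
                                    "enabled account for a user not on the HR roster"))
        elif person["status"] == "terminated":
            days = (as_of - person["end_date"]).days
            findings.append(Finding(uid, "deprovisioning",
                                    f"account still enabled {days} day(s) after termination"))
    return findings


# Constructed sample data: three employees, one termination, one unknown account.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob":   {"status": "terminated", "end_date": date(2023, 7, 31)},
    "carol": {"status": "active", "end_date": None},
}
ACCESS_REQUESTS = [
    {"user_id": "alice", "role": "developer", "approvers": ["mgr1"], "approved_on": date(2023, 1, 10)},
    {"user_id": "bob",   "role": "developer", "approvers": ["mgr1"], "approved_on": date(2022, 5, 3)},
    {"user_id": "carol", "role": "admin",     "approvers": ["mgr2"], "approved_on": date(2023, 6, 1)},
]
SYSTEM_ACCOUNTS = [
    {"user_id": "alice", "role": "developer", "enabled": True},
    {"user_id": "bob",   "role": "developer", "enabled": True},   # left 2023-07-31, never removed
    {"user_id": "carol", "role": "admin",     "enabled": True},   # privileged, single approver
    {"user_id": "dave",  "role": "developer", "enabled": True},   # no request, not on roster
    {"user_id": "erin",  "role": "developer", "enabled": False},  # disabled: correctly de-provisioned
]


def run_example(as_of=date(2023, 8, 16)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile_access(HR_ROSTER, ACCESS_REQUESTS, SYSTEM_ACCOUNTS, as_of)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.criterion:15s} {f.account:8s} {f.detail}")
```

Run on a schedule (for example, weekly) and retain the output with the tickets that resolved each finding; that retained history is the kind of population an auditor samples from when testing CC6.2 over a Type II period.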
What Is the Purpose of SOC 2 Compliance?
The trend towards cloud computing and outsourcing, in general, has fueled the need for SOC 2 reports in the U.S. SOC 2 compliance allows a service organization to provide assurance to its stakeholders that the service is being provided in a secure and reliable manner.
Learn more in our article, Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS.
How Does SOC 2 Compliance Ensure Data Security?
SOC 2 compliance does not ensure data security; there is no silver bullet for that. SOC 2 compliance means that an independent auditor has tested the internal controls a company relies on to meet the SOC 2 criteria covered in its examination. It is a broad review of an information security program and demonstrates whether a company has the basics of such a program in place.
What Are the Benefits of SOC 2 Compliance?
SOC 2 compliance demonstrates that your company has adequate controls in place governing information security in your environment. A SOC 2 is stronger than giving your word that you are compliant since it’s an independent audit performed by a third-party CPA firm.
Listed below are a few reasons why companies choose to demonstrate SOC 2 compliance:
- Differentiate yourself from your competitors.
- Identify controls relevant to your clients and test those controls to validate the controls’ design and operation.
- Develop more controlled and consistent processes.
- In some cases you can’t enter a particular market without a SOC 2. For example, if you are selling to financial institutions, they will almost certainly require a Type II SOC 2.
How Does SOC 2 Compliance Differ From Other Compliance Standards?
SOC 2 compliance requirements are general rather than prescriptive. Other standards and frameworks such as PCI DSS, HITRUST, FedRAMP, and ISO 27001 have more specific requirements. As a result, not all SOC 2 examinations cover the same set of controls; it is up to the auditor, working with the company, to identify the controls in place that are most relevant to each applicable SOC 2 criterion.
What is SOC 2 Certification?
Although a SOC 2 is technically an attestation report (the deliverable is an auditor’s opinion, not a certificate), it’s very common for people to call a SOC 2 a certification. See the AICPA page for more information, as well as our past blog post on qualified opinions.
Who Needs to Be SOC 2 Compliant?
Typically, service organizations that process or store sensitive data for their clients seek SOC 2 compliance, for example SaaS companies, data centers, and managed service providers. SOC 2 has been widely accepted as a U.S. standard for information security, so some non-traditional service providers, such as law firms, consultancies, and cryptocurrency services, are also demonstrating SOC 2 compliance.
Other Common Questions About SOC 2 Compliance
The following are a couple of questions that we hear often related to SOC 2.
Is There a SOC 2 Compliance Checklist or Shortcut?
There is no official checklist, but the AICPA’s SOC 2 criteria can be obtained and reviewed. You can buy them from the AICPA or contact us for a consultation. The criteria contain requirements related to each of the trust services categories outlined above. Those requirements may be met in a variety of ways, so there is no one-size-fits-all checklist for SOC 2 compliance; the controls depend on the services a service organization provides. The SOC 2 criteria were also updated recently.
What Is SOC 2 Type 2?
A SOC 2 can be Type 1 (aka Type I) or Type 2 (aka Type II).
A Type I report is dated as of a particular date and is sometimes referred to as “point-in-time”. It includes a description of the service organization’s system and tests the design of the relevant controls, but not their operating effectiveness.
A Type II report covers a period of time (usually 12 months), includes a description of the service organization’s system, and tests both the design and the operating effectiveness of key internal controls over that period.
How Do I Become SOC 2 Compliant?
SOC 2 compliance does not have to be difficult. If you have questions on which TSCs to include in your SOC 2 or what the process for receiving a SOC 1 audit or SOC 2 audit entails, please contact us to request a consultation.
This article was originally published on 11/22/2017 and was updated on 8/16/2023.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.