Mukund Krishnan
3 min read · Mar 28, 2021


An Introduction to SOC 2

"Two-thirds of the Earth's surface is covered with water. The other third is covered with auditors from headquarters." (Norman R. Augustine)

System and Organization Controls 2 (SOC 2, pronounced "sock two"; the AICPA formerly expanded the acronym as Service Organization Control) is an attestation report, produced by an independent auditor, on the controls a service provider uses to manage customer data and protect its clients' interests and privacy. It is industry agnostic, and a current SOC 2 report is a minimum expectation of security-conscious businesses when they evaluate a SaaS provider. SOC 2 is ubiquitous in the B2B space: it is how a service provider gives its customers assurance about its information security and privacy practices. Most companies write the SOC 2 requirement into the Statement of Work (SOW) or Master Service Agreement (MSA) with their vendors and service providers. In today's world, the SOC 2 report drives both revenue and timelines.

The American Institute of Certified Public Accountants (AICPA) established and governs the SOC 2 attestation process, and only a licensed CPA firm may issue the report. What is crucial to understand is that SOC 2 is not a prescriptive security framework. The AICPA publishes the criteria an organization must meet, but it is up to the organization to define the controls and policies that satisfy them. If the business meets the criteria, it receives a clean report. This flexibility is a double-edged sword: two similar organizations can satisfy SOC 2 in very different ways, so there is no uniformity, and a report must be read for what the controls actually are rather than taken as a badge.

Scoping

SOC 2 defines principles for handling customer data through what are known as the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the baseline and is always in scope; the other four are added based on client demands or industry norms. For a cloud service provider or a data center, Availability is a core criterion. Privacy is critical for a business in the health care space, and Processing Integrity is vital for fintech. The general guidance from CPA firms is to start with Security alone and, once the organization is comfortable operating under SOC 2, add the other criteria as the business requires.

The system in scope can include one or all of the following:

  1. Applications
  2. People
  3. Locations
  4. Technology stack

The audit covers the system as the organization defines it, which gives businesses flexibility: an organization can scope the report narrowly to a specific product or division, or broadly to the entire organization. Customers should read the system description in the report to confirm that the service they actually consume is inside that boundary.

Timeline

Generally, it is customers and partners who require SOC 2. The usual recommendation is to become compliant in phases. An organization should begin with a readiness assessment that identifies its existing controls and the gaps against the criteria; that defines its current status and gives a realistic estimate of how long compliance will take. There are two types of SOC 2 report, conveniently named Type 1 and Type 2. A Type 1 report is a point-in-time report: it assesses whether the controls are suitably designed as of a specific date. Once a business has defined its policies and controls, it can obtain a Type 1 report; for most organizations this falls in the first year.

A Type 2 report is the end goal. It tests whether the controls operated effectively over an observation period, normally 12 months. There is flexibility to obtain a first Type 2 report after a three-month or six-month observation period, but a three-month report is generally discouraged because it covers too short a window to be meaningful. Issuance of the first Type 2 report closes the audit cycle for that year. SOC 2 is an annual process: the full audit and review must be repeated every year to remain compliant, and a report that is more than a year old should be treated as stale.

Like HIPAA, PCI DSS, SOX, GDPR, and many others, the ultimate goal is transparency!
