SOC 2 compliance: Everything your organization needs to know

What does SOC 2 stand for?

SOC 2 stands for System and Organization Organization Controls (SOC) 2. This is one of a few types of compliance reports generated under the aegis of the American Institute of CPAs (AICPA).

What is SOC 2 compliance?

SOC 2 compliance validates a service provider’s ability to provide its contracted services to its customers. During an SOC 2 compliance audit, a CPA evaluates the provider’s controls against one or more Trust Services Criteria (TSCs), which include:

Security
Confidentiality
Availability
Processing integrity
Privacy

Any organization undergoing a third-party SOC 2 audit will be evaluated against the Security TSC. However, they can opt to be evaluated against any or all of the other four TSCs based on the nature of their business. For example, a cloud service provider may choose to have an SOC 2 evaluation against the Availability TSC as part of proving its ability to meet service level agreements (SLAs) around uptime.

What is an SOC 2 report?

An SOC 2 report is generated at the end of an SOC 2 compliance audit to certify that a service provider’s controls meet the criteria for compliance. An SOC 2 report can attest to compliance with one or more of the SOC 2 TSCs.

In addition to a set of TSCs, a service provider must also choose whether to undergo a Type 1 or Type 2 compliance audit. The differences are:

Type 1: provides a snapshot of the organization’s compliance. The CPA will test one of the company’s controls for compliance and issue a compliant report if it meets the required criteria.
Type 2: tests an organization’s ability to sustain compliance across multiple controls. The auditor will evaluate the company’s controls over a set period (six months, a year etc.). At the end of the audit, a company may be awarded an SOC 2 Type 2 compliance report.

An SOC 2 Type 1 report is a watered-down version of Type 2. While it is faster and easier to achieve, it doesn’t demonstrate the ability to sustain compliance. A company may ramp up operations for the audit, pass, and fall out of compliance afterward. For this reason, Type 2 audits are generally more desirable but also more time-consuming and difficult to undergo.

ISO 27001 vs SOC 2

ISO 27001 and SOC 2 are both certifications designed to evaluate a service provider’s capabilities. The overall objective of both is to ensure that a company is appropriately protecting the data entrusted to it by its customers.

The scope of both regulations is very similar. One study found an estimated 30% overlap between the controls of the two frameworks. The AICPA has also published mappings from the 2017 SOC 2 TSCs to ISO 27001 and other common frameworks (NIST CSF, COBIT 15, NIST 800-52 and GDPR). These mappings can help achieve and demonstrate SOC 2 compliance if an organization already holds a compliant status under another regulation.

Under the hood, the two certifications have some differences:

Footprint: ISO 27001 is internationally recognized, while SOC 2 is specific to the U.S.
Authority: ISO 27001 is certified by a registrar accredited by the ISO, while a licensed CPA firm audits SOC compliance
Duration: ISO takes 12-18 months to complete and can be renewed for three years. SOC 2 requires 6-12 months to complete and must be renewed yearly.

SOC 1 vs. SOC 2

SOC 1 and SOC 2 are certifications created by the AICPA, but they focus on different areas. SOC 1 is targeted towards financial reporting and looks at how a service provider’s operations could impact their customer’s financial reports. SOC 2, on the other hand, is focused on the service provider’s ability to provide a service and protect sensitive data in their care.

Beyond this, the two certifications are largely similar. They both are performed by a CPA firm and offer Type 1 and Type 2 reports.

SOC 2 vs. SOC 3

SOC 2 and SOC 3 reports are designed to test a service provider against one or more TSCs. However, the two reports are designed for different audiences, and SOC 3 are always Type 2 reports.

An SOC 2 report is intended for a “professional” audience, such as auditors and shareholders. These reports will be provided to a service provider’s customers in response to an audit request.

An SOC 3 report is designed for a general audience and is a more high-level version of an SOC 3 report. For example, a cloud provider may publish an SOC 3 report on their website to assure their non-corporate customers that they properly protect the data entrusted to them.

SOC 2 compliance checklist

The AICPA does not provide a checklist for preparing for an SOC 3 compliance audit. Some steps to take when preparing for an SOC 2 audit include:

Choose the right report: An SOC 2 report is designed to demonstrate to a professional audience that an organization managing non-financial data can perform the required services. If this description does not fit your goals, then an SOC 1 or SOC 3 report may be a better fit.
Choose an audit type: SOC 2 reports can be Type 1 or Type 2, each with certain benefits.
Identify target TSCs: SOC 2 only requires that an organization be certified against the Security TSC, but one or more of the other four may be a good fit for your business. Identify which TSCs your organization wants to be certified against.
Identify regulatory crossover: SOC 2 has a significant overlap with other regulations (ISO 27001, GDPR, etc.). If your organization holds or plans to seek compliance with these regulations, take advantage of the mappings provided by the AICPA.
Perform a gap assessment: The AICPA publishes the criteria that an organization will be assessed against for each of the five TSCs. While this does not mandate specific controls that should be in place, an organization should be able to demonstrate that it has controls in place to meet each of these requirements.
Implement missing controls: If gaps are identified in the previous step, put the required policies, processes and controls in place to fix them.
Engage an auditor: SOC2 audits are performed by a CPA firm. Identify and engage one who has experience in performing SOC 2 audits, ideally for organizations similar to yours.

Sources

SOC 1 vs. SOC 2 vs. SOC 3, WorkOS
System & Organization Controls (SOC) Reporting, Baker Tilly
Mappings Relevant to the SOC Suite of Services, AICPA
ISO27001 vs SOC 2 Certification: Six Similarities and Differences, Tugboat Logic
2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, AICPA

Posted: October 19, 2021

Howard Poston

View Profile

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.