Data security is of the utmost importance today, which is why frameworks like SOC 2 were developed. Learn everything you need to know about SOC 2.

Your Complete Guide to SOC 2 | Secureframe

Your business' cybersecurity is paramount, especially in the wake of several high-profile data breaches and exposures that have occurred within the last few years. To avoid costly data breaches and remain competitive in the marketplace, businesses must make sure they have systems and processes in place that protect against cyber threats.

And, once you build those systems, your prospective clients need to know that their data is safe.

There are various standards and certifications that organizations like yours can pursue to prove their commitment to security. One of the most well-known is the SOC report — and in terms of handling customer data, SOC 2.

Below, you’ll learn about the three types of SOC reports, how to comply with SOC 2 standards and guidelines, and why you should consider getting a SOC 2 report.

Systems and Organization Controls is both a type of auditing procedure and a suite of reports that those audits can produce. 

The American Institute of Certified Public Accountants developed these to measure and report on the security of a company’s systems and evaluate the internal controls around them. 

Internal controls are simply policies, procedures, rules, and mechanisms to ensure compliance with laws, foster reliable financial reporting, and mitigate risks. An example would be requiring one individual to approve an invoice before another pays it.

Creating systems, controls, and documentation that comply with SOC guidelines requires you to invest time and resources. Then, SOC requires those systems and that documentation process to be audited by a SOC auditor — it can be complex.

However, there are plenty of benefits to be had, as we’ll discuss next.

There are several kinds of SOCs reports — SOC 1, SOC 2, and SOC 3. 

Let’s briefly cover SOC 1 and SOC 3 so you have some context before we go more in-depth on SOC 2.

SOC 1 is the first type of SOC auditing procedure and report, focusing on the finance and accounting side of a business.

In particular, SOC 1 deals with internal controls pertaining to an organization’s financial statements. An outside auditor — usually a CPA firm — can do these audits.

You can get one of two report types from a SOC 1 audit. 

Type I: This reports on an organization’s design and suitability of controls and systems as of a specific date.

Type II: This reports on an organization’s design and suitability of controls and systems over a period of time, generally three 12 months.

The business’s customers and external auditors are the primary users of the SOC 1 report. Customers want to know that your financial processes are secure, while auditors must know a firm’s internal controls so they can understand how they impact financial statements.

SOC 1 and SOC 2 compliance reports are restricted-use reports, meaning only the company and its current/prospective customers can look at them. These contain a level of detail on a firm’s internal controls that shouldn’t be public-facing.

If they were, competitors could, for instance, steal ideas for internal controls and possibly other secret information about the company.

SOC 3 helps with this. The SOC 3 report is not a distinct auditing procedure, nor is it a separate report. Instead, it’s a general-purpose, less formal version of the SOC 2 report that we’ll cover later.

The SOC 3 report contains a shorter, high-level version of the information found in a SOC 2 report. It mainly provides background about the company, a brief auditor opinion on the firm’s systems and controls, and management’s assertions about those aspects.

SOC 3 reports are often helpful for marketing purposes. For example, you can make a SOC 3 report available on your website so customers can see that you take security seriously — but without having to contact you to request a SOC 2 report.

SOC 2 is a set of compliance criteria concerning how companies handle customer data and information.

It covers every process that might deal with that data and scrutinizes the security associated with it. 

It’s also the auditing procedure used to determine if you comply with those criteria. 

When you undergo a SOC 2 audit successfully, the auditor will issue you a SOC 2 report. There’s no official SOC 2 certification — instead, this report serves as proof that an independent auditor believes you adhere to SOC 2’s rigorous standards.

Like SOC 1, there are two kinds of SOC 2 audit reports you can receive.

These evaluate the design and suitability of a firm’s internal controls pertaining to customer information handling and security. It also examines how they stack up against the relevant trust criteria at a specific point in time. 

Type I audits and reports can be completed in a matter of weeks. 

These evaluate the same factors as the Type I audits, but they also analyze operational effectiveness over a timeframe — generally, three to 12 months.

Audits must be performed annually to maintain SOC 2 compliance. Thus, auditors monitor systems for a period of time instead of performing a single audit.

Now, both types are nearly the same, with the differences mainly being the time involved.

Type II audits take a require a more significant investment in both time and resources. However, certain types of clients — usually those that regularly deal with sensitive customer data — will often only work with firms that have a SOC 2 Type II report.

For example, clients in the banking and insurance industries may only work with you if you successfully underwent a Type II audit since they handle customer money and financial data.

As mentioned, your SOC 2 report can serve as proof of your adherence since there’s no official certification.

This report will contain several sections.

Assertion tells the reader if your systems are represented fairly in the report and if they meet the trust principles you specified and sought to meet.

This contains the auditor’s professional opinion about how well your controls follow the trust standards you specified.

This contains a description of your service organization, including details about your firm’s industry and location. It includes a summary of your data security controls and why you need them.

The infrastructure section provides a detailed list of data, people, policies, processes, software, and technology your organization deals with. It also includes info about third-party providers if you outsource to any.

Relevant aspects of the control environment: 

This part explains the most important aspects of your internal control environment: 

This section details how you’re implementing your internal controls to bolster your firm’s security.

Trust service principles, criteria related controls, and tests of controls

In this part, the report discusses your system of controls and how effective they are at achieving each of the trust principles you sought to come into compliance with.

Several potential parties may need to read or use the SOC 2 report, including: 

Current and prospective customers: Customers are interested in how you handle their data and if it’s secure for obvious reasons.

Business partners: Business partners want to know what kinds of internal controls are in place to keep data safe and prevent costly breaches.

External auditors: External auditors may examine internal controls surrounding customer data security.

Regulators: Regulators check to ensure a firm’s controls and systems comply with all applicable laws and regulations.

Becoming SOC 2 compliant can require a significant investment of your time and financial resources. However, the payoff is immense.

Here are some of the many benefits you’ll enjoy by achieving and maintaining SOC 2 compliance in your organization.

Sets you apart and attracts more customers

Every company that does anything online claims that they’re secure and handle your data with care. 

However, these claims are empty without evidence — and a formal SOC 2 audit provides that evidence.

Reaching and maintaining SOC 2 compliance demonstrates that you actually do have top-notch security and that you’re committed to keeping your customers’ data safe and sound. This can stick in peoples’ minds and even capture prospects that are on the fence.

Therefore, it’s a good idea to let it be known that you are compliant with SOC 2 in relevant areas throughout your brand’s assets. This includes your website homepage, privacy policy, and so on. 

Then, you can market your compliance as your adherence to the most rigorous security standards could sway prospective customers.

2020 saw a massive 1,001 data breaches. That’s close to double the 662 data breaches we saw in 2010. 

Each one of those data breaches could affect a substantial number of customers, exposing their data to cybercriminals. 

Accidental data exposures were frequent, too. These often result from weak internal cybersecurity controls and processes — an example being leaving a massive database unprotected and accessible online.

Some 156 million people had data exposed through human error and oversight in 2020. 

The lesson here is that you can have the greatest brand in the world, but if your security is lacking and you experience a data breach, your brand’s reputation will crash.

SOC 2 processes and controls in your organization minimize the chance of these events occurring, protecting your brand in a world of unauthorized data access.

Accelerates progress toward other security certifications

Naturally, pursuing policies, procedures, and controls that bring you into compliance with a rigorous security standard will shorten your journey toward other certifications.

For example, SOC 2 compliance shares a lot of its requirements with ISO 27001 guidelines. Once you’ve achieved SOC 2 compliance across all of the trust principles, getting ISO 27001-certified is easier and may require fewer resources.

This can be especially helpful if you do business domestically and internationally, as clients outside the U.S. prefer ISO 27001.

There are five core trust principles involved in complying with SOC 2 standards. 

You don’t have to become compliant in all five of these at once. Ideally, you should become compliant in all five at some point, especially if you regularly process a lot of customer data.

However, firms with limited resources should pick the principles that will be the easiest to achieve, then go for the others later. 

Auditors will provide you with a report detailing how you’ve done in every area that you’d like to be evaluated for.

With that said, here are the five principles.

Security deals with protecting information and system resources against unauthorized access. 

Two main types of controls are involved in security.

Secureframe Raises $18m from Kleiner Perkins to Automate Security Compliance. Read on TechCrunch →

https://techcrunch.com/2021/03/18/secureframe-series-a-cybersecurity-compliance/

Get the answers to some of the most crucial questions relevant to becoming SOC 2 compliant directly from an expert in the field.

A complete interview with a SOC 2 auditor

If you’re a service-based company, becoming SOC 2 compliant is an important step.

With the increasing number of cyber threats, clients feel more comfortable with a business that goes through this type of examination.

But if you’re reading this guide, chances are you already know that.

Now the question becomes: What can you do to prepare for a SOC 2 audit?

To help you out, we interviewed auditor K.C. Fikes, Data Analytics Practice Lead at The Cadence Group.

He answered some of our most frequently-asked questions.

But let's start out with our own quick primer on SOC 2 audits.

SOC 2 audits analyze the operations and controls of service-based organizations in terms of the “Trust principles” outlined by the AICPA (American Institute of Certified Public Accountants), which include:

Security (often referred to as “common criteria”): Controls you have to protect confidential data from unauthorized access.

Availability: Controls that help you make sure your services are available to clients, employees, and customers when they need them.

Processing integrity: Standards you have in place for your processing system (i.e., how are you making sure your systems provide timely, accurate data to clients?)

Confidentiality: Controls and standards that help you manage, classify, access, and protect clients’ confidential data.

Privacy: Controls you’re using to keep your clients’ sensitive information private. 

Here's a quick diagram of how it all fits together:

All these principles working together help you effectively protect customer data. The only required principle to become SOC 2 compliant is the “Security” principle, best known as “common criteria.”

That said, the best way to understand SOC 2 audits is by “getting into the mind” of an actual auditor. 

What do you look for when examining an organization? 

“Assuming you’re type II, we’ll come in a couple weeks before the period of review ends. We’ll do a kick off and talk to the key players and request populations (e.g., instances of some sort of technology function in operation, like a software change or security monitoring software logs).

“From the populations, we’ll sample some of them to see if the control was working. For example, we might sample 10 of the 100 software changes during the review period and see if they were reviewed by peers.

“Then, we’ll test each sample against each control.

“After this assessment, if everything worked out correctly, we will start writing the report.” 

But what happens if one of your controls isn’t working properly?

“If we sampled something and didn’t meet the attribute of a control, we go to the firm and see what happened. We tell the client that we’re missing something. Is there any evidence for this sample to meet controls? Then, we’ll look at the sample that didn’t pass. We might also expand the samples to analyze whether it was just an outlier or see if there’s more of a systemic issue. 

“If it was an outlier, we note an exception. If it wasn’t, we might say it was a failure of the control. Our reports would note these exceptions and failures.”

To get a more thorough explanation of SOC 2 audits, we suggest you read our complete guide to SOC 2. 

SOC 2 audits can be split into two main types: Type I and Type II.

The length of your audit will depend on the report type you’re looking for. 

Here is the average scope for each report provided by K.C. Fike:

Type II: A couple weeks longer. From kick-off to handing in the report, it’s about two months.”

If this is the first time you’re going through a SOC 2 assessment, we suggest you start with a SOC 2 Type I report, as they’re simpler audits that can help you prepare for a Type II report. 

What are the differences between Type l and Type ll reports in a SOC 2 audit?

The main difference between SOC 2 Type I and SOC 2 Type II lies in the length of each. 

SOC 2 Type I reports analyze the performance of your controls at a single point in time (e.g., SOC 2 report for May 15, 2021).

SOC 2 Type II reports analyze the performance of your controls over a longer period (e.g., SOC 2 report of May 15, 2021, to July 15, 2021).

Fikes also mentions other crucial differences between each report type, breaking them down piece by piece. 

According to Fikes, these reports consist of the following: 

Our SOC 1 vs. SOC 2 guide provides a more detailed explanation of all the elements involved in the different report types. It’s a great way to deepen your understanding of this topic. 

Which specific controls do companies typically have difficulty passing?

Understanding the overall guidelines to become SOC 2 compliant is important, but what about the most common challenges?

Fikes suggests you pay special attention to the following controls, as organizations often struggle with them:

Non-usual controls: “Those controls that don’t operate as frequently as others because those get forgotten (e.g., forgetting to do annual risk assessments or annual reviews).”

Unclear controls: “Controls that don’t have clearly defined policies or procedures (e.g., getting a lot of data from a logging tool but not knowing how to properly respond).”

“It’s important to have very clear organizational management on how to deal with controls.”

What are the primary red flags you look for during an audit?

As Mark Grey states: “A team is only as strong as its weakest people.”

In the same way, your SOC 2 compliance will depend not on your best controls but your weakest.

The best way to prepare for a SOC 2 examination is by analyzing your controls and identifying which are the least efficient. That’s where you should put most of your attention.

To help you out, Fikes laid out some primary red flags you should be careful of:

Responsibilities: “No control ownership (e.g., control owners uncertain on what their responsibilities are).”

Scope: “No defined scope (e.g., what applications/infrastructure do you need for a SOC 2 assessment?).”

Readiness assessment: “No readiness project performed.”

Lack of preparation: “Controls stop operating.”

Inconsistencies: “Processes/technology changes but controls don’t match/meet.”

By paying attention to these elements, you’ll be better prepared for your SOC 2 audit.

Also, it’s especially important to perform a readiness assessment prior to your examination. This way, you’re able to spot potential issues with your controls and fix them before the auditor comes in to analyze your firm. 

Lack of preparation is one of the main reasons organizations don’t pass a SOC 2 audit. 

Do you have any last words for companies preparing for a SOC 2 audit?

At this point, you already understand the basics of becoming SOC 2 compliant. 

To help you become more prepared, we asked Fikes for some extra tips to consider. 

“Have a clear idea of how you manage the compliance process.”

“Define an owner or person in charge of handling compliance at scale.”

“Have a budget to make security a priority for resources, tools, and personnel.”

“Make sure there’s true buy-in from senior management from the top.”

If management doesn’t truly support your security compliance, you’ll experience tons of issues during the whole process.

A SOC 2 assessment should be completely aligned with business objectives and goals. 

We suggest you schedule a meeting with your management team to discuss all the benefits that come with a SOC 2 examination and make sure they’re fully on board with the process. 

Are you ready for the SOC 2 attestation process?

SOC 2 examinations help service-based organizations ensure they have the best controls in place to protect a client’s confidential data.

By becoming SOC 2 compliant, you’re able to protect one of your most valuable assets: data.

Hopefully, the answers provided today can help you better prepare for your examination and start off on the right foot. 

And, if you need more thorough guidance for your security compliance, Secureframe might be able to help. To see for yourself, read our product overview page to learn more about our process.

Interview with a SOC 2 auditor: what does an auditor look for during the audit?

Learn why most companies fail to get an unqualified SOC 2 report in this in-depth interview.

Interview with a SOC 2 auditor: reasons for SOC 2 failure

Preparing for your first SOC 2 audit and worried that you won’t pass? Wondering what exact things stop companies from getting approved?

To help you figure out just that, we interviewed K.C. Fike, Data Analytics Practice Lead at The Cadence Group, with more than a decade of experience in overhauling IT processes and data handling within businesses.

This interview covers what a SOC 2 report is and how it’s different from SOC 1, the top reasons auditors won’t give you the report, and how you can avoid those issues.

He also breaks down how to interpret the SOC 2 report results when you get them (as they don’t just write passed or not passed).

What is the difference between a Type 1 and Type 2 SOC 2 report? 

SOC 2 Type 1: The initial controls design

A Type 1 report is an evaluation of the design of your controls at a point in time. We’ll walk through the controls, make sure it makes sense for the environment, and look at an example of the control to make sure it’s designed effectively. For example, if the focus is on secure data handling, making sure password settings like character count are actually implemented, two-factor authentication is used throughout the company, and more.

Who has access to what data is also important, so setting up a hierarchy using user access controls is another example of a data security control.

SOC 2 Type 2 - ongoing operation of the controls

A Type 2 report examines the design of controls to see if they’re operated effectively over 6 or 12 months. So it’s essentially a test of the controls you set for the Type 1 report.

That’s when we come in and ask a company to show us the actual process in action. That includes any new employees over the last 12 months, and we’ll do a test to see if they were onboarded properly. We might ask to see password settings, two-factor authentication, and other security measures, access logs, uptime reports, and more.

There are some nuances in the type of report. For example, in Type 1, we only focus on listing out the controls. But in Type 2, we’ll also show a table of tests we ran to make sure these controls were effective/ineffective and test procedures.

To learn more, you can read our full in-depth guide to SOC 2.

How do you interpret the results of the SOC 2 report

In a SOC 2 report, the results fall into one of four categories.

Unqualified opinion: No material inaccuracies or flaws in systems. This is your goal.

Qualified opinion: There are material misstatements in system control descriptions, but they’re limited to specific areas. 

Adverse opinion: There is enough evidence to prove material inaccuracies in your controls’ description and weaknesses in design and operational effectiveness.

Disclaimer of opinion: There’s no way to obtain enough evidence to establish an educated opinion.

It may sound counterintuitive, but the best outcome for the report and what you want for your business is an “unqualified opinion.” 

In this context, it doesn’t indicate a lack of information but that your implementation of the controls and security measures work exactly as described in the initial SOC 2 Type 1 report.

Adverse opinions are pretty rare, as they basically conclude that there are major issues with the entire design of your security measures. If you receive one, you should start again from the ground up, preferably with an experienced consultant.

If you want SOC 2 compliance for your service organization, a robust internal control protocol is crucial.

What are the top reasons an auditor wouldn't give an unqualified SOC 2 report?

If you pay for a report, you’re always going to get one, but the opinions will decide whether or not you can claim to be SOC 2 compliant. Just getting a report doesn’t automatically mean your data processing integrity is approved.

You need a SOC 2 report with an unqualified opinion for that.

What causes me to deliver a qualified opinion, indicating issues with the process in certain areas, is a failure of the controls. One common example is the failure of new staff to follow the original protocols laid out in the controls design.

A rapidly growing service organization or a company that underwent an acquisition or merger is typically at a much higher risk of this issue.

Here are some examples of what negatively affects the auditor's opinion:

Inconsistent application of controls between employees (even new hires)

Inconsistent application between projects or deliverables

Insufficient security measures in the original controls design

The reason behind these issues are often linked to:

No clearly defined standards throughout the company

Inconsistencies throughout the tech stack

SOC reporting and the audit process focus on consistency throughout your organization. 

SOC 2 requirements include risk management, communication protocols, designing, and monitoring controls, plus more.

Of course, over a 12-month testing period, there can be some exceptions without meaning you automatically fail. Exception for control doesn’t mean you didn’t get a report, but we mark it as an exception. 

For example, let’s say 2 of 25 software changes weren’t peer-reviewed before going live. We’d highlight these issues as exceptions and give management the opportunity to remediate the issues. 

A long list of exceptions can lead to a failure of your security controls. Every step of the process is crucial for securely handling internal and customer data.

I only issue an adverse opinion when the control environment doesn’t exist, and there are failures throughout the entire process. For example, if everyone in the company can access sensitive customer data and there are no safeguards like two-factor authentication.

How do you avoid falling into these common mistakes?

To make sure all employees follow protocol, you need to make it part of your company culture. Make sure all employees know their responsibilities within the organization and processes — even new ones.

Hold training sessions across departments and create a single standard for every relevant employee to follow.

As the organization grows, you must bake the controls and processes into your onboarding and training. 

Beyond this, you should reach out to the auditor and ask questions. Auditors are trying to be transparent. Let them know if you’re thinking about something like migrating from GCP (Google Cloud Platform) to AWS (Amazon Web Services) and how that would impact their SOC report.

Secureframe Blog

Your Complete Guide to SOC 2

Interview with a SOC 2 auditor: what does an auditor look for during the audit?

Interview With a SOC 2 Auditor: Why Would an Auditor Qualify Their Opinion on a SOC 2 Report

Interview With a SOC 2 Auditor: Maintaining Your SOC 2

Hiring an ISO 27001 Consultant: A Fast-Track to Compliance?

SOC 2 Type II Compliance: Definition, Scope, and Why You Need It

The Ultimate Guide to SOC 2 Requirements

Never miss a post. Subscribe!