Simplifying Compliance: SOC 2 Explained

  • April 21, 2022

Security breaches are becoming a more prevalent and more costly threat for today’s organizations. Last year, the total number of data breaches rose by more than 68% and the average cost of a breach jumped by 10%. And that trend shows no signs of slowing down. 

An airtight security posture is no longer a nice-to-have, it’s a must-have. And from CIS to PCI DSS, there are dozens of security frameworks designed to help organizations protect their customer data. One of the most popular and respected frameworks is SOC 2.

Unraveling SOC 2 can be difficult for the uninitiated. The different SOC frameworks and report types can be confusing, criteria and requirements fuzzy, and auditing details vague. 

In this article, we strip away the jargon and explain the essentials of SOC 2 in clear and simple terms. 

Let’s get to it.

What is SOC 2?

SOC 2 is a security framework that specifies how service organizations should safeguard customer data that’s stored in the cloud. The American Institute of CPAs (AICPA) developed SOC 2 in 2010 to give CPAs and auditors more specific guidance for evaluating an organization’s security protocols — and to help those service organizations establish trust with customers.

SOC 2 stands for “System and Organization Controls” and refers to both the security framework and the final report that’s issued at the end of a compliance audit. To “get a SOC 2” means to have a report in hand from an accredited CPA or auditor stating your company has completed an audit and meets SOC 2 requirements.

Being SOC 2 compliant is not legally required, unlike HIPAA or GDPR. But in recent years it has become table stakes for modern SaaS companies.

More customers are requesting a SOC 2 report as a way to verify your information security posture before they will do business with your company. Without a SOC 2 report, your organization will likely lose deals to compliant competitors, experience longer sales cycles, have difficulty moving upmarket, or be asked to complete lengthy security questionnaires in order to satisfy customers’ cybersecurity requirements.

A SOC report clears these roadblocks. It builds trust with customers, who know that you will safeguard their data from security breaches. 

The process of getting SOC 2 compliant also unveils important insights into your organization’s systems and processes. Do you have conflicting policies or redundant software? SOC 2 encourages growing companies to build a stronger data security posture and scalable processes into their DNA. Laying a strong security foundation early on will make it much easier to close enterprise deals, prepare for an acquisition, and secure funding. 

SOC 1 vs SOC 2 vs SOC 3

SOC 2 isn’t the only security framework created by the American Institute of Certified Public Accountants. It also developed SOC 1 and SOC 3. So what’s the difference between these auditing standards?

SOC 1 is designed for organizations that impact a customer’s financial reporting, like payroll, claims, or payment processing companies. SOC 1 assures customers that their financial information is safe.

SOC 3 is closer to SOC 2 in that both reports involve a CPA audit based on SSAE 18 standards. But since SOC 2 reports include detailed descriptions of organization controls and systems, they are usually private and not shared unless under an NDA. SOC 3 reports don’t go into as much detail and are meant to be shared with the general public, typically on the organization’s website.

Basically, SOC 2 and SOC 3 cover the same information and both certify your organization’s compliance. But SOC 2 has a greater level of detail and privacy. Because of this, SOC 3 reports generally don’t satisfy customers who need to see a SOC 2 report before doing business with your company.

The AICPA Trust Services Criteria

The AICPA built the SOC 2 framework on the foundation of five Trust Services Criteria (formerly called the Trust Services Principles).

They are: 

Security: How do you protect data from data breaches?

Availability: How do you ensure data is reliably available to those who need it?

Processing integrity: How do you verify that information assets and systems operate the way they’re supposed to?

Confidentiality: How do you limit data access, storage, and use?

Privacy: How do you keep sensitive information and personally identifiable information (PII) private from unauthorized access?

The criteria you select for your SOC 2 report are what your organization will be evaluated against during your audit.

Note that Security is the only TSC that’s required for every SOC 2 report. The other four TSCs are optional, and you’ll decide which to include based on the type of services you provide and your customers’ demands.

Report types: SOC 2 Type 1 vs SOC 2 Type 2

There are two types of SOC 2 reports: Type I and Type II.

A SOC 2 Type I report examines an organization’s security posture at a given point in time. It’s designed to determine whether the internal controls are both properly designed and sufficient for data protection.

A SOC 2 Type II report evaluates how those internal controls perform over a specific period of time, typically anywhere between 3 and 12 months.

Because a SOC 2 Type I is a point-in-time report, it’s often faster and less expensive to complete than a Type II report. Some Type I audits can be completed in just a few weeks. However, many customers are specifically requesting SOC 2 Type II reports from their service providers, which provide greater assurance of the quality of an organization’s security posture. 

For organizations that need a SOC 2 report urgently, we typically recommend a Type II report with a 3-month review window. It will save you from duplicate audits and provide potential customers the level of assurance they need. 

How to achieve SOC 2 compliance: the SOC 2 audit process

No two SOC 2 audits are alike. Every organization is different, the chosen Trust Services Criteria are different, and the internal security controls and systems are different. 

That said, SOC audits typically follow a similar set of steps. 

First, the organization decides which type of SOC 2 report they will pursue — a Type I or Type II — and which TSC they will include in the scope of their report. Remember, Security is the only required TSC.

Next, the audit window is determined. The AICPA recommends at least 6 months for Type II reports, but they can be done in as little as 3 months or as many as 12. 

Now you’ll need to decide which systems are within the scope of your audit and begin collecting documentation about those systems and controls to use as evidence during your audit. Your auditor will review all of this documentation, along with your systems and security controls, to determine your level of compliance with the TSC you’ve selected. 

Examples of documents your auditor will need are: 

  • Information asset inventories
  • User access controls and policies
  • Risk management policies, risk assessments, and risk treatment plans
  • Change management policies and procedures
  • Code of conduct and ethics policies
  • Security incident response and business continuity plans
  • Maintenance records and system backup logs

Then you’ll complete a gap analysis and readiness assessment. Use the documents you’ve compiled to compare where your organization stands today with SOC 2 requirements. Where are the gaps you’ll need to fill in before your audit?

A formal readiness assessment can provide useful insights into the state of your security posture. A SOC 2 auditor will perform their own gap analysis and provide specific recommendations for your organization based on the TSC you’ve selected for your audit. The final readiness assessment report will help identify which controls will appear in your final SOC 2 report and any vulnerabilities that could prevent you from meeting compliance requirements.

Finally, you’ll select an accredited CPA or auditing firm and complete your SOC 2 audit, during which the auditor will test the operating effectiveness of your systems and controls. At the end of your audit, you’ll be issued your formal report. To maintain compliance, a new audit is typically needed every 12 months. 

35+ free resources to simplify SOC 2

Security frameworks can be complicated. That’s why we built a one-stop SOC 2 information hub with everything you need to understand compliance.

Browse 35+ free resources to master the basics of SOC 2. Dive deeper into the audit process, get tips to simplify audit prep, and much more in the complete SOC 2 Compliance Hub.
