Business software has become ubiquitous. The average mid-sized company works with more than 10 technology vendors, and some larger corporations can deal with hundreds.
But with hacks and data breaches on the rise, it’s increasingly important for your organization to earn customers’ trust.
Without a longstanding relationship, it’s difficult to know if a third-party provider can be relied on to secure your critical data.
That’s where Service Organization Control (SOC) comes in. A SOC report is like a letter grade in the restaurant window. At a glance, it proves you pay attention to crucial details.
But what is a SOC report, and how do you get one? This article has the comprehensive introduction you need.
A SOC report is generated by an independent audit of a company’s information security systems. It’s a comprehensive review of what the company does to secure the information it works with.
A company might request a SOC report because a prospective client has asked for one as a condition for working together. This is a common practice, similar to asking for references before hiring an employee.
Alternatively, a business might decide to pursue SOC compliance before anybody asks for it. This can help to attract clients by demonstrating that the company can be trusted. The term “audit” often implies that the subject is suspected of wrongdoing, but with SOC, that couldn’t be further from the truth.
SOC is specifically designed to test the security of information systems. Therefore, companies that seek a SOC examination tend to be in the business of handling large amounts of information on behalf of other companies. Examples include (but are not limited to) accountants, money managers, staffing firms, marketing agencies, third-party software developers, and anybody who provides cloud storage.
At Secureframe, we regularly seek SOC 2 compliance to practice what we preach. As compliance automation professionals, we’re a prime example of a business that needs to build trust among our customer base.
SOC stands for Service Organization Control. The American Institute of Certified Public Accountants (AICPA) oversees the process. Only a CPA or an organization accredited by the AICPA can conduct a SOC audit.
Preparatory materials often group controls into specialized variants of SOC 2 targeted at particular goals. Examples include SOC for Cybersecurity, SOC for Supply Chain, and so on.
Beyond these divisions, each SOC report is personalized to the specific company under audit. Auditors must evaluate a few common criteria related to security, but they’re otherwise free to evaluate any of a long suggested internal control list. Ultimately, no two SOC reports will look exactly alike.
Given that they’re both standards for auditing information security protocols, SOC and ISO 27001 are often confused. If you’ve ever mixed them up, you’re not alone: ISO and SOC share almost all the same controls, varying by as little as 4%.
But they’re not identical. There are two key differences between SOC and ISO 27001:
The AICPA provides an illustrated example of a SOC report on its website. It runs 31 pages, a fairly typical length.
A quick review of the contents reveals the following:
Now that you have a better idea of what SOC reporting looks like, let’s explore the four different shapes SOC comes in.
Each type of SOC report has a slightly different set of use cases.
As you’ll read in the next section, SOC 1 and SOC 2 are subdivided into Type I and Type II. Both I and II refer to how the audit is conducted, while 1, 2, and 3 refer to the subject matter of the SOC report.
A SOC 1 audit is for any organization that provides its clients with services related to financial reporting.
To put it another way: if anything a business does could impact a financial audit of one of that business’s clients, that business might need a SOC 1 report.
Examples include accountants, payroll processors, or tax preparation assistants.
Since CPAs manage SOC, and financial information is often the most sensitive, financial controls are an area of special interest. The SOC 1 process examines a company’s security and business processes, looking for any risks to users’ financial information.
A service auditor should also check to see if any risks that arise from the audited business could impact internal controls put in place by clients. You could have the best information security in the world, but that’s not worth much if you contract with third parties who don’t uphold the same standards.
SOC 2 is by far the most commonly sought form of SOC compliance. It’s for any organization providing third-party services that require customers to trust them with sensitive data (known as trust services for short).
Instead of a pre-determined list of controls like those that make up most ISO criteria, SOC 2 is based on the “trust services criteria” (TSC). These group suggested controls under five categories:
The controls grouped under Security, known as the “common criteria,” are the only ones required to undergo a SOC 2 audit. Companies are asked to document their control environment, communication and information protocols, risk assessment processes, and how they implement and monitor controls.
All the others are optional, though any reputable auditor will check on more than the bare minimum.
A company that gets a SOC 2 audit usually provides some sort of B2B service, but it’s not uncommon for a B2C company to seek a compliance audit as well. However, since a SOC report is not necessarily public knowledge (and isn’t easy for a non-professional to parse), the company might get a SOC 3 report instead.
A SOC 3 report is similar to a SOC 2, except it’s shorter. It’s a more digestible product that can be used for marketing or made available to customers for free. SOC 3 reports are an easy way to build trust among large groups of individuals.
A SOC report is generated by a SOC audit conducted by a SOC auditor. This is usually a CPA or an AICPA-accredited organization. Before you invite an auditor to your office, your first step is to decide exactly what sort of SOC report you need.
First, choose from among the three SOC categories in the previous section. They’re not mutually exclusive. In fact, some companies might seek all three.
Plenty of large corporations offer both financial and non-financial services and want to build trust among businesses and the public.
Say your company is a small startup that provides cloud services to larger businesses. Obviously, you would choose SOC 2.
Next, you’ll need to choose a type. You have two options:
Choose based on your budget and the urgency of producing the certificate. Many organizations choose to start with a Type I audit and then use that report to undergo Type II.
Next, conduct a readiness assessment. This is like studying for the test — it ensures the auditor doesn’t catch you unprepared.
To do a readiness assessment, you have to get familiar with the trust services criteria.
Be able to answer questions like:
Consider every possible way the Trust Services Criteria might apply to your infrastructure. If you discover any areas in which your system falls short, determine what you need to do to become compliant. This is called a “gap analysis” — closing the gap between where your system is and where it needs to be.
Document everything heavily. You should be able to look at a complete list of the TSC and immediately produce a document explaining how your information security meets each criterion.
Finally, decide who you want to serve as your auditor. Pick a well-reviewed CPA or auditing firm that has experience in your industry.
The auditor will spend anywhere from a few weeks to several months working with your team before producing a SOC report. If you get an unqualified opinion, congratulations! If not, use the SOC report as an instruction manual for closing gaps and try again.
A SOC report is a stand-in for a trust relationship built over time. It takes a lot of work, but every other trust-building method takes more.
There’s really only one foolproof way to get a SOC report hassle-free. You have to work with a company that knows what they’re doing.
You’ve already seen that Secureframe is SOC 2 compliant. Our automations help businesses manage the complex compliance process with minimum friction. If you’re thinking about seeking a SOC report, get in touch with us today.