SOC 2 is an attestation framework developed by the American Institute of CPAs (AICPA). A SOC 2 report is issued by an independent, licensed CPA firm after it examines a service organization's controls; the output is an auditor's opinion rather than a certificate, which is why "SOC 2 compliance" and "SOC 2 attestation" are used interchangeably in practice.
A SOC 2 examination is scoped against the AICPA Trust Services Criteria, still widely referred to as the five trust service principles. Security is required in every SOC 2 report; the other four (availability, confidentiality, processing integrity, and privacy) are included when they are relevant to the service and to the commitments the organization has made to its customers.
Security. SOC 2 auditors assess the policies, processes, and controls that protect systems against unauthorized access, both logical and physical. Typical controls include firewalls, intrusion detection, and multi-factor authentication, backed by procedures for granting, reviewing, and revoking access. These measures are intended to prevent system compromise and the unintended disclosure or alteration of data held in the system. The security criteria are also known as the common criteria because they apply to every SOC 2 report regardless of which other categories are in scope.
Confidentiality. Auditors also evaluate the safeguards that protect confidential data in storage and in transit. Confidential data might include intellectual property, proprietary business data, legal documents, transaction details, or engineering plans, essentially any information whose use is restricted to a certain person or group. A cloud or SaaS provider can block unintended access to such data with firewalls, encryption, and access controls, combined with policies for identifying confidential data, retaining it for a defined period, and erasing or destroying it once the retention period has expired.
Privacy. How a service provider safeguards personally identifiable information is also part of a SOC 2 audit. Personally identifiable information is any detail that could identify an individual, such as a name and address, race, sexual orientation, religion, or social security number, and it also covers sensitive health records, credit details, and financial information. SOC 2 auditors assess the system's ability to protect that information during collection, storage, transmission, use, and disposal. They will also check that the organization keeps the promises set out in its privacy notice and that its practices align with the AICPA privacy criteria, which are derived from the AICPA's generally accepted privacy principles.
Availability. The availability criteria require that a service provider's product or solution be available for operation and use as committed in its service level agreement or contract. This covers both the availability of the system and network and the handling of events that could disrupt them. An auditor might examine how the company handles security incidents, its capacity planning, and its disaster recovery processes. Controls that safeguard availability might include monitoring and alerting, environmental protections such as power and cooling, and routine testing that backups can actually be restored.
Processing integrity. Finally, auditors evaluate whether a system's processing achieves its intended objective. This means not only delivering the right information in a timely manner but also ensuring that the data is complete, valid, and authorized, and that it accurately reflects what the user originally entered into the system. Processing integrity would be compromised if, for example, transactions were duplicated during processing or if errors or inaccuracies were introduced into transactions submitted to the system.
Cyber Security Services (CSS) has been providing consulting services to help organizations achieve SOC 2 Type I and Type II attestation since 2013. From our first customer until today, we have successfully concluded more than 100 SOC 2 engagements. Let us show you our proven methodology that gets customers over the finish line.
SOC reports, short for System and Organization Controls (originally Service Organization Control), are defined by the AICPA. A service provider can obtain two types of SOC 2 report, Type I and Type II. Both cover the same controls that the service organization has in place to meet the trust services criteria in scope, drawn from security, availability, processing integrity, confidentiality, and privacy. The primary difference between SOC 2 Type I and SOC 2 Type II is that Type I is a point-in-time audit, whereas Type II covers an audit period of 3 months to 1 year. In short, SOC 2 Type I is typically easier to achieve for organizations on a short timeline. Because SOC 2 Type II spans a period of time, the controls must be shown to have operated effectively for the entire audit period, which means evidence has to be retained throughout.
The SOC 2 Type I audit examines whether a company has internal controls in place for managing customer data against the trust services criteria in scope as of a specified calendar date. It also checks that those controls are suitably designed to meet the service provider's objectives. You can think of Type I as a snapshot in time.
While the SOC 2 Type I audit examines whether controls are in place and suitably designed as of a specified date, the SOC 2 Type II audit goes further and tests the operating effectiveness of those controls, assessing whether they actually performed as described over a period of 3 consecutive months up to 1 year.