SOC 2 Type 2 Guide: Compliance and Certification - Part 1
What is SOC2 Type II and who needs it?
To start with, SOC is a system of service organization controls. The acronym stands for “system and organization controls,” and the controls refer to a series of standards designed to help measure how well a given service organization regulates and conducts its information.
SOC standards exist to provide peace of mind and confidence for organizations when they work with third-party vendors. A SOC-certified organization has been audited by an independent certified public accountant.
The Service Organization Control 2 (SOC 2) Type II examination shows that an independent auditing and accounting firm has examined and reviewed an organization’s control activities and objectives, and tested those controls to ensure that they are effectively operating.
It is based on Communications, Policies, Monitoring and Procedures.
SOC 2 Type II audits are meant to help organizations attain a reasonable level of confidence that their service providers comply with the applicable privacy and security standards, and that their systems are being operated efficiently and effectively.
With SOC 2 Type II examination, customers of service providers can evaluate the processing activities of service providers that have an impact on the security, confidentiality, processing integrity, and availability of the customer’s information.
And for the service providers, SOC 2 Type II examination helps them to understand the adequacy of their controls and in the demonstration of conformity with the applicable privacy and security standards.
The entities responsible for performing the SOC 2 Type are known as "qualified security assessors" (QSAs) and AICPA maintains the standards that govern SOC 2 Type II examinations.
A brief history of SOC 2
Before SOC 2, the main auditing service organizations’ standard was referred to as SAS 70 (Statement of Auditing Standards No. 70). These audits were done by Certified Public Accountants (CPAs) with the main intent of reporting on the effectiveness of internal financial controls. These started in the early 1990s.
With time, the audit was being used as a way of reporting on the effectiveness of an organization’s internal controls around information security more deeply.
Sometime in 2010, the AICPA (The American Institute of Certified Public Accountants) introduced SOC 1 and SOC 2 reports with the primary purpose of addressing the increasing need of companies to externally validate and communicate the state of their security.
Today, SOC 1 reports focus on controls that have an impact on financial reports. On the other hand, SOC 2 reports are written on audits against the Trust Services Criteria (TSC) standard. This is an ideal standard if you’re looking for a way to simultaneously grow your company’s maturity around business processes and security.
Types of SOC 2 Report
- The SOC 2 Type I Report
SOC 2 Type I reports detail the suitability and design of the company’s controls, its scope, and its management at a given point in time. It demonstrates proof of compliance with the American Institute of Public Accountants (AICPA) and other recognized accounting bodies’ auditing procedures and industry best practices. This benefits companies by assuring potential customers that their data will be safe in the hands of a SOC II compliant company.
There has been increased demand for SOC 2 Type I compliant providers as cyber-attacks continue to rise in frequency and sophistication. While not legally required, SOC 2 Type I compliance is highly sought after for companies handling customer data like healthcare providers and financial institutions to assure their customers that they have protective controls in place.
Depending on how well a company is prepared for their SOC 2 Type I, they can be audited immediately, and the report created. If a service organization has already performed a readiness assessment, has its controls in place, and is well documented, and the approved auditor can begin the examination right away.
Generating the SOC 2 Type I report typically takes between 2 to 4 weeks, unlike the SOC 2 Type II report, which takes 6 months to a year – making the SOC 2 Type I report is ideal for companies assessing multiple potential vendors or looking to engage 3rd parties in a relatively short amount of time.
- The SOC 2 Type II Report
Like the SOC 2 Type I report, the type II report is a description of a company’s system and the suitability of the design of controls, but it also assesses the operating effectiveness of said controls. While there are many benefits to SOC Type I compliance, SOC Type II provides a much higher level of assurance in comparison.
To achieve SOC type II compliance, a company must pass a thorough examination of its policies and controls over an extended period, requiring companies to dedicate even more time and resources. Most companies will select a period that overlaps the most with the company’s financial year. While there is no required minimum duration for the type II reporting period, the AICPA has suggested companies use a period of 6 months. To provide their clients with a continuous flow of reporting on their controls, companies usually decide in a 12-month reporting period to eliminate a break in the reporting period.
The SOC 2 Type II compliance and reporting demonstrate superior data security and control systems to potential customers. Companies with SOC 2 Type II compliance gain an advantage from the ability to engage larger, and more security-conscious organizations with their services.
SOC 2 Type II compliance is follows the same general principles of SOC type I but requires additional resources and working hours. SOC 2 Type II compliance easier to acquire for companies with mature controls that are constantly monitored and updated accordingly. The SOC 2 Type II audit is generally sought out by medium to large who operate with sensitive data or in heavily regulated industries with stringent security requirements.
SOC 2 major trust Principles
SOC 2 certification is issued by external auditors. They examine the level to which a vendor has complied with one or more of the five trust principles based on the processes and systems in place.
The trust principles are further broken down below:
The security principle has to do with the protection of system resources against unapproved access. Access controls help avoid potential system abuse, theft or unapproved removal of data, abuse of software, and inappropriate alteration or disclosure of information.
IT security tools like network and web application firewalls (WAFs), two-factor authentication, multi-factor authentication and intrusion detection are handy in preventing security breaches that can result in unauthorized access of systems and data.
The availability principle refers to the availability of the system, services, or products as stipulated by a service level agreement (SLA) or contract. Hence, the minimum level of performance that’s acceptable for system availability is set by both parties.
This principle does not include system usability and functionality but involves security-related criteria that may affect availability. Monitoring network availability and performance, site failover, and security incident handling are critical here.
3. Processing integrity
The processing integrity principle has to do with whether a system achieves its purpose or not (i.e., delivers the right data where it should be and at the right time). As a result, data processing must be valid, complete, accurate, authorized, and timely.
Nevertheless, processing integrity does not always mean data integrity. If data contains errors before it is entered into the system, detecting them is usually not the responsibility of the processing entity. Monitoring of data processing, as well as quality assurance procedures, can help ensure processing integrity.
Data is considered confidential if its access and disclosure are limited to a specified set of individuals or organizations. Examples may include data meant only for company personnel, and also business plans, internal price lists, intellectual properties, and other types of sensitive financial information.
Encryption is a critical control for the protection of confidentiality in the course of transmission. Network and application firewalls, in combination with rigorous access controls, can be used to protect information being stored or processed on computer systems.
The privacy principle deals with the system’s collection, use, disclosure, retention, and disposal of personal information to conform with an organization’s privacy notice, and in line with criteria outlined in the AICPA’s generally accepted privacy principles (GAPP).
Personally identifiable information (PII) is the details that can uniquely distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, sexuality, race, and religion are also considered sensitive and usually require an additional level of protection. There must be controls in place to protect all PII from unauthorized access.
Why SOC 2 Compliance Matters
Majorly, SOC 2 compliance will let you have peace of mind that your processes and procedures correspond with what they say: protect your customers’ data. Apart from this, there are two additional benefits:
- SaaS providers with SOC 2 Type II certification are more trusted by clients than those who don’t have it because the certification shows a commitment to data security.
- Companies with plenty of data to handle—especially enterprise companies with numerous customers (up to thousands or millions of customers)—will more likely choose SOC 2-compliant SaaS providers to work with.
More SaaS companies are getting SOC 2-certified to gain users' trust and protect their data. A good example is an Intercom that announced that they are SOC 2 compliant. Intercom is developed as a platform to ease the way B2C messaging is exchanged.
One of their business goals is to develop innovative products, but they want to also make sure their customers can trust these products. In line with SOC 2 compliance, Intercom intends to conduct annual reviews to ensure their procedures are adequate to protect customer data and that they consistently meet the needs and expectations of customers.
SaaS providers depend on their customers to help them grow. Irrespective of how creative and cutting edge the products are; if customers are not confident in the fact that their data is safe, they won’t sign up. The commitment of companies to security, processing integrity, availability, confidentiality, and privacy will determine business success. In summary, SOC 2 compliance serves as a link between tech innovation and developing trusting relationships with customers.
Let’s closely examine additional reasons why SOC 2 compliance matters
- SOC 2 compliance reduces security risks over a period of time
There are two kinds of SOC 2 reports: Type I and Type II. Type I reports don’t take much time to make preparations for and obtain because they only focus on how well you’ve done at setting up standard procedures for your business. For instance, Type I reports will check to see if your procedures can take care of issues such as data breaches. Type I reports don’t check whether these procedures work, just examine to know you have a plan. Also, Type I audits only check for compliance at one point in time.
On the other hand, Type II audits do not only ensure that your procedures are in place, but that they work and are supported for some time (for example, six months).
The process of auditing to get this level of certification is more stricter and meticulous than Type I, but it comes with greater benefits.
According to a SaaS management platform known as Blissfully, Type II audits are “more valuable in the hands of customers, prospects, board members, partners, insurance companies, and so on.” To have third-party auditors come to terms with the fact that your data security measures meet a high standard is pretty significant. Companies are much more likely to be interested in investing and doing business with you.
- SOC 2 compliance gives you the opportunity to show your strengths
Although there are five trust-service principles, SaaS companies aren’t expected to use all of them to protect data. For instance, if a SaaS business is mainly focused on storing data, safeguarding systems from unauthorized access is their priority. Hence, their SOC 2 audit will focus on Security Principle.
Before your SOC 2-compliance audit commences, think of how the five criteria relate to your business practices. Then decide which areas you’ll concentrate on. Check out the following examples:
- If you provide CRM services, then all five principles might apply to you.
- If you provide sales and marketing services, then Confidentiality, Availability, and Security might apply to you.
- If you provide analytics software services, then Processing Integrity, Availability, and Security might apply to you.
Think of what your customers want from you, and the most relevant principles to you become clearer to you. For instance, find out whether customers are interested in access to features such as data recovery, end-to-end encryption or two-factor authentication for their end-users. The answers will tell you which principles to concentrate on.
For instance, when Auth0 went for their SOC 2 report, they considered what their customers wanted from them. They discovered that customers wanted to be assured of two things:
- They wanted to know the type of security Auth0 had to avoid data breaches
- They wanted to know if services would be always available.
So, Auth0 chose Security and Availability as the two principles they needed to be audited on to get their SOC Type II report.
By the way, Auth is an authentication and authorization platform.
- SOC 2 compliance Bolsters Company Culture
Implementing new security controls can be tough. People may complain about the extra time it takes to log in to services using multi-factor authentication. However, the minor annoyances are worth the outcome. When it comes to building a secure and compliant company culture, the smaller and younger you are as an organization when new processes are put in place, the easier it will be to scale. Companies that are as small as three employees have gone through SOC 2 audits. It is also helpful to automate these processes as much as possible, baking them deep into your company culture.
- SOC 2 compliance Provides Documentation
It’s never too early to get your documentation in order. Do you have policies and procedures? Do you have internal standards documentation? Having these processes well-documented will improve internal communication and consistency, which in turn enables you to meet legal and compliance challenges, close more sales, and prepare for financial changes like a merger or acquisition or a new round of VC funding.
- SOC 2 compliance helps with Risk Management
Finally, preparing for a SOC 2 audit will give you a framework for acknowledging and mitigating risks. Many organizations that have not undergone a formal compliance audit are either unaware of security risks or addressing them in an ad hoc way. Approaching compliance systematically instead will ensure that even risks that aren’t top of mind receive attention and can be mitigated in a timely manner.
The Value of SOC 2 as a Vendor
If you don’t have SOC 2 compliance as a vendor, you will probably have to fill out more than a few security questionnaires before you can work with any enterprise-scale customers. While that might sound easier than a SOC 2 audit on the surface, the questionnaires can be quite detailed and overwhelming, and they are often hard to fill out if you don’t already know the security lingo, have tooling in place, and know-how to document processes. In other words, if you haven’t already gone through the process of setting up and enforcing policies as you would for SOC 2, you may find yourself stuck when the questionnaires arrive.
In a nutshell, being SOC 2 compliant will both help you sell to the enterprise, and force you to follow a set of strong best practices when it comes to keeping your company’s and customers’ data safe. Security is (or at least should be) a major concern for all technology-focused companies today, as we’ve written about in our previous eBook: Blissfully’s Practical Guide to People-First SaaS Security. Achieving SOC 2 compliance is a good way to demonstrate that you do indeed have security at heart in all you do as an organization.
Continued in the second part