SOC 2 - The Compliance Standard For The Cloud Era
What is SOC 2?
SOC 2 is the de-facto security standard for technology companies and service providers.
Established by the American Institute of Certified Public Accountants (AICPA), SOC 2 is not based on a checklist but instead covers 5 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Although organizations can choose the criteria they want to be audited for, the Security Criteria, also called the Common Criteria, is mandatory.
Passing a SOC 2 audit is an important benchmark for any organization looking to grow and expand; today, it’s considered a major business enabler, primarily for US-based companies interested in increasing sales volume. Note that SOC 2 is an attestation, not a certification.
How long does it take to become SOC 2 compliant?
Achieving SOC 2 compliance can be a time-consuming and exhausting process.
But first, it’s important to understand that SOC 2 audits come in two types. Type 1 looks at how the organization is aligned with its security policies and procedures at a single point in time and takes about 1 - 3 months to prepare for. If you're wondering why Type 1 is needed, there are times when an organization may want to ensure their service provider is currently secure (for short-term contracts, for instance). Type 1 is the fast way to prove exactly that.
Type 2 looks at policies and procedures over a significant period of time. It usually takes between 3 - 6 months to collect the relevant control evidence for Type 2, so it is far more labor-intensive to prepare for, but it is a far better indicator of security posture than Type 1. Moreover, many organizations require potential partners to be audited for Type 2.
What is involved in the process?
The relevant parties will hold a kickoff meeting with the auditor. If this is their first SOC 2 audit, they’ll decide on the scope and the controls which will be included in the audit. If this isn’t their first time being audited for SOC 2, they will go through the previously chosen controls to decide whether they need to add additional ones. Then the auditor will get to know the organization’s control environment, i.e., reviewing the policies and procedures, agreeing on the criteria relevant for the organization, and accordingly setting expectations for the audit, including when the controls will be tested.
Part of setting expectations is to review all types of reports and lists (e.g., joiners and leavers) and ensure the basic controls operate properly. Once agreed upon, the auditor will start counting the time for the auditee to collect enough information about the controls, evidence, etc. Then the auditor performs the audit itself, which tests the controls in place.
As part of this phase, the auditor returns to the reports and lists (joiners and leavers, for instance), asks for updates, and tests them again. The auditor expects to see that the controls that worked in the past still work smoothly now. This proves the controls are well designed and properly implemented. The auditor then brings their findings to the organization, and together they agree on remediation where needed, and on whether there are any "deal breakers" (such as harmful security practices). Ideally, this phase is not needed, since a reasonable control environment has already been agreed upon. And finally, there is the report writing and presentation portion of the audit.
In order to pass an audit, evidence proving that the chosen controls are in place and are functioning optimally must be collected from different stakeholders across the organization. Organizations must prove they have the proper security controls in place and are using the proper tools.
The audit is performed by a Certified Public Accountant (CPA) who is a certified SOC 2 auditor.
What do Organizations Gain by Becoming SOC 2 Compliant?
There’s definitely a lot of work involved in SOC 2 reporting, but it’s well worth it; achieving SOC 2 compliance is a tangible demonstration of an organization’s commitment to securing the data it collects and stores. The majority of businesses today will not enter partnerships with companies that have not successfully gone through the SOC 2 audit process. Moreover, the entire ecosystem agrees SOC 2 is sufficient, and a report issued by a formal auditor certified by the AICPA should be enough to assure potential partners that the service provider is suitable.