System and Organizational Controls 2 (SOC 2) is sometimes known as Service Organization Controls. Maintained by the American Institute of Certified Public Accountants (AICPA), SOC 2 is a standard for auditing and reporting on the efficacy of internal controls to protect the confidentiality, integrity, and availability of an information system. It is a business tool for companies providing information systems as a service to assure their customers that their systems are compliant and secure.
SOC 2 auditing and reporting is an important business consideration for cloud and enterprise service providers who store or process third-party data. A SOC 2 report gives a service provider's customers the information they need for their cyber-governance and risk management processes. Often, demonstrating security and privacy compliance is a sales requirement. SOC 2 applies to nearly every SaaS company, and having a SOC 2 report in hand can help streamline the sales process and build trust with your clientele.
Why Achieving SOC 2 Compliance is a Big Deal
SOC 2 compliance involves a rigorous auditing process of an organization's controls based on the principles of security, privacy, availability, and processing integrity. As a nationally recognized standard, SOC 2 compliance assures partners and customers that your service can satisfy their security and privacy requirements.
In competitive environments, achieving SOC 2 compliance improves the market position of service providers' products and reputations. Recently healthcare service providers Mozzaz and Vivante issued press releases announcing SOC 2 audit and reporting compliance. Mozzaz says, "SOC2 provides our customers with the added assurance that our Trust services are fully compliant and secure." Vivante claims, "The SOC2 certification process is one of many tools that we've used to ensure we are staying aligned with security best practices and ultimately delivering the highest quality service to our clients and members."
Achieving SOC 2 compliance is a competitive advantage. Many times, it is critical to make a sale. SOC 2 reports are often used throughout technology, healthcare, and financial sectors to screen providers early in the customer's evaluation process. Non-compliant service companies miss out on business opportunities regardless of their technology's otherwise extraordinary capabilities. Subscription customers can rely on the SOC 2 Type 2 reports for vendor management requirements.
Does a Startup need the Same Process as a Large Established SaaS Provider?
One of the advantages of the SOC 2 standard is that it is fully customizable to your business's size, scope, requirements, and objectives. A cybersecurity service provider like Truvantis will scale a SOC 2 audit and reporting program to your needs.
Type 1 vs. Type 2
The difference between a SOC 2 Type 1 and a Type 2 report is that Type 1 looks at the information system at a single point in time. In contrast, Type 2 monitors the system over a specified period, typically six to twelve months.
The benefit of a Type 1 report is that it can be done quickly. For example, a Type 1 could be perfect for a SaaS startup landing its first set of Fortune 500 customers. The SOC 2 Type 1 report satisfies customer cybersecurity and privacy requirements and gives your product a competitive advantage. As a business executive, the SOC 2 report brings peace of mind that your team has cybersecurity and privacy covered. You have made the first big step toward Type 2 compliance, which you can now complete in the next six to twelve months.
SOC 2 Type 2 reports examine the real-time operation of your controls, adding monitoring of the information management system, ability to detect and respond to anomalies, audit trails, and the ability to gather, evaluate and respond to forensic evidence. Ongoing SOC 2 reporting gives you a business advantage in assuring your partners and customers and building a trusted reputation.
The Five Sections of a SOC 2 Report
Section One: Independent Service Auditors Report - Auditor (CPA)
The independent auditor's report is the summary opinion of the CPA performing the audit. This section describes the scope of the auditor's examination, the auditor's responsibilities, a description of the system under review, the relevant Trust Services Criteria, and the auditor's overall opinion as to the effectiveness of the controls given the business objectives. If the report is a Type 2 audit, the auditor will also describe the period, testing methodology, and summary results.
Section Two: Management's Assertion - Organization
This section contains the facts and assertions made by management regarding the suitability of the information management system controls. The management's assertion section summarizes the system under audit, the Trust Services Criteria (TSCs) applied, subservice organizations, complementary subservice organization controls (CSOCs) and complementary user entity controls (CUECs), and the examination period. Management asserts that, to the best of its knowledge, the controls in place are suitable to meet the business's service commitments and system requirements.
Section Three: Description of the System Under Audit - Organization
The system description section provides details of the system, including scope, boundaries, controls, and related contractual and statutory commitments. In addition, it includes the services the organization provides and its primary obligations and requirements.
This section may also contain management's philosophy on relevant aspects of the control environment, including security policies and management, personnel and physical security, change management, monitoring, disaster recovery, and risk assessment.
Infrastructure
This subsection describes the hardware platform infrastructure. For example, it could cover the number and types of servers running and their physical location, network components, and employee access points such as VPN gateways.
Software
This subsection talks about the chain of software used by the information management system, from the OS to off-the-shelf and proprietary software and user interfaces such as web apps, APIs, and communication stacks.
People
This subsection describes all the organization's employees, their job functions, and how they interact with the information management system. The people section also describes system monitoring and metrics, documentation, and training programs.
Procedures
This subsection describes critical procedures related to managing the information system. The procedures section can include detailed methods for data classification, system monitoring, maintenance, and incident response.
Data
The data section covers customer data, transaction data, reports, system files, and error logs.
Incidents
This subsection details any cyber-attacks or other system incidents suffered during the examination period. In addition, it includes details of the incident(s), the organization's response, and mitigating control changes put into operation.
Section Four: Auditor's Tests of Controls (Type 2 only) – Auditor (CPA)
In the introduction of this section, the auditor details the TSCs relevant to the report and defines their meaning concerning the information system at hand. The body of this document section is typically a four-column table summarizing:
- The control criteria objective
- The relevant organization control in place
- The auditor's test of the control
- The result of the test
Auditor's Test of Controls Example Entry:
| Trust Services Criteria for the Security Category | Description of Service Organization Controls | Auditor's Test of Controls | Result of Tests |
| --- | --- | --- | --- |
| CC6.5 The entity discontinues the protection of physical storage devices only after destroying the ability to retrieve data from those devices. | Formal device disposal procedures are in place. | Inspected device disposal procedures to determine they were in place. | No exceptions noted. |
| | Before removal from the facility, all storage devices are degaussed and sanitized. | Examined a sample of destroyed media to determine that sanitization measures are applied. | No exceptions noted. |
'No exceptions noted' is the best grade you can get on a SOC 2 report. One or more exceptions do not necessarily degrade the overall opinion of the report. Instead, the auditor will root-cause the exception and consider whether the system continued to meet its service commitments and requirements.
Section Five: Unaudited Information
Section five is open for any additional relevant information management adds to the report. Its typical use is for management's response to exceptions.
SOC 2 compliance is a nationally recognized standard for assuring the confidentiality, availability, and processing integrity of an information management system. SaaS and enterprise service providers use SOC 2 reports to satisfy customers' and partners' cyber-governance requirements. For executives, SOC 2 compliance can help streamline sales, build trust in the marketplace, and maintain business continuity. A Type 1 report can be done quickly and is a stepping stone toward your SOC 2 Type 2 report.
Get Started on SOC 2 Compliance Now
When preparing for a SOC 2 audit, the path often seems unclear and overwhelming. Some online organizations use meaningless overused buzzwords and tell you that if you pay to use their online portal, everything will be done for you automatically. A trusted cybersecurity firm like Truvantis can help take the mystery out of the SOC 2 process. Download this SOC 2 Project Plan for more details.
Truvantis provides full-service support for getting to your SOC 2 report. We will advise on the best approach and choices, work with you and your auditor to agree on the design of your program, and manage the implementation. We will then train your staff and guide you through the audit.
Let's get started. Contact Truvantis today.