What does SOC mean and why does it matter? How did a CPA organization come to audit information systems for cybersecurity and privacy controls? Spoiler alert. The acronym SOC currently means System and Organization Controls, but that wasn't always the case. Read on to learn why. The history of SOC began in 1992when the American Institute of Certified Public Accountants (AICPA) published SAS 70 as a framework to audit and report on internal financial controls. Since then, in response to market demand, SOC reporting has evolved from purely financial controls toSOC 2 andSOC for Cybersecurity engagements. In 2021 hundreds of IT service providers issued press releases highlighting AICPA SOC 2 Type II engagements as part of industry best practices of a cyber-resiliency strategy. The AICPA expects demand for SOC engagements to grow as much as 49% in 2022.
SOC History and Future
The original standard for auditing service organizations was the SAS 70 (Statement of Auditing Standards No. 70). Certified Public Accountants (CPAs) performed SAS 70 audits to report on the effectiveness of internal financial controls.
From the mid-'90s to 2010, CPAs started to use the SOC framework to report the effectiveness of a company's internal controls around information security more broadly.
In 2010 the Statement on Standards for Attestation Engagements no. 16 (SSAE 16) superseded SAS 70. SSAE 16 brought the reporting structure closer to the Sarbanes Oxley Act requirements.
In conjunction with SSAE 16, the AICPA published the (then named) Service Organization Controls (SOC) suite of reports.
SOC 1 reports are dedicated to financial reporting and controls.
The AICPA introduced SOC 2 reports to address the growing need of companies to validate and communicate the strength of their cybersecurity practice through an objective third-party.
In 2014, the AICPA Assurance Standards Board published the Trust Services Criteria (TSC) for evaluating an organizations' ability to assure the Security, Availability, Processing Integrity, Privacy, and Confidentiality of information security management systems. The TSC addresses logical and physical access, system operations, change management, and risk mitigation controls.
According to a 2015 Intel Security Report, 90% of IT and security professionals reported having faced at least one severe attack on their secure systems.
SSAE 18 superseded SSAE 16. The AICPA published SSAE 18 in response to comments concerning previous standards' clarity, length, and complexity. SSAE 18 also addresses sub-service organizations and makes it easier to include third-party risk mitigation as part of their SOC 2 engagement.
In 2017 the AICPA changed the meaning of SOC from 'Service Organization Controls'to 'System and Organization Controls’.With the redefining of the acronym, AICAP enabled the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations, and (b) on either system-level or entity-level controls of such organizations."AICPA introduced a new risk management examination, SOC for Cybersecurity. In aSOC for Cybersecurity examination, management asserts the effectiveness of controls within the organizations' cybersecurity risk management program. The SOC for Cybersecurity examination may be performed for any organization, regardless of size or industry.
In its' 2020 survey, the AICPA reported that due to increased awareness of IT security concerns, there was a 49% increase in demand for SOC 2 engagements between 2018 and 2020. A significant growth factor involves third-party risk management efforts.
What have companies said about implementing SOC 2 compliance programs?
August 2021, "SOC 2 compliance is considered the leading benchmark for data security and we're proud to adhere to these standards," – CEO Everyware on SOC 2 Type II compliance.
"The SOC 2 assessment gave us the opportunity to have an outside party review the work we have already put in place," – Chief Legal Officer, Scalefast
September 2021, "SOC 2 Type 2 compliance ensures that our Solutions have a security framework that is focused on safeguarding our customers' data. This audit covered all operating divisions in the U.S., India, Canada, Australia, and the U.K., confirming our strong ISMS across global operations." - CIO/CSO - AQuity.
Jan. 4, 2022 "This is an important announcement for us because it underscores our unwavering commitment to the highest standard of security and operational performance." – CEO of TraceLink, on their SOC 2 Type II program.
Jan. 17, 2022 "Completion of our SOC 2 Type II audit means that we are following industry best practices and were audited by an outside firm to ensure we were upholding these practices correctly. Our own opinion of how we are doing is not enough in this industry." - Co-founder Quavo, Inc.
2022 and Beyond
According to a PWC survey, 61% of UK executives expect to see an increase in reportable ransomware incidents in 2022. 86% said that third-party cyber risk is of particular concern.
Securityweek editor Ryan Naraine predicted that in 2022 ransomware attacks will become less of a threat due to businesses prioritizing the basics of cybersecurity hygiene. (Properly tested backups, patching, multi-factor authentication, and secure cloud deployments)
According to the AICPA, demand for SOC for Cybersecurity engagements will increase in 2022.
Gartner predicts that by 2025 60% of organizations will use cybersecurity risk as a primary determining factor when choosing with whom they partner.
In 2022, SOC 2 Type II compliance continues to grow as a recognized standard for assuring an information security management system's security, availability, confidentiality, privacy, and processing integrity. The SOC practice continues to evolve in 2022 to meet the demands of the ever-evolving cyber-threat surface faced by IT service providers and other organizations.
Get Started on SOC 2 Compliance Now
The path often seems unclear and overwhelming when preparing for a SOC 2 audit. Some online organizations use meaningless overused buzzwords and tell you that if you pay to use their online portal, everything will be done for you automatically – yeah right.
A trusted cybersecurity firm like Truvantis can help you customize the SOC 2 program to fit your business. Truvantis provides full-service support for getting to your SOC 2 report. We will advise on the best approach and choices, work with you and your auditor to agree on the design of your program, and manage the implementation. We will then train your staff and guide you through the audit.
Let's get started.