Nov 1, 2022
Your 2-Minute Guide to SOC 2
What is SOC 2?
SOC 2 (System and Organization Controls 2) is an information security attestation framework that lays out how a service organization that stores or processes customer data, typically in the cloud, should protect that data from unauthorized access, security incidents, and other risks.
The SOC 2 framework is a list of criteria, the AICPA's Trust Services Criteria, that essentially describes the controls a well-run security program is expected to have. Companies whose controls meet the criteria are SOC 2 compliant. Companies demonstrate this to others by going through a SOC 2 audit, which produces a SOC 2 report; the report is what people commonly, if loosely, call a "SOC 2 certification", and that is how the term is used in this guide.
Why does SOC 2 matter?
Our global transition to cloud-based services means that customer data now sits with third parties, so a vendor's security failure becomes its customers' data breach. Every day, we read about data breaches and hacks exposing huge amounts of customer data – your data. SOC 2 is a framework that, if followed, helps companies build the controls that prevent and contain these incidents. A SOC 2 report does not guarantee that a company is secure, but it shows that an independent auditor tested the company's controls against the SOC 2 criteria, which is how companies prove their data protection practices to customers and build trust.
Who needs to be SOC 2 compliant?
Any company that stores or processes customer data on the cloud has a reason to become SOC 2 compliant. To be clear, SOC 2 is a voluntary compliance standard. It is not a government mandate for companies (like GDPR is a government mandate) – at least, not yet. Younger companies' decision to get SOC 2 certified is often initially driven by their customers. Many customers simply won't onboard a vendor that will hold their data without a SOC 2 report, and their security questionnaires will ask for one. So, companies may initially pursue SOC 2 certification to close a sales deal. From there, they maintain their SOC 2 compliance (via annual audits) – both to retain customers, and because they see the value in having their security practices tested by an outside party every year.
What does SOC 2 compliance entail?
The SOC 2 framework is broken down into the following categories:
- Security (also called the Common Criteria, and required in every SOC 2 report: protection of systems and information against unauthorized access, disclosure, and damage, covering a wide range of criteria from logical access controls, vulnerability monitoring, and change management to incident response procedures and employee disciplinary procedures for policy violations)
- Availability (systems are available for operation and use as committed to customers, covering uptime, capacity planning, backup, and disaster recovery)
- Confidentiality (information designated as confidential is protected across its lifecycle, from creation/collection to disposal)
- Processing Integrity (system processing is complete, valid, accurate, timely, and authorized, so that both the inputs processed and the outputs generated by the company can be relied on)
- Privacy (personal information is collected, used, retained, disclosed, and disposed of in line with the company's privacy notice and the SOC 2 privacy criteria; this is related to, but distinct from, Confidentiality, which covers any confidential data, not only personal information)
In order to get a SOC 2 certification, a company must be assessed against all criteria in the Security category at a minimum. The other four categories are optional and are added to the scope of the audit only when the company chooses them, usually because its customers ask for them. You can see a much more detailed breakdown of what SOC 2 compliance entails in our post "SOC 2 Deep Dive".
What is SOC 2 certification?
SOC 2 certification is proof that a company is SOC 2 compliant. Certification comes in the form of a SOC 2 report, issued by an independent auditor (a CPA firm) after they audit or test your compliance with SOC 2 criteria; companies typically repeat the audit annually so they always have a current report. The report will confirm areas of compliance and will also note exceptions (instances where a control was not designed or operating as described). There are 2 types of SOC 2 report: Type 1 and Type 2. You can read more in our post, "The End-to-End SOC 2 Certification Process". In short, a Type 1 report is a point-in-time snapshot and is often a stepping stone on the way to SOC 2 Type 2. Type 1 confirms that, as of a given date, a company has policies and controls in place that are suitably designed to meet the SOC 2 criteria. A SOC 2 Type 2 report means that the auditor tested those controls over a review period (commonly 3 to 12 months) and confirmed that the company is actually operating them as described. Companies usually go for Type 1 only on their first SOC 2 certification, if at all. After that, they achieve and maintain SOC 2 Type 2.
Who usually owns SOC 2 compliance in an organization?
True SOC 2 compliance requires the participation of everyone inside an organization, because it takes everyone’s commitment and practice to ensure that data is protected and secure. The responsibility of achieving SOC 2 certification is often owned by an organization’s Information Security or Compliance team (e.g., a Compliance Manager or Director of Information Security or even Chief Information Security Officer may own the SOC 2 program). The program owner will need support from leaders of the Technology, Operations, HR, Legal, and other teams in order to meet SOC 2 criteria. For smaller organizations, overall responsibility often falls to the CTO or COO.
Who created SOC 2?
SOC 2 was created by the AICPA, the American Institute of Certified Public Accountants.
How do I check if a company I am working with is SOC 2 compliant?
Always ask your vendors and partners (especially any sub-processors) for their SOC 2 report before you decide to work with them; expect to sign an NDA, as reports are not public. This helps you validate their SOC 2 compliance, and it also gives you a look into their compliance practices in more depth. Check four things in the report: which type it is (Type 1 or Type 2) and the dates it covers, because a Type 2 report only speaks to its review period and an old report should come with a bridge letter covering the gap; which Trust Services Categories were in scope (Security alone, or also Availability, Confidentiality, and so on); whether the system described in the report is actually the product or service you will be using; and the auditor's noted exceptions. The exceptions tell you where the company may be non-compliant or where the auditors observed discrepancies, even if they achieved SOC 2 certification, and a good report will include management's response to each one. If a company is not SOC 2 compliant, they may be ISO 27001 certified instead; ISO 27001 is a related but different standard, so ask for the certificate and its scope rather than treating it as equivalent to a SOC 2 report.
What are my first steps to achieving SOC 2 compliance?
- Get more comfortable with SOC 2 – the framework and the process (helpful reading: “SOC 2 Deep Dive”, “The End-to-End SOC 2 Certification Process”)
- Do a gap assessment of your current practices vs. SOC 2 criteria
- Create and implement controls to bridge the gap between your current practices and 100% compliance with SOC 2
- Bring in an auditor to get official certification
Complyance can help with each of these steps. Complyance will help you:
- Fully understand SOC 2 via our customer resources and free expert sessions
- Run your gap assessment and assign your organization a SOC 2 compliance score
- Select controls to bridge the gap between your current score and 100% compliance
- Connect with an auditor to get official certification
For more information on how we can help you, please Request a Complyance Consultation or email hello@complyance.com.