What is SOC 2?

Source: Vanta

SOC 2 is a compliance framework used to evaluate and validate an organization’s information security practices. It’s widely used in North America, particularly in the SaaS industry. To get a SOC 2, your organization’s security controls must be examined against a set of criteria to verify that you’ve implemented the right policies and protocols to protect your customers’ data. A SOC 2 helps build trust with your stakeholders by showing them what measures you have in place to keep their data safe.

What does SOC 2 stand for?

SOC 2 stands for System and Organization Controls 2. It was created by the American Institute of Certified Public Accountants (AICPA) as a way to help organizations verify their security and reduce the risk of a security breach. The name refers to which controls are being assessed, which, in the case of SOC 2, are an organization’s data security controls across its technical systems and day-to-day operations.

What is SOC 2 compliance?

When you get your SOC 2, it means you have implemented the appropriate security controls and have had those controls examined by a third-party auditor. Your auditor will assess your information security against five categories, known as the five Trust Services Criteria (TSC):

  • Security (CC): Your systems and data are protected against unauthorized access and disclosure.
  • Availability (A): Your information and systems are available for their intended use.
  • Confidentiality (C): Confidential information is kept confidential.
  • Processing integrity (PI): Data processing is complete, valid, accurate, and timely.
  • Privacy (P): Consumer data is protected, and consumers are informed about the collection, use, retention, and disposal of their data.

Your auditor will assess your information security against the five Trust Services Criteria (TSC).

Each TSC category includes a list of practices and standards. The security criteria, also known as the common criteria, are mandatory for all SOC 2 reports, while the other four categories only need to be included if they apply to your organization’s products and services. For example, you should add confidentiality to the scope of your report if that criterion is relevant to your business and your SOC 2 report.

Importance of SOC 2 compliance

SOC 2 is not legally required of any organization; however, your prospects may require it before they agree to do business with you. Your SOC 2 report helps your customers reduce the risk of bringing you on as a vendor and verifies what measures you have in place to protect their data. For this reason, many businesses and investors in North America will only do business with organizations that demonstrate their information security with a SOC 2 report.

There are several advantages to getting a SOC 2 that can impact your business:

  • Show that you have a strong data security posture.
  • Verify through an audit that you’ve lowered your chances of a data breach.
  • Unlock deals with high-value clients and business partners that require a SOC 2.
  • Demonstrate trustworthiness to your stakeholders.
  • Build a strong data security posture.

Who needs to comply with SOC 2?

SOC 2 compliance is not legally required for any organization. It’s completely voluntary for businesses to get, and there are no fines or penalties for not having a SOC 2. This standard is commonly used by SaaS companies, organizations that provide business intelligence or analytics, and managed IT providers.

What is a SOC 2 audit?

A SOC 2 audit is a third-party evaluation of an organization’s information security practices. It assesses how effectively you protect your organization’s and your customers’ data, focusing on controls such as security, availability, and confidentiality.

To get a SOC 2 report, you must hire an external auditor to review your policies and practices and confirm that they meet the SOC 2 criteria. Completing a SOC 2 audit verifies that your security policies are trustworthy and effective.

There are two types of SOC 2 audits: SOC 2 Type 1 and SOC 2 Type 2. During a SOC 2 Type 1 audit, your auditor reviews and documents the security controls you have in place at a single point in time. A SOC 2 Type 2 audit is done over a period of time, during which your auditor reviews and documents your controls and tests how effective they are.

Who can perform a SOC 2 audit?

A SOC 2 audit must be performed by a certified public accountant (CPA) at a firm accredited by the American Institute of CPAs (AICPA). The auditor must be a third party outside of your organization.

What is a SOC 2 report?

A SOC 2 report is a document that verifies your compliance with SOC 2 standards and is the end result of a SOC 2 audit. This report will provide insights into how effectively your organization protects data based on key criteria such as security, availability, and confidentiality. It provides an objective assessment of your security posture, detailing whether your organization meets the established SOC 2 criteria.

SOC 2 Type 1 vs. SOC 2 Type 2 reports

There are two types of SOC 2 reports: SOC 2 Type 1 and SOC 2 Type 2.

  • A SOC 2 Type 1 report details your security controls at a single point in time: the date of your audit. This type of report verifies that the necessary controls have been implemented but does not include information about how effective those controls are. A SOC 2 Type 1 is often faster and more cost-effective than a SOC 2 Type 2; however, larger firms tend to value a Type 1 less.

  • A SOC 2 Type 2 report assesses your security controls over a period of time and tests how effective they are. You choose the length of your audit window depending on how long your controls have been in operation; this window can be between three and twelve months. This type of report provides additional reassurance to stakeholders because it demonstrates how effective your controls are over time.

                                | SOC 2 Type 1                                           | SOC 2 Type 2
Audit window                    | At a single point in time                              | Over a period of time, typically 3, 6, 9, or 12 months
Tests effectiveness of controls | No: documents the controls in place on the audit date  | Yes: controls are tested over the audit window
Timeline                        | Often faster                                           | Often takes longer
Cost                            | Usually cheaper                                        | Tends to be more expensive
Report depth                    | Provides less insight into security posture            | Provides more insight into security posture

SOC 1 vs SOC 2 vs. SOC 3

There are three types of SOC audits: SOC 1, SOC 2, and SOC 3. A SOC 1 audit evaluates financial reporting controls, SOC 2 focuses on information security, and SOC 3 reviews the same security controls for public sharing. SOC 2 is intended for stakeholders such as customers and partners, whereas SOC 3, which contains less confidential information, is designed for public display, for example on your website.

Below is a table that compares the different types of SOC reports:

                   | SOC 1                                                              | SOC 2                                                                | SOC 3
What it is         | Audits your financial reporting practices                          | Audits your information security practices to protect your customers’ data | Audits the same controls as SOC 2 but for public viewing
Who gets one       | Organizations that could impact their customers’ financial reporting | Data service organizations                                          | Data service organizations
What it reports on | Your controls for keeping accurate financial records               | Your security posture and the controls in place to protect your data | The same controls as SOC 2 but in far less detail
Who requests it    | Customers                                                          | Customers                                                            | No one; used for marketing purposes

How long does it take to get a SOC 2?

The average SOC 2 process takes between six months and a year from the moment you start preparing your controls to when you have a completed SOC 2 report in hand. This is because you’ll need to identify which controls are missing, implement your security controls, test them, collect evidence, and then find an auditor. Once you’ve found an auditor and established your audit window, their assessment will take four to six weeks.

However, you can cut this time in half with compliance automation. 

With automation, you can streamline your SOC 2 audit. Here’s what an automated SOC 2 process can look like: 

  • Connect your infrastructure to the automation platform.
  • Assess your risk holistically from one unified view. 
  • Identify areas of non-compliance with in-platform notifications.
  • Get a checklist of actions to help you make the needed changes. 
  • Automate evidence collection and centralize all your documents in one place.
  • Find a vetted auditor within the platform. 
  • Streamline reviews by giving your auditor the information in your Trust Center. 
  • Complete your SOC 2 in half the time.