SOC 2: Working towards compliance (1/2)
SOC 2, short for “Service Organisation Controls 2”, is a voluntary standard developed by the American Institute of Certified Public Accountants (AICPA). It focuses on evaluating the controls and processes that organisations implement to ensure the security, availability, processing integrity, confidentiality, and privacy of customer data.
Why work towards compliance?
SOC 2 reports are often requested by potential customers, for example during vendor selection, to evaluate the security posture of a service provider. With a SOC 2 report, an organisation can give its customers and stakeholders proof of effectively implemented controls and of the use of best practices to protect their data, which helps build trust and strengthens the organisation's competitiveness in today's demanding market.
The five principles of SOC 2
SOC 2 is based on five “trust service principles” (also referred to as “trust service criteria”): Privacy, Security, Availability, Processing Integrity and Confidentiality. The principles cover important factors such as access control, encryption and performance monitoring. All relevant information is collected in reports that help you, your customers, stakeholders, regulators and others understand how data is managed and protected.
Types of SOC 2
There are two types of SOC 2 report: Type 1 (also written “Type I”) and Type 2 (also written “Type II”). The main difference between them lies in the scope and timeframe of the assessment.
A Type 1 report assesses the design and implementation of the controls at a specific point in time, while a Type 2 report assesses how effectively those controls operate over time, observing operations for usually a minimum of six months. A Type 2 report therefore provides a stronger level of assurance, as it verifies that the controls are not just in place but are also operating effectively. The SOC 2 Type 1 report is thus more of a one-time assessment, whereas the SOC 2 Type 2 report takes more time and effort.
SOC 2 Certification
To receive SOC 2 certification, the organisation must pass an audit. To prepare, it is important first to understand which trust service criteria are relevant to your organisation's operations. Then define a scope, identifying the systems, processes and services that will be included in the SOC 2 assessment, and establish suitable controls for those processes. These controls should address the security and privacy requirements specific to your organisation's operations and the data you handle.
The next crucial step on the way to certification is a readiness assessment. This is conducted internally and serves to identify gaps or weaknesses in your control environment, so that improvement opportunities can be found and addressed before the actual audit. Once this step is done, a service auditor, an independent certified public accountant (CPA), can be engaged to conduct the actual SOC 2 assessment for your organisation.
SOC 2 Type 1 Audit
The service auditor evaluates the design and implementation of your controls as of a specific date. They review documentation, conduct interviews and check evidence to assess whether your controls are suitably designed and implemented.
SOC 2 Type 2 Audit
The service auditor performs a more detailed assessment over a period of usually at least six months. They evaluate the operating effectiveness of your controls by reviewing documentation, conducting interviews, performing tests and gathering evidence. SOC 2 certification remains an ongoing process of continuous improvement, just like other frameworks such as ISO 27001, which you can also work on in parallel in Cyberday.
After the audit
Once the audit is complete, the auditor provides the organisation with the SOC 2 report. It describes the controls, their design and implementation, and their effectiveness, and can be used as proof of compliance. The organisation is expected to maintain and improve the controls continuously over time.
Working towards SOC 2 compliance
Becoming compliant with SOC 2 can be a time-consuming and complex process, so a good tool is almost essential on the way to SOC 2 certification. A clear process and guidance on implementation will save you a lot of effort. Cyberday is an agile tool that lets you work towards compliance with several frameworks at the same time, and SOC 2 is one of them. Cyberday breaks the SOC 2 framework down into tasks that help you fulfil the requirements more efficiently. These tasks represent sections of SOC 2, and by completing the tasks for each requirement you can achieve compliance with the SOC 2 criteria. Check our second article on how to get SOC 2 compliant with Cyberday here!
Questions and feedback
Do you have any further questions, need another help article or would like to give feedback? Please contact our team via email@example.com or the chat box in the lower right corner.