A Complete SOC 2 Type 2 Guide & Certification Overview
With data security becoming increasingly important for enterprises and regulated industries, organizations often turn to auditing standards like SOC 2 to validate their security posture. Many software companies and SaaS businesses use SOC 2 to demonstrate their security standing to enterprise clients, and large enterprises often require vendors to share SOC 2 reports or similar security certifications.
If your organization works with large enterprises or handles data in regulated industries, becoming compliant now will help your team strengthen its security posture, validate its security processes, and streamline security assessments and procurement.
As organizations rely more heavily on electronic and online channels to gather, store, and share sensitive data, practicing SOC 2 compliance becomes more complex.
This guide walks you through the essentials of SOC 2: general SOC 2 compliance standards, planning, and the steps for achieving SOC 2 certification.
SOC 2 stands for System and Organization Controls 2 and is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 audit tests a service organization's internal security controls and produces a report of security assurances for the organization and for its clients, customers, and third parties.
Unlike laws and regulatory standards such as HIPAA, PCI DSS, or SOX, there is no legal requirement for organizations to comply with SOC 2. SOC 2 is a voluntary auditing standard that organizations adopt in order to validate and prove their security posture.
There are two types of SOC 2 audits and reports: Type 1 and Type 2.
SOC 2 Type 1: An audit and report on an organization's system and the design of its security controls related to the Trust Services Criteria (TSC).
SOC 2 Type 2: An audit and report on an organization's system and the design of its security controls related to the Trust Services Criteria (TSC), plus the operating effectiveness of those controls.
A SOC 2 Type 2 audit includes all the same information as a Type 1 audit, but also contains the auditor's assessment that the organization's controls have been tested for effectiveness over a period of time. An organization is typically evaluated over a period of 6 months or longer to confirm that internal controls are in place and operating.
While a SOC 2 Type 1 report does provide some initial security validation, the value of a Type 1 report diminishes as it ages, since internal controls are not evaluated over time. For this reason, many organizations work to achieve and maintain a current SOC 2 Type 2 report in order to prove that their internal controls remain in place.
Organizations operating in regulated industries such as healthcare and finance must meet stringent security standards or face large monetary penalties. Large enterprises must ensure that new vendors and software solutions have established security programs and do not pose a risk to the organization. In fact, 44% of enterprises have experienced a data breach caused by a vendor. With that in mind, security assessment and validation is becoming a bigger focus.
With that understanding, many vendors and organizations work to become SOC 2 compliant for the following reasons:
SOC 2 audits vet organizations against a series of Trust Services Criteria (TSC), previously known as Trust Services Principles (TSP). The TSC are currently outlined in the AICPA's 2017 Trust Services Criteria, TSP Section 100.
The criteria serve as the assessment basis for reporting on the controls that organizations must have implemented in their security programs. Organizations going through a SOC 2 audit may be evaluated on one or more of the criteria, depending on the scope of the assessment and audit.
The five Trust Services Criteria (TSC) are:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the entity's objectives. Availability refers to the accessibility of information used by the entity's systems, as well as the products or services provided to its customers.
Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. It addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation.
Confidentiality: Information designated as confidential is protected to meet the entity's objectives. Confidentiality addresses the entity's ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity's control, in accordance with management's objectives.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives. Although confidentiality applies to many types of sensitive information, privacy applies only to personal information.
Additionally, the 2017 TSC standards for SOC 2 reports integrate the 2013 COSO framework. COSO provides a generally accepted framework for internal controls within an organization. SOC 2 integrates the COSO framework, including its five components of internal control:
Organizations must prepare for a SOC 2 audit before they can achieve SOC 2 certification. Security teams must establish security controls, engage a reputable audit firm, and validate the effectiveness of security standards within the organization. Teams should outline a roadmap for building their security programs and for working with assessors to resolve security concerns.
It is essential that organizations are prepared for the formal audit. Organizations can expedite the audit by gathering and providing appropriate SOC 2 evidence, administrative policies, and technical security standards up front, which streamlines the assessment and makes it as painless as possible.
In order to obtain an objective assessment and report, organizations must engage a reputable third party for SOC 2 certification. Organizations work with these stakeholders to determine gaps in their security program.
Often an organization will first perform a SOC 2 scoping and readiness assessment. This exercise acts as a gap assessment and gives security teams a clearer picture of the security controls that require attention or remediation. Common findings include:
Lack of Formal Administrative Policies
Missing Technical Security or Logical Controls
Undefined Security Roles and Responsibilities
Issues with Third-Party Access and/or Confidentiality
Lack of Risk Management & Incident Response Plans
Next, organizations must determine which Trust Services Criteria (TSC) will be assessed. Organizations may be assessed on one or more categories of criteria.
The Security criteria are the "common criteria" that every organization must be assessed against in a SOC 2 audit. Beyond the Security criteria, organizations must determine the scope of TSC to be evaluated. Since certain control areas and criteria may not apply to the organization, it is up to the team to work with the assessor to determine the scope and the value of achieving certification across each set of criteria.
It is up to teams to work with an assessor to determine which criteria are most relevant to the organization and should be measured in an audit.
Descriptions of these criteria and standards are given in the Trust Services Criteria section above.
Once an organization has identified security gaps and the security standards that must improve, the team should develop a roadmap for implementing the required security controls.
Audits require precise work and preparation both within and outside the organization. Teams should create a timeline and delegate preparation tasks to the appropriate staff members. Staff should review any previous audits that have been conducted to help identify areas for improvement.
Teams should gather data and security evidence ahead of working with an auditor and be available during audit fieldwork. Teams should keep an open line of communication throughout the audit, be ready to ask and answer questions, and provide additional documentation during the evaluation.
After implementing all the SOC 2 security controls necessary to meet the selected Trust Services Criteria (TSC), the organization must schedule a SOC 2 audit. Teams will have to answer security questions and provide policies and evidence for their security controls.
Organizations should select an audit firm/assessor with the following qualities:
Experience: Organizations should turn to an audit firm that has experience in conducting SOC 2 audits and has performed numerous assessments on the latest SOC 2 criteria.
Project Fit: Teams should work with an auditor who has worked with similar types of organizations. Your team will receive the security insight most applicable to it by turning to a firm that has worked with companies of a similar size, in a similar industry, and so on.
Good Communication: In order to avoid setbacks or confusion, teams should work with auditors that respond to concerns and inquiries within a 24-hour period. A good communication loop allows teams to address issues and progress through the assessment more effectively.
At the end of an audit, if all processes are well documented and your team is determined to be compliant, you will receive a SOC 2 report, also known as a SOC 2 certification. This report is written by the SOC 2 assessor and outlines your organization's proficiency with the security principles. Teams that receive a SOC 2 report can then use it as a form of security attestation and validation of the company's security program.
To maintain certification, your team will have to undergo annual audits to ensure that security measures remain properly implemented within your organization. Organizations can utilize Dash security reports to keep an inventory of compliance controls and evidence for audits and certification.
SOC 2 requires that organizations conduct audits annually in order to maintain compliance and certification.
Many organizations now utilize cloud service providers such as Amazon Web Services (AWS) to host applications and solutions. These cloud platforms generally operate on a shared responsibility model for SOC 2 and most other compliance frameworks. This means that while the cloud provider handles many of the physical security controls, it is up to the cloud customer to address most administrative standards and technical security controls in order to achieve SOC 2 compliance in the cloud.
Organizations should plan to build a set of administrative policies and standard operating procedures (SOPs) in order to achieve SOC 2 compliance. Security teams should create policies that fit the structure and technology needs of the company. Administrative policies should address security aspects including:
Roles & Responsibilities
While cloud providers give cloud customers many options for security configuration, it is up to the organization's security team to set and enforce SOC 2 controls. For example, in order to build and maintain SOC 2 compliance in AWS, your organization must implement security controls including:
Backup and Disaster Recovery (DR)
Intrusion Detection Systems (IDS)
While there are many cloud services that can be used to implement these security standards, security teams must ensure that the corresponding policies and cloud security controls are actually in place.
When undergoing a SOC 2 Type 2 audit, organizations must prove the ongoing effectiveness of their security controls. Most SOC 2 reports cover a 12-month period, meaning that organizations must complete a SOC 2 audit every year in order to stay current with SOC 2 compliance.
Because assessments are ongoing, it is important that organizations set proper administrative policies and maintain their technical security controls going forward. Dash ComplyOps enables organizations to streamline the collection of security evidence, create security policies, and verify security controls with continuous compliance monitoring.
Preparing for a SOC 2 audit? Learn how your security team can streamline SOC 2 compliance with Dash and achieve certification quicker.