What Does a SOC 2 Report Cover?

Published January 11, 2021 • 3 min read

Information security is front of mind for most companies today, as data breaches are unfortunately an increasingly common occurrence. A SOC 2 attestation helps companies ensure their services are being provided securely. 

What is SOC 2?

SOC 2, or the System and Organization Controls for Service Organizations 2, is the framework that determines an organization’s ability to protect personal information and customer data. 

The American Institute of Certified Public Accountants (AICPA), which developed SOC 2, created the framework in response to the accelerated cybersecurity risks due to technological advances in data security and data processing.

How does a company gain SOC 2 attestation?

To attain a clean SOC 2 report, a company is required to have a Certified Public Accountant (CPA) attest that security measures are in place. 

There are two types of SOC 2 reports: Type I and Type II. A Type I SOC 2 report must show that internal controls are in place and designed effectively. A Type II report requires that a company show its controls are in place and have been operating effectively over a period of time.

Once a company’s senior management has decided that internal controls are in place to meet the required SOC 2 criteria, a CPA firm will then conduct a SOC audit to confirm or deny that the company has achieved full compliance.

What is included in a SOC 2 report?

Once an organization passes its audit, it receives a SOC report that outlines how the organization’s internal controls demonstrate its ability to provide its service securely.

Each SOC 2 report will be unique to an organization and will vary depending on which of the five Trust Services Principles are assessed through the audit. The five criteria are security, availability, confidentiality, processing integrity, and privacy.

Your organization’s functions will help determine which of the five criteria apply, and then internal controls will be assessed to ensure your organization’s policies and procedures help maintain the relevant trust criteria.

The SOC 2 report structure consists of an opinion letter from the auditor, management’s assertion of compliance, the description of the system being reviewed, and the description of tests of controls and the results of that testing.

Why seek SOC 2 compliance?

Cloud computing has revolutionized how many companies conduct business. While it’s led to groundbreaking advances in how service providers operate, it’s also led to security issues around customer and client data. SOC 2 compliance helps provide assurance to stakeholders that your organization is following regulatory standards for information security and processing. 

How does SOC 2 differ from ISO 27001?

While SOC 2 is a standard form of information security compliance, ISO 27001 is another framework that governs IT risk. ISO, developed by the International Organization for Standardization, contains numerous standards that govern risk assessment processes and security policies.

ISO 27001 is a more rigorous form of compliance, but by achieving ISO compliance, your organization shouldn’t have trouble gaining SOC 2 attestation as well. The ISO framework helps organizations establish an information security management system (ISMS), a process that can often take as long as three years to develop. 

Even though ISO 27001 is a more rigorous set of standards, it can still be useful for an organization to seek SOC 2 compliance because there are some significant differences.

What are other versions of SOC compliance?

While SOC 2 is primarily focused on controls around the five Trust Services Criteria as described above, SOC 1 and SOC 3 deal with different areas of an organization’s business procedures.

SOC 1 is concerned with internal controls dealing with financial reporting, while SOC 3 shares the same set of reporting standards as SOC 2. However, SOC 3 reports are publicly available to anyone, while SOC 2 reports are shared confidentially only with stakeholders and industry regulators.

Obtaining a SOC 2 report is time-consuming yet vital for any service organization that relies on cloud computing for its operations. By establishing strong internal controls and using a SOC 2 framework as a guide for developing safe business policies, your organization will be able to operate with confidence in an increasingly digital age.
