The Ultimate Guide to SOC 2

Developed to give customers independent assurance about how their data is protected, SOC 2 compliance matters for any service organization that processes, stores, or transmits customer data.

Although a SOC 2 attestation is voluntary, not having one is increasingly a red flag to prospective customers, who are left with no independent evidence that their data is safe with you or with the vendors you rely on.

The good news is, the SOC 2 reporting framework is flexible. Using the framework requirements as a guide, your enterprise can write internal controls that fit your unique situation and needs. But how can you know if you’re doing SOC 2 right?

Relax. This guide walks you through SOC 2 step by step, from understanding the framework to planning, preparation, and the audit itself, so your organization has what it needs for a successful attestation.

If you’re already SOC 2 compliant, this guide can help you get the most out of the framework. Links throughout lead to our many posts and articles, our SOC 2 audit guide, and more to help you understand how SOC 2 may dovetail with your other compliance programs, smoothing the way to more certifications.

What is SOC 2? Definition and Background

System and Organization Controls (SOC) 2, formally "SOC for Service Organizations: Trust Services Criteria," is a framework for evaluating whether a service organization's controls are suitably designed (and, in a Type 2 report, operating effectively) to protect the security, availability, processing integrity, confidentiality, and privacy of the systems and data it handles for its customers.

SOC 2 applies to organizations that provide services involving the processing or storage of customer data on the customer's behalf.

The American Institute of Certified Public Accountants (AICPA) developed SOC 2 in response to growing concerns over data privacy and security.

The framework evolved from the 1992 Statement on Auditing Standards No. 70: Service Organizations (SAS 70), which guided the financial audits of third-party service providers such as insurance claims processors and hosted data centers.

Like SOC 2, SAS 70 produced two kinds of reports.

Type 1 (originally written Type I) reports on whether controls are suitably designed as of a point in time.

Type 2 (Type II) reports on both the design and the operating effectiveness of controls over a review period. For SOC 2 that period is commonly six to twelve months.

Over time, IT services became more central to business, and more organizations opted to outsource their technology functions to third-party service providers such as Software-as-a-Service (SaaS) vendors.

But SAS 70 was designed for financial-reporting audits, not for assessing data security and privacy controls. In 2010 the AICPA issued Statement on Standards for Attestation Engagements No. 16 (SSAE 16), effective in 2011, which replaced SAS 70 for service-organization reports on financial reporting controls (what is now SOC 1), and in 2011 it introduced SOC 2, built on the Trust Services Principles. SOC 2 examinations today are performed under SSAE 18 (the clarified attestation standards, AT-C section 205) against the AICPA Trust Services Criteria. The attestation standard governs how the CPA examines and reports; the emphasis on data security comes from the criteria themselves.

SOC 2 reports discuss five “Trust Services Categories” (formerly “Trust Services Principles”):

  • “The security, availability, and processing integrity of the systems the service organization uses to process users’ data,” and
  • “The confidentiality and privacy of the information processed by these systems.”

The 2017 Trust Services Criteria describe the categories as follows (paraphrased):

  1. Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives. The security criteria (the "common criteria," CC1 through CC9) are required in every SOC 2 report; the other four categories are optional and chosen according to the services you provide.
  2. Availability: Information and systems are available for operation and use to meet the entity's objectives.
  3. Confidentiality: Information designated as confidential is protected to meet the entity's objectives.
  4. Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
  5. Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

Who Needs a SOC 2 Report?

Put simply, if your enterprise is a service provider that handles customer data, you should have a SOC 2 report. If you outsource parts of your service (cloud hosting, for example), the subservice organizations you depend on should be able to show SOC 2 reports of their own: their controls either appear in your report (the inclusive method) or are carved out of it, in which case your report describes the controls you expect them to operate and your auditor and customers will want to see their report covering those controls.

Showing SOC 2 compliance helps demonstrate your organization’s commitment to protecting the privacy and security of your customers’ information—increasingly important in our connected digital age.

Industries needing SOC 2 include
  • Cloud computing
  • IT security management
  • Software-as-a-Service (SaaS) vendors
  • Financial processing
  • Accounting and auditing
  • Customer support
  • Sales support
  • Medical claims processing
  • Legal
  • Pharmaceutical
  • Insurance claims processing
  • Human resources
  • Data analysis
  • Document and records management
  • Workflow management
  • Customer relationship management (CRM)
  • Technology consulting
Often, organizations will designate a team to oversee and coordinate SOC 2 compliance efforts. Roles on that team commonly include:
  • Executive sponsor. This may be your:
    • Chief Technology Officer (CTO)
    • Chief Information Officer (CIO)
    • Chief Security Officer (CSO)
    • Chief Information Security Officer (CISO)
    • Chief Risk Officer (CRO)
  • SOC 2 project manager
  • Policy author (the person who writes and maintains the policies and control descriptions)
  • Legal
  • IT
  • Information security
  • Risk officer/risk manager
  • Compliance officer/compliance manager
  • Internal IT auditor
  • External consultant
Who owns the day-to-day SOC 2 program varies from enterprise to enterprise; it is often the compliance manager, risk manager, or CISO, with the executive sponsor accountable for the outcome.

6 Reasons Why You Need SOC 2 Compliance

A SOC 2 attestation isn't mandatory, which raises the question: Why bother?

Here are 6 reasons for SOC 2 compliance:

1. Customer Demand

Protecting customer data from breaches and theft is top-of-mind for your clients, so without a SOC 2 attestation you could lose business.

2. Cost effectiveness

Think audit costs are high? The 2018 IBM/Ponemon Cost of a Data Breach report put the average cost of a single data breach at $3.86 million, and the figure has trended upward since. An ounce of prevention is, in this case, worth many pounds of cure.

3. Competitive advantage

Having a SOC 2 report in hand will give you the edge over competitors who cannot show compliance, and enhances your organization’s reputation as trustworthy.

4. Peace of mind

A clean SOC 2 report provides independent assurance that your controls were suitably designed and, for a Type 2 report, operated effectively throughout the review period. That assurance is valuable not just to clients and customers but internally as well, because it tells management which controls actually work and which need attention.

5. Regulatory compliance

Because SOC 2's criteria overlap with the control requirements of other frameworks, including HIPAA and PCI DSS, much of the evidence you gather for a SOC 2 attestation can be reused, speeding your organization's overall compliance efforts.

6. Value

The benefits of a SOC 2 report go beyond the framework itself, providing valuable insights into your organization’s risk and security posture, vendor management, internal governance, regulatory oversight, and more.

When to Become SOC 2 Compliant

The short answer is: as soon as you can. Chances are your competitors already have SOC 2 reports.

Every service organization that handles customer or client data, from scrappy startups to multinational corporations, should be compliant with this increasingly important framework. But a SOC 2 attestation is no quick-and-easy deal. It requires teamwork, advance planning, coordination, internal audits, and more.

In the meantime, your risk of data breaches is higher than it needs to be. Opportunities for business might be passing you by.

Even if you already have a SOC 1 report, you'll still need SOC 2. SOC 1 covers controls relevant to your customers' internal control over financial reporting, whereas SOC 2 reports on controls for the five Trust Services Categories: security, availability, processing integrity, confidentiality, and privacy.

A SOC 2 report can take nine months or even a year to complete, especially if you’re using spreadsheets to track your progress.

ZenGRC can help you achieve SOC 2 compliance in far less time. Contact one of our experts today to find out how.

How To Be SOC 2 Compliant: 7 Steps to Take

Getting to SOC 2 compliance can be a long and arduous process, with a lot of moving parts, policies, and procedures to align. A methodical approach works best. We suggest:

1. Appoint your SOC 2 team members. The list above can help you decide who should be on this important team.

2. Set your goals. Do you want a Type 1 report, or Type 2? Do you want SOC 2 attestation for a single product or service, or your entire organization?

3. Determine your scope. Which of SOC 2's five Trust Services Categories apply to your organization? Security is always in scope; the others depend on the services you provide. Which of SOC 2's 61 Trust Services Criteria therefore apply? Also define the system boundary: which products, infrastructure, people, and third parties the report will describe.

4. Organize your materials. For each Trust Services Criterion in the scope you set in step 3, determine which controls address it, evaluate whether they are effective, resolve any gaps, and gather the documents you need as evidence. Organize the evidence by category and criterion so the auditor can trace each criterion to the controls and the proof behind them.

5. Self-audit. The point here is to do your work in advance. A SOC 2 auditor does not pass or fail you, but every control that did not operate as described becomes an exception in the report, and enough exceptions produce a qualified opinion that your customers will read. If you wait until the last moment to pull together documentation, establish an audit trail, and identify and fill gaps, that is the report you are likely to get.

6. Monitor yourself. A Type 2 report covers the whole review period, so a control that lapses for a month is a finding even if it is working on the day the auditor arrives. Continuous monitoring and alerting on your key controls (access reviews, change approvals, backups, vulnerability remediation deadlines) helps you catch and fix lapses before they become exceptions.

7. Get a SOC 2 audit. A SOC 2 examination can be performed only by a licensed CPA firm that is independent of your organization. Your auditor may engage experienced SOC 2 specialists to assist with technical testing, if necessary.


SOC 2 vs. SOC 1: What’s the Difference?

Don’t be fooled by the similar acronyms: SOC 1 and SOC 2 compliance are as different from each other as night and day.

In fact, they only have a few things in common:

  • Both are performed under SSAE 18, the attestation standards issued by the American Institute of Certified Public Accountants (AICPA).
  • Both concern service organizations.
  • Both can generate Type 1 and Type 2 reports.

A SOC 1 report discusses the service organization's controls that are relevant to its customers' internal control over financial reporting. Are the controls suitably designed? Do they operate effectively, so that the customer's auditors can rely on them when auditing the customer's financial statements?

A SOC 2 audit is not at all about financial reporting. A SOC 2 report discusses controls that affect the organization’s information security, availability, and processing integrity, as well as data confidentiality and privacy.

SOC 2 has much more in common with SOC 3. Both are examinations against the same Trust Services Criteria; the difference lies in the detail reported and the intended audience.

  • SOC 2 reports are restricted-use documents, typically shared under NDA with customers, prospects, and their auditors. They include the detailed system description, the controls tested, the auditor's test procedures, and the results, including any exceptions.
  • SOC 3 reports are general-use documents that can be posted publicly. They contain the auditor's opinion and a summary description but omit the detailed control listing and test results, so they are much shorter than SOC 2 reports.

Overview: SOC 2 Type 1 vs. Type 2 Reports

The difference between SOC 2 Type 1 and Type 2 reports lies in what the auditor opines on and the period each covers.

  • A SOC 2 Type 1 report, often an organization's first SOC 2 report, states whether your controls are suitably designed to meet the applicable criteria as of a specific date.
  • A SOC 2 Type 2 report states whether those controls were suitably designed and operated effectively throughout a defined review period, commonly six to twelve months.

The two types of reports are used differently by organizations:

  • SOC 2 Type 1 takes a "snapshot-in-time" approach, confirming that controls exist and are designed correctly and setting a baseline for future audits.
  • SOC 2 Type 2 asks how well those controls actually worked over the review period, which is why most customers ultimately want to see a Type 2 report.

So, the audit sequence many organizations follow is:

  • Type 1 for the first SOC 2 audit
  • Type 2 for subsequent SOC 2 audits, with review periods arranged back to back so there is no gap in coverage

Changes to SOC 2: What You Need to Know

Like cybersecurity risk, SOC 2 changes quite frequently: the AICPA issued updates in 2016 and 2017. This head-snapping pace can make maintaining your SOC 2 compliance a challenge, but we’re here to help.

The latest revisions, required for reports with review periods ending after Dec. 15, 2018, represent the most comprehensive SOC 2 updates since the framework's creation. They include:

  • Alignment of the Trust Services Criteria with the Committee of Sponsoring Organizations of the Treadway Commission's 2013 Internal Control framework (COSO 2013), the most widely used internal controls framework. The 17 COSO principles now form the backbone of the common criteria, and each criterion carries "points of focus" that describe what the auditor expects to see.
  • New criteria and points of focus on risk management, including assessing and managing risks arising from vendors and business partners (CC9.2) and using detection and monitoring procedures to identify configuration changes that introduce vulnerabilities (CC7.1).
  • A point of focus under the communication criteria on providing a separate communication channel, such as a whistleblower hotline, for reporting concerns about internal control.

The AICPA also permits "SOC 2+" reports, which let you have the auditor report on additional criteria from other frameworks in the same engagement, including HITRUST, HIPAA, ISO 27001, the Cloud Security Alliance (CSA) Cloud Controls Matrix, NIST SP 800-53, and COBIT.

Look for more changes in SOC 2 as the cybersecurity and risk landscape continues to shift.

What Happens During a SOC 2 Audit?

A SOC 2 assessment works much like any other audit. The independent Certified Public Accountant or accounting firm you choose can help you:

  • Determine your audit scope, a critical first step in which you determine:
    • Which of the 5 SOC principles, now called Trust Services Categories, apply to your organization
    • Which SOC report you need: Type 1 or Type 2. Many organizations choose Type 1, which considers control design at a point in time, for their first SOC 2 audit, and Type 2, which examines operating effectiveness over a review period, for subsequent audits.
  • For each applicable Trust Services Category, the auditor will examine your controls, a process that includes evidence collection, to evaluate whether they are working as they should. Documents the auditor may examine include:
    • Organizational charts
    • Asset inventories
    • Onboarding and off-boarding processes
    • Change management processes

If the auditor finds problems or gaps, no worries: You’ll have an opportunity for remediation. Findings can drive up audit costs, however, so thorough preparation using a SOC 2 audit checklist is your best bet for efficiency and ease.

How to Prepare For a SOC 2 Audit

The key to SOC 2 readiness is preparation. Before the auditor walks in your door, you should have checked off all the boxes on your SOC 2 compliance checklist and have your supporting evidence on hand. Here’s how to prepare:

  • Establish your goals. What is the scope of your audit? Begin by establishing which of the SOC 2 Trust Services Categories, and which of their 61 criteria, apply to your organization. Security is always in scope; the remaining four depend on the commitments you make to customers. The categories are:
    • Security
    • Availability
    • Processing integrity
    • Confidentiality
    • Privacy
  • Organize your materials—the documents and correspondence proving the effectiveness of your controls—in line with the Trust Services Categories and Principles you’ve deemed applicable.
  • Conduct a self-audit. This step can save untold grief and cost down the road. If you can show the professional conducting your SOC 2 audit that you have remediated compliance issues or are in the process of doing so, your organization will be well on its way to achieving that coveted SOC 2 attestation.
  • Get help if you need it. Let's face it: If a SOC 2 attestation were easy, everyone would have one already. SOC 2 is a complex framework that changes periodically and can be confusing, especially for organizations trying to manage compliance with Excel or other spreadsheets.

SOC 2 vs ISO 27001: Key Differences Between the Standards

ISO 27001 is another information security standard, and it is more prescriptive than SOC 2: it requires a documented information security management system and a defined set of controls, whereas SOC 2 lets you design your own controls to meet the criteria. If your organization is already ISO 27001 certified, should you even bother with SOC 2?

The short answer is, “yes.” While the two standards have similarities, the differences between ISO 27001 and SOC 2 are significant enough that many enterprises will want to show compliance with both.

Developed by the International Organization for Standardization, ISO 27001 guides enterprises in establishing an information security management system (ISMS). Certification is issued by an accredited certification body after a two-stage audit and runs on a three-year cycle: annual surveillance audits in the intervening years and a full recertification audit at the end of the cycle.

Governed by the AICPA, SOC 2 audits measure the effectiveness of existing security programs, and results not in certification but in a CPA’s “attestation” report.

Which to pursue—and whether to strive for compliance with both—depends on a number of factors. It’s safe to say, however, that if you are ISO 27001 certified, you probably are already in compliance with much of SOC 2.

Tips & Tools to Manage Your SOC 2 Compliance

If you’re using Excel or other spreadsheets to track and manage your organization’s SOC 2 compliance, you’re working too hard. Juggling paperwork is time-consuming and confusing, and drives up SOC 2 certification/attestation costs.

In today’s high-tech world, there’s an application or tool for pretty much everything. Productivity/organization, workflows, human resources onboarding, identity access management, risk management, and other tasks governed by SOC 2 controls can now be done efficiently and effectively using a variety of software types.

To keep track of it all, a digital governance, risk, and compliance (GRC) tool that integrates with these applications and programs can help you quickly move through your SOC 2 compliance checklist and even generate sample reports in advance of the audit.

Then, no matter what your SOC 2 audit frequency, you’ll be prepared, and can move quickly—and successfully—through the SOC 2 process, from setting the scope of your audit to getting that coveted, glowing attestation report.

How to Choose SOC 2 Compliance Software

Choosing the right SOC 2 compliance software for your service organization can be a difficult task. How can you know which will work best with your compliance management program?

The fact is, not all compliance platforms are created equal. For best results, choose a SOC 2 compliance tool with:

  • Quick, easy deployment
  • User-friendly design
  • Easy internal audit capabilities
  • Vendor management tools
  • Continuous controls monitoring
  • Integration with your software and services stack
  • At-a-glance compliance dashboards that include your other frameworks

ZenGRC has these features and more to move you into worry-free SOC 2 compliance and yearly renewals of your AICPA attestation, so your clients can breathe easily too, knowing their customer data is as safe and secure as can be.