SOC 2 is an audit report that attests that your company has effective controls in place. The audit is carried out by a licensed Certified Public Accountant (CPA) or accountancy firm. When you first undergo the audit, your SOC 2 compliance will be Type I: you demonstrate that controls are in place and are designed effectively. SOC 2 Type II compliance comes when your company can show that it maintains these controls over a period of time (usually 6-12 months) and the CPA gives their opinion on whether that is true.
What makes SOC 2 different from some other standards and frameworks, in and out of infosec, is that there is no comprehensive checklist of requirements for compliance. To be approved as SOC 2 compliant, you need to satisfy general criteria that show you have controls in place to counter the risks relevant to the service you provide.
SOC 1 compliance focuses on financial reporting and how you demonstrate internal controls for handling customer financial data. SOC 2, on the other hand, is about operations and compliance with special regard to data security. SOC 3 is similar to SOC 2 in that it is about how you keep data secure, but it is an outward-facing, general-use report that you use to demonstrate your level of compliance to customers, either by displaying it publicly on your site or by sending it to partners on request.
A SOC 2 report prepared by a CPA firm focuses on your company’s position with respect to five Trust Services Criteria (the so-called TSC):
Let’s take a look at each in more detail as per the guidelines set in the AICPA’s TSC handbook.
Security controls are aimed at detecting and preventing data breaches. As such, you will need to protect your information and systems from unauthorized access and disclosure of data, including having safeguards in place that prevent situations in which the availability, integrity, confidentiality or privacy of data could be negatively impacted.
According to the AICPA’s TSC handbook, security refers to the protection of:
The first step is to classify the data and define the measures needed to keep it secure. You will probably seek certification not for your infrastructure in its entirety, but only for the specific part that is responsible for providing the service. This part is called a contour (the audited boundary). For example, PCI DSS audits check separate contours.
In any case, you will need to assess risks for the scope of your SOC audit (which systems, components, applications, etc.) and for the data which you store or process in the contour you plan to audit. The outcome will be a matrix of assets, the risks that apply to them, and the measures that are or should be applied, indicating levels of:
You should also have general security processes in place, such as:
Confidentiality is key to all private companies and to being SOC 2 compliant. You will need to make sure information designated as confidential is protected to meet your objectives. The confidentiality requirements that you should have in place will correspond to the jurisdictions within which you operate and the contracts which you conclude with customers and others. While confidentiality and the principles behind it are similar to privacy, they differ in that confidential data can include data other than that pertaining to individuals (e.g. trade secrets).
For confidentiality, you will need the following processes in place:
In this section, you can also include data storage processes, specifically the storage format which ensures confidentiality, including with respect to your own employees (for example, data encrypted at rest).
Here you need to make sure there is integrity in the services you provide. This means that system processing should be complete, valid, accurate, timely, and authorized to meet your goals. In short, processing integrity is about whether the systems you put in place achieve their aim in the first place, executing their functions as intended and without errors, delays, or opportunities for tampering.
In practice, this will involve:
Data integrity is ensured by preventing unauthorized changes to or deletion of data during transfer, storage, or processing, just as unauthorized people must be prevented from accessing data at its storage location. You also shouldn’t forget about end-user devices which could be used to access your contours and, therefore, the data and the servers where the data is housed.
If you are using cloud providers like Amazon, you can request an AOC and SOC report to demonstrate their controls regarding physical security and server security.
Obviously, your databases and systems need to be available to meet your business objectives, both internally within the company and externally (client-facing). There is no minimum service level, range of functionality, or usability requirement for this criterion, but it does specify that your systems should include controls which support “accessibility for operation, monitoring, and maintenance.”
The main controls and processes here are:
The auditors are usually interested in the outcomes of standard processes and settings. This includes the outcomes and timetable of data backups, the outcomes of test restores from backup, etc.
The privacy criterion of SOC 2 compliance is about how you collect, store and process personal data. It involves 8 aspects:
If you are a consumer data-focused company, e.g. a B2C business, your documented consumer data practices should cover your data assets throughout the whole lifecycle: (1) collection; (2) use; (3) transfer; and (4) disposal. Such practices should be disclosed in a privacy notice. Finally, you should designate a point of contact for consumers to exercise their rights.
As mentioned earlier, SOC audits can be carried out only by licensed organizations or individuals (AICPA-affiliated firms), so this should be the first thing to consider when looking to be assessed.
Secondly, you should look at the audit company’s experience and work with other clients to see if they have carried out SOC 2 assessments. In particular, you should pay attention to the type of clients they have assessed and look to work with an auditor that has evaluated companies in similar industries and of a similar size.
Lastly, if you are looking to attain SOC 2 type II, you should check with the auditor about the time frames in which they can perform the assessment so that it fits with your own deadlines.
During the audit, you will have to provide different types of documentation as evidence of the security controls you have in place, depending on the criteria that will be evaluated. There are generally three stages:
The auditor will provide you with a security questionnaire to complete that asks questions about your security practices. The questions will focus on your security architecture and the policies and controls you have in place.
Once you have completed the questionnaire, you will be asked to provide evidence for the controls you have stated are in place and to prove that they are effective. For example, a new employee requests access to a contour or system which processes personal data. In this case:
The auditors often ask for all of the access requests for the past 6-12 months, select several of them and ask you to show the confirmation and how the request was processed.
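The check behind that sampling, as an added example that is not part of the original article: a small script that models access-request records, selects the ones inside the review window, and flags the gaps an auditor would note (no approver recorded, self-approval, access provisioned before it was approved). The record fields, names, tickets and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class AccessRequest:
    ticket: str
    requester: str
    system: str                   # the contour or system access was requested for
    approver: str                 # who confirmed the request ("" if nobody did)
    requested: date
    approved: Optional[date]      # None if no approval was recorded
    provisioned: Optional[date]   # None if access was never granted

def check_request(req: AccessRequest) -> List[str]:
    """Return the control gaps an auditor would flag for one request."""
    gaps = []
    if not req.approver:
        gaps.append("no approver recorded")
    elif req.approver == req.requester:
        gaps.append("self-approved")
    if req.approved is None:
        gaps.append("no approval date")
    if req.provisioned is not None and (req.approved is None or req.provisioned < req.approved):
        gaps.append("access granted before approval")
    return gaps

def audit_window(reqs: List[AccessRequest], end: date, months: int = 12) -> List[AccessRequest]:
    """Keep only requests raised in the review period (the auditor's sampling population)."""
    start = end - timedelta(days=30 * months)
    return [r for r in reqs if start <= r.requested <= end]

def review(reqs: List[AccessRequest], end: date, months: int = 12) -> Dict[str, List[str]]:
    """Map each in-window ticket to its list of gaps (empty list means the evidence is clean)."""
    return {r.ticket: check_request(r) for r in audit_window(reqs, end, months)}

# Constructed sample records (not real data): one clean request, one self-approved,
# one with no approval at all, one provisioned before approval, one outside the window.
REQUESTS = [
    AccessRequest("REQ-101", "alice", "billing-db", "bob", date(2023, 9, 4), date(2023, 9, 5), date(2023, 9, 5)),
    AccessRequest("REQ-102", "carol", "billing-db", "carol", date(2023, 11, 12), date(2023, 11, 12), date(2023, 11, 12)),
    AccessRequest("REQ-103", "dave", "pii-store", "", date(2024, 1, 20), None, date(2024, 1, 21)),
    AccessRequest("REQ-104", "erin", "pii-store", "bob", date(2024, 2, 2), date(2024, 2, 6), date(2024, 2, 3)),
    AccessRequest("REQ-105", "frank", "billing-db", "bob", date(2022, 6, 1), date(2022, 6, 2), date(2022, 6, 2)),
]
REVIEW_END = date(2024, 3, 1)   # assumed end of the 12-month review period

if __name__ == "__main__":
    for ticket, gaps in review(REQUESTS, REVIEW_END).items():
        print(ticket, "OK" if not gaps else "; ".join(gaps))
```

Running it prints a clean line for REQ-101 and a gap list for each of the other in-window tickets; REQ-105 is outside the period and is not part of the population.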
Once you have provided all of the documentation and evidence asked of you, the auditor may have additional questions before the final evaluation. This also gives you time to correct any practices that the auditor highlights as inadequate.
Following completion of the audit, you will receive the auditors’ evaluation of the controls you have in place, showing how effective they are and where there is room for improvement. You will then be provided with your SOC 2 report.