Nov 17, 2021
8 min read

What is SOC 2 and do I need it?

Learn what SOC 2 is and whether you need it with practical advice on implementation from a CISO with over a decade's experience.

SOC 2 is an audit report that attests to the fact that your company has effective controls in place. The audit is carried out by a licensed Certified Public Accountant (CPA) or accountancy organization. When you first undergo the audit, your SOC 2 compliance will be Type I: you demonstrate that controls are in place and designed effectively. SOC 2 Type II compliance comes when your company can show that you can maintain these controls over a period of time (usually from 6-12 months) and the CPA gives their opinion on whether they think that is true.


The thing with SOC 2 that makes it different from some other standards and frameworks in and out of infosec is that there is no comprehensive list of requirements for compliance. To be approved as SOC 2 compliant, you need to satisfy general criteria which shows that you have controls in place which counter potential risks depending on the service you provide.

SOC 2: differeces from SOC 1 and SOC 3

SOC 1 compliance focuses on financial reporting and how you demonstrate internal controls for handling customer financial data. SOC 2, on the other hand, is about operations and compliance with special regard to data security. SOC 3 is similar to SOC 2 in that it is about how you keep data secure, but is an outward-facing and general report that you use to demonstrate to your customers; displaying it publicly on your site or sending it at the request of partners to demonstrate your level of compliance.

SOC 2 certification: what is needed?

A SOC 2 report prepared by a CPA firm focuses on your company’s position with respect to 5 trust services criteria (the so-called TCS):

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Let’s take a look at each in more detail as per the guidelines set in the AICPA’s TCS handbook.

Security

Security controls are aimed at detecting and preventing data breaches. As such, you will need to protect your information and systems from unauthorized access and disclosure of data, including having safeguards in place that prevent situations in which the availability, integrity, confidentiality or privacy of data could be negatively impacted. 

According to AICPA’s TCS handbook, security refers to the protection of:

  • Data during collection, processing, transmission, and storage
  • Systems that process, transfer, and store data

In practice

The first step is to classify the data and define the measures needed to keep it secure. You will probably look to receive certification not for your infrastructure in its entirety, but just the specific part which is responsible for providing a service. This part is called a contour. For example, PCI DSS audits check separate contours. 

In any case, you will need to assess risks for the scope (which systems, components, applications, etc.) of your SOC audit and for the data which you store or process in the contour you plan to audit. The outcome will be a matrix of assets, which risks and measures are or should be applied to them, indicating levels of:

  • Confidentiality
  • Integrity
  • Accessibility

You should also have general safety processes in place, such as:

  • Password security
  • Access management (logical and physical processes)
  • Software purchase and development processes
  • Audit and monitoring
  • Security of confidential information (including personal data)
  • Perimeter and network security (including security testing, pentesting, and vulnerability scans)

Confidentiality

Confidentiality is key to all private companies and to be SOC 2 compliant. You will need to make sure information designated as confidential is protected to meet your objectives.The confidentiality requirements that you should have in place will correspond to the jurisdictions within which you operate and the contracts which you conclude with customers and others. While confidentiality and the principles behind it are similar to privacy, they differ in that they can contain data other than that pertaining to individuals (e.g. trade secrets).

In practice

For confidentiality, you will need the following processes in place:

  • Service provider management (who is providing you services)
  • Third-party management (who you are sharing data with)
  • External service and cloud security and compliance

In this section, you can also include data storage processes, specifically: the storage format which ensures confidentiality, including in relation to your employees (for example, encrypted data).

Processing integrity

Here you need to make sure there is integrity of the services you provide. This means that the system processing should be complete, valid, accurate, timely, and authorized to meet your goals. In short, processing integrity is about whether the systems you put in place achieve their aim in the first place, executing their functions as intended and without any errors, delays, or open to be tampered with.

In practice

In practice, this will involve:

  • Access management before the contour and to the data within it, in addition to role and rights management
  • Admin account management
  • Management of changes and updates as part of secure development practices
  • Network and network-component security
  • Server and server-software security
  • Physical security (of data centers, servers, and buildings from where access to data is possible)
  • End-user device security


Data integrity is ensured by making it impossible for unauthorized changes/deletion of data to take place during transfer, storage, or processing, just as it should be impossible for unauthorized people to access data at its storage location. You also shouldn’t forget about end-user devices which could be used to access your contours and, therefore, the data and the servers where the data is housed. 


If you are using cloud providers like Amazon, you can request an AOC and SOC report to demonstrate their controls regarding physical security and server security.

Availability

Obviously, your databases and systems need to be available to meet your business objectives both internally within the company and externally: client facing. There is no minimum service level, range of functionality, or usability requirements for this criterion, but it does specify that your systems should include controls which support “accessibility for operation, monitoring, and maintenance.”

In practice

The main controls and processes here are:

  • Data and asset backup
  • Backup copy restoral
  • Data transfer backup channels
  • Contingency plans for emergencies and restoral plans following emergencies
  • Automatic task and service execution


The auditors are usually interested in the outcomes of standard processes and settings. This includes: outcomes and timetable for data backup, outcomes of test restoral processes from backup, etc.

Privacy

The privacy criterion of SOC 2 compliance is about how you collect, store and process personal data. It involves 8 aspects:

  • Prepping a nice privacy notice
  • Offering consent about usage
  • Minimizing of data collection
  • Setting fair use and retention policies
  • Offering data subjects access to their personal data
  • Having data transfer agreements in place and disclosing breaches
  • Ensuring accuracy of data held
  • Enforcing your own rules

In practice

If you are a consumer data-focused company, e.g. a B2C business, your documented consumer data practices should cover your data assets throughout the whole lifecycle: (1) collection; (2) use; (3) transfer; and (4) disposal. Such practices should be disclosed in a privacy notice. Finally, you should designate a point of contact for consumers to exercise their rights.


SOC 2 auditors

As mentioned earlier, SOC audits can be carried out only by licensed organizations or individuals: AICPA-affiliated companies so this should be the first thing to consider when looking to be assessed.


Find a licensed CPA


Secondly, you should look at the audit company’s experience and work with other clients to see if they have carried out SOC 2 assessments. In particular, you should pay attention to the type of clients they have assessed and look to work with an auditor that has evaluated companies in similar industries and of a similar size.


Lastly, if you are looking to attain SOC 2 type II, you should check with the auditor about the time frames in which they can perform the assessment so that it fits with your own deadlines.

Undergoing a SOC 2 audit

During the audit, you will have to provide different types of documentation as evidence of the security controls you have in place, depending on the criteria that will be evaluated. There are generally three stages:

  1. Questionnaire

The auditor will provide you with a security questionnaire to complete that asks you different questions regarding your security practices. The questions will focus on your security architecture, policies and controls you have in place.

  1. Evidence

Once you have completed the questionnaire, you will be asked to provide evidence about the different controls you have stated that you have in place and prove that they are effective. For example, a new employee requests access to a contour or system which processes personal data. In this case:

  • You should have a request/support system setup, such as YouTrack, Jira, etc.
  • The request should specify their role and rights to within the system (in accordance with you access and role management matrix)
  • It should be fully confirmed and agreed by someone appointed responsible that the new employee should be granted this level of access/rights/role 


The auditors often ask for all of the access requests for the past 6-12 months, select several of them and ask you to show the confirmation and how the request was processed.

  1. Evaluation

Once you have provided all of the documentation and evidence asked of you, the auditor may have additional questions pre-final evaluation. This will also give you time to correct any practices that the auditor highlights as inadequate.


Following completion of the audit, you will receive the auditors’ evaluation of the controls you have in place and understand how effective they are and if there is room for improvement. You will be provided with your SOC 2 report.


Author
Alex
Alex is an expert in information security with more than 10 years of experience. Currently a CISO of a giant e-commerce marketplace with 400M+ users and with previous experience working as a consultant for Deloitte.

Receive helpful tips, practical content, and updates

Thank you! You have been successfully subscribed
Oops! Something went wrong while submitting the form.