SOC 2 Primer - Your Mini-Guide to SOC 2

Travis Good
June 30, 2021

Information security is a priority topic for all companies in 2021. This high priority spans markets, industries, and infrastructure (cloud and on-premises). Beyond the need for better security to reduce the chance of a security incident or data breach, companies need to provide the market with proof of their information security practices. Most typically, this proof comes in the form of a SOC 2 report.

A SOC 2 report requires an audit to verify that the company has security policies and procedures in place and that those are followed. There are endless “SOC 2 guides” to help you navigate the SOC 2 process. In an effort not to reinvent the wheel, we created this SOC 2 primer. In a little over 500 words, we hope you’ll know more about SOC 2 than 99% of the world.

What is SOC 2 Compliance?

SOC 2 compliance is a bit of a misnomer. It’s more accurate to say you have a SOC 2 report that documents, in a standardized way, your information security program; SOC 2 is a reporting framework, not a certification.

The American Institute of Certified Public Accountants (AICPA) developed the SOC 2 reporting standard. SOC 2 is based on five Trust Service Criteria that set out requirements for the proper handling and use of customer data. The easiest way to break down and approach SOC 2 is through the Trust Service Criteria.

The only required criterion is Security, sometimes referred to as the Common Criteria. The other criteria are optional and are typically selected based on the profile of the business: the type of product or service offered, the data collected and stored, and so on.

Let’s look at each of the Trust Service Criteria separately:

[Required] Security

Security refers to the measures an organization takes to prevent unauthorized access to its systems, such as access controls, firewalls, intrusion detection, and two-factor authentication. Security awareness training also falls under the Common Criteria. Meeting the security requirements demonstrates that the company can reasonably prevent improper use of information, data, or software.

[Optional] Availability

Availability is a commitment that the company can reliably deliver its products or services. A service level agreement (SLA) describes the terms and conditions of that commitment. Companies must closely monitor network performance and uptime to meet this criterion.

[Optional] Integrity

Integrity refers to a system’s ability to achieve its intended purposes, particularly when it comes to data storage and processing. Regular monitoring of your company’s data processing systems is critical to this criterion. As a side note, this criterion does not refer to data integrity, which is outside the processor’s scope.

[Optional] Confidentiality

Confidentiality covers the protection of sensitive data and how the organization demonstrates its commitment to that protection by employing encryption, firewalls, and access controls to prevent unauthorized access to the data by third parties.

[Optional] Privacy

Your company’s systems must protect all personally identifiable information (PII), including names, addresses, health information, and other details, from being accessed or manipulated by internal or external users without adequate permission. An additional level of protection is usually required to guarantee the privacy of such data.

What Are the Different Types of SOC 2 Reports?

For an organization to obtain a SOC 2 report, it must undergo an external audit of its data processing by an AICPA-approved firm.

There are two types of SOC 2 reports:

  • Type I: A Type I report examines a company’s policies and procedures to determine whether they are appropriate for meeting the relevant trust criteria. This is a point-in-time evaluation that can be completed in under a month, sometimes in as little as a few weeks.
  • Type II: A Type II report describes the operational effectiveness of these controls. Basically, it assesses whether your company is actually following its policies and procedures over an observation period. These usually take between 6 and 12 months.

Why get a SOC 2 report?

SOC 2 reports are valuable for several reasons.

First, a report shows your commitment to data security and the measures you have taken to protect the people whose data you handle.

Second, unlike other reporting standards, SOC 2 reports are unique to each company, as they must accurately reflect that company’s specific data management processes.

Third, due to the flexibility and bespoke nature of SOC 2, it provides an excellent opportunity to reassess your strategies and infrastructure.

Last, and increasingly one of the most important reasons to do SOC 2, is that SOC 2 is widely used in the U.S. as a security reporting standard, and company vendor management policies increasingly require SOC 2 reports from their suppliers. A SOC 2 report provides assurance to current customers and accelerates signing and onboarding new ones.