SOC 2 is a framework for auditing the internal processes and procedures of an organization. It is an increasingly popular standard, especially for technology companies that sell software and services to businesses. SOC 2 is governed by the American Institute of CPAs (AICPA).
SOC 2 is different from stricter regimes such as GDPR, HIPAA, or PCI in that SOC 2 is much more tailored to the organization. SOC 2 is focused on what organizations say they do to protect data. The flexibility of SOC 2 comes from the company's ability to select the controls and trust services categories with which they comply.
SOC 2 is divided into five services criteria:
Organizations can choose one or more services criteria to be audited against. The Security criterion, however, is required of all organizations.
SOC 2 offers two types of reports.
SOC 2 is not prescriptive. Each SOC 2 report is customized to the organization. The organization, usually with the help of an auditor, chooses what controls are relevant. Those controls are the only controls tested.
To standardize SOC 2 and hold the reports to a consistent level of rigor, only organizations that are approved by the AICPA can issue SOC 2 reports. This means organizations cannot work with just any auditor or firm, as they can for HIPAA or GDPR; in practice, though, many large audit firms are approved by the AICPA and offer audits against all of these regimes.
SOC 1 vs SOC 2 vs SOC 3
SOC 2 is not the only SOC, which adds to the confusion about SOC.
The most common form of SOC report for technology companies, especially startups, is SOC 2. This is because information security is the area of greatest concern for many buyers.
There is also a framework and report called SOC for Cybersecurity. This report is focused on risk management specific to the company. It covers how a company assesses threats and risks and how it manages and mitigates those risks. It is not widely used.
Below is a table to keep the different SOCs straight.
The course is meant to be an introduction to SOC 2. The objective is to ensure learners understand SOC 2 trust services categories, types of reports, and the overall language of SOC 2. This training does not go into the details of the controls in SOC 2. Haekka offers a more in-depth SOC 2 course that does go into control detail if you are interested in learning more.
SOC 2 is tailored to organizations, but the most common way in which companies attest to SOC 2 is by addressing the common criteria controls that make up the Security category.