SOC 2 Primer

Lesson 1 | Introduction to SOC 2

Introduction

SOC 2 is a framework for auditing the internal processes and procedures of an organization. It is an increasingly popular standard, especially for technology companies that sell software and services to businesses. SOC 2 is governed by the American Institute of CPAs (AICPA).

SOC 2 differs from stricter regimes such as GDPR, HIPAA, or PCI in that SOC 2 is much more tailored to the organization. SOC 2 is focused on what organizations say they do to protect data. The flexibility of SOC 2 comes from the company's ability to select the controls and trust services categories with which it complies.

SOC 2 is divided into five services criteria:

  1. Security
  2. Availability
  3. Integrity
  4. Confidentiality
  5. Privacy

Organizations can choose one or more services criteria to be audited against. The Security criterion, however, is required of all organizations.

SOC 2 offers two types of reports.

  1. SOC 2 Type 1 Reports are used to document that you have policies and procedures in place to meet the relevant SOC 2 controls for your company.
  2. SOC 2 Type 2 Reports demonstrate that you have implemented your policies and procedures.

SOC 2 is not prescriptive. Each SOC 2 report is customized to the organization. The organization, usually with the help of an auditor, chooses which controls are relevant. Those controls are the only controls tested.

In order to standardize SOC 2 and hold the reports to a level of rigor, only organizations that are approved by AICPA can issue SOC 2 reports. This means organizations cannot work with just any auditor or firm as they can for HIPAA or GDPR; in practice, though, many large audit firms are approved by AICPA and offer audits against all regimes.

SOC 1 vs SOC 2 vs SOC 3

SOC 2 is not the only SOC, and this adds to the confusion about SOC.

  1. SOC 1. This type of SOC report assesses the controls around financial reporting. These reports are Restricted Use, so they are not publicly disclosed.
  2. SOC 2. This type of report assesses the controls contained in the Trust Services Categories. These are a proxy for information security. These reports are Restricted Use and typically only shared outside the company under NDA.
  3. SOC 3. This type of report is similar to SOC 2 in that it assesses controls in the Trust Services Categories. The difference is that this type of report is meant for general distribution while a SOC 2 report is Restricted Use.

The most common form of SOC report for technology companies, especially startups, is SOC 2. This is because information security is the area of greatest concern for many buyers.

There is also a framework and report called SOC for Cybersecurity. This report is focused on risk management specific to the company. It covers how a company assesses threats and risks and how it manages and mitigates those risks. It is not widely used.

Below is a table to keep the different SOCs straight.

                        | Financial | Information Security | Risk Management | Restricted Use
  SOC 1                 | X         |                      |                 | X
  SOC 2                 |           | X                    | X               | X
  SOC 3                 |           | X                    |                 |
  SOC for Cybersecurity |           |                      | X               |


About this Course

The course is meant to be an introduction to SOC 2. The objective is to ensure learners understand SOC 2 trust services categories, types of reports, and the overall language of SOC 2. This training does not go into the details of the controls in SOC 2. Haekka offers a more in-depth SOC 2 course that does go into control detail if you are interested in learning more.

SOC 2 is tailored to organizations, but the most common way in which companies attest to SOC 2 is by addressing the common criteria controls for the Security category.