When it comes to cybersecurity, there are abundant frameworks and approaches a company can use to protect itself. But for all the unique possibilities for an organization’s cybersecurity program, there are certain unifying norms that companies need to follow. For example, many service organizations are beholden to the SOC 2 standard developed by the American Institute of CPAs (AICPA).
But what are these, and how does a company become compliant? These are just a few of the most commonly asked questions about SOC 2 compliance. Companies need to understand the spirit and design of AICPA’s guidelines in order to fully implement them. This FAQ exists to help fill that gap in understanding.
10 Common Questions About SOC 2 Compliance
Here at RSI Security, we understand that the complex world of SOC 2 can entail difficulty and frustration for businesses of all sizes. This is especially true for small to medium-sized businesses with overburdened technology departments.
This guide will make the process a bit more manageable by walking through the top 10 most asked questions about SOC 2 compliance:
- The first five questions below will cover basic definitions of what SOC 2 is, what compliance entails, and breakdowns of its component parts (types 1 and 2).
- Then, the final five questions will dive into ways in which SOC 2 compliance applies to companies: who needs it, why, what it costs, and the best way to accomplish it.
Let’s get started.
#1: What is SOC 2?
SOC 2 refers to a standardized form of auditing and reporting. It assesses the security and privacy controls of a service organization that processes, stores, or transmits client data on behalf of other businesses. SOC originally stood for Service Organization Controls; AICPA now uses it to mean System and Organization Controls.
With respect to the number, SOC 2 is the second of three AICPA reporting protocols that apply to service organizations:
- SOC 1 – Internal Control over Financial Reporting (ICFR), a report on controls at a service organization that are relevant to its clients’ financial reporting, such as outsourced payroll or transaction processing.
- SOC 2 – Trust Services Criteria (TSC), a report on the controls over security, availability, processing integrity, confidentiality, and privacy of systems that host or process client information, evaluated against the TSC (see below).
- SOC 3 – TSC for General Use Report, a public summary of a SOC 2 examination that can be distributed freely, for example to prospects researching your company. It carries the auditor’s opinion but not the detailed system description, control list, or test results that a SOC 2 report contains.
Companies may obtain one or more of these reports, depending on the nature of their business and their relationship to clients’ data. SOC 1 and SOC 2 differ substantially in subject matter, whereas SOC 3 is a general-use version of a SOC 2 report rather than a separate examination.
#2: What Is SOC 2 Compliance?
Strictly speaking, SOC 2 is an attestation, not a certification: an independent, licensed CPA firm examines your controls and issues a report containing its opinion. Being “SOC 2 compliant” in everyday usage means having obtained a report with an unqualified (clean) opinion. The controls are evaluated against the Trust Services Criteria (TSC), and every report must cover the Security category; the remaining categories are included only if they are in scope for the services you provide.
The TSC’s five categories are:
- Security – The “common criteria,” and the only category that every SOC 2 report must include. It covers protection against unauthorized access and other internal and external risks, and spans areas such as logical and physical access controls (including account management and multi-factor authentication), system operations, change management, and risk mitigation.
- Availability – Whether the system is available for operation and use as committed or agreed, for example in service-level agreements. Controls here typically cover capacity planning, monitoring, backups, and disaster recovery.
- Processing Integrity – Whether system processing is complete, valid, accurate, timely, and authorized, so that data is processed, stored, and transmitted as agreed between the organization, its partners, and its clients.
- Confidentiality – Whether information designated as confidential is protected as committed or agreed, from collection through disposal.
- Encryption at rest and in transit is a typical control here; it limits what an attacker can read if data is accessed without authorization.
- Privacy – Whether personal information is collected, used, retained, disclosed, and disposed of in line with the organization’s privacy notice and the AICPA’s privacy criteria. Unlike confidentiality, which can apply to any data the organization designates as confidential, privacy applies specifically to personal information.
Importantly, the way these principles are measured and reported upon differs across two different types of SOC 2 reports—type 1 and type 2.
#3: What is SOC 2 Type 1?
“SOC 2 Type 1” refers to one of the two kinds of SOC 2 report. A Type 1 report describes the organization’s system and evaluates whether its controls are suitably designed to meet the in-scope TSC detailed above, as of a single date.
A Type 1 report indicates to a client, or to another concerned party who requests it, that the audited organization has SOC 2 controls designed and in place. Importantly, it establishes only that the controls were in place as of a given date; that “as of” date is the key distinguishing factor of a Type 1 report. It does not test whether the controls operated effectively over time.
#4: What is SOC 2 Type 2?
Unlike a Type 1, a Type 2 report tests whether the controls for the in-scope TSC were not only suitably designed but also operated effectively over a review period, commonly six to twelve months. This wider scope makes a SOC 2 Type 2 examination a more complex and potentially burdensome process.
However, the payoff for this more arduous process is stronger assurance about an organization’s everyday security. Controls observed “as of” one particular date may not be representative of how a company actually operates. Evidence that they operated consistently over a period of weeks or months is a much better indicator of a company’s commitment to security.
#5: Does SOC 2 Type 1 Come Before Type 2?
Companies seeking a SOC 2 report may choose a Type 1, a Type 2, or both. There is no requirement to obtain a Type 1 before a Type 2.
However, obtaining a Type 1 first is often the best option for companies that ultimately want both, or even for those that only need a Type 2. Why? The first reason is turnaround: because a Type 1 covers a single date, it can be completed and delivered to the requesting client sooner, while the Type 2 review period is still running.
The second reason is the relationship between the two. A Type 2 report covers everything a Type 1 does (the design of controls) and adds testing of their operating effectiveness, so a Type 1 can serve as the scaffold for a Type 2. It establishes that the controls are properly designed before the efficacy of that design is measured in practice over the review period.
#6: Who Needs to Be SOC 2 Compliant?
As briefly noted above, SOC reporting applies to service organizations, that is, businesses that process, store, or transmit client data on behalf of other organizations. Which report is relevant, SOC 1 or SOC 2, depends on the company’s business model and on what its services affect at the client.
Here are the industries and kinds of service providers for which each report is relevant:
- A SOC 1 report is relevant to companies whose services affect their clients’ financial reporting, such as:
- Payroll, loan, or payment transaction processing
- SaaS and data center services that host clients’ financial systems
- A SOC 2 report is relevant to companies that:
- Host or process sensitive client information beyond financial data
- Provide SaaS, data center, cloud computing, or managed IT services
SOC 2 is generally not required by law. No US federal statute mandates it; in practice it is a contractual or procurement requirement imposed by customers, and in some industries an expected norm. Regardless, the controls it examines are important in their own right.
#7: Why is SOC 2 Compliance Important?
Undergoing a SOC 2 examination and obtaining a clean report is one of the best ways to show your customers that you take the security of their data seriously. Even in the absence of a legal requirement, SOC 2 provides business advantages you can’t pass up.
On the one hand, understanding your status with respect to data security is vital. Keeping clients’ private data secure doesn’t just protect them; it protects your business from potentially costly attacks, such as:
- Outright theft
- Ransom or extortion
- Reputational damage
On the other hand, potential customers are more likely to do business with a company that they can trust with their information. A SOC 2 report can prove you’re a step ahead of the competition in this regard.
#8: How Much Does SOC 2 Compliance Cost?
Proving your commitment to cybersecurity isn’t cheap. Obtaining a SOC 2 report can be an extensive and expensive process, regardless of which type of report is chosen. According to one estimate, a Type 1 report can cost anywhere from $20,000 to $60,000, and a Type 2 report can exceed $80,000. But these prices aren’t just for the reports themselves.
There are various other costs involved beyond the actual price paid to an auditor.
On one level, companies need to account for a lengthy preparation process before the SOC 2 examination begins. This includes training staff, implementing the software and practices needed, and potentially expensive legal analysis of contracts. Another level involves lost productivity from staff tasked with preparing for and overseeing the examination itself.
Finally, yet another level involves remediation after the audit. Your company may need to build or buy additional security infrastructure to close gaps the auditor identifies. That’s why, by another estimate, your total costs could exceed $145,000.
#9: Does SOC 2 Overlap With Other Regulatory Guidelines?
SOC 2 is not a regulation but an attestation framework, and it is relatively unusual among compliance frameworks. Rather than a uniform set of prescribed controls that apply equally to every company, it lets each service organization define the controls that meet the criteria for its own systems and commitments. Even so, the controls it examines overlap with other standards that companies need to follow.
One of the biggest areas of overlap is with the Payment Card Industry Data Security Standard (PCI DSS), which applies specifically to companies that store, transmit, or otherwise process consumers’ payment card data.
Certain control areas are common to both, whether assessed by a licensed CPA firm (for SOC 2) or by a Qualified Security Assessor (for PCI DSS):
- Training of personnel regarding security measures
- Access management and authentication systems
- Functionality of physical security safeguards
With proper timing, these and other shared control areas can be assessed in a single engagement or in quick succession, increasing efficiency and reducing overall cost. An external firm qualified to perform both kinds of assessment can combine the two into one coordinated process.
#10: What’s The Best Way to Achieve SOC 2 Compliance?
Whether your company wants to bundle PCI DSS and SOC 2 work together or simply obtain a SOC 2 Type 1 report as quickly as possible, professional help is essential. The examination itself must be performed by an independent, licensed CPA firm; only such a firm can issue a SOC 2 report. But arranging the audit shouldn’t be the first thing you seek outside help for.
Having professional help preparing for the examination is the key to getting a clean report the first time. It’s also the best way to streamline the implementation of any new practices and tools you’ll need to put in place before, during, or after your audit. To that end, we’re here to help.
RSI Security offers a robust suite of SOC 2 compliance advisory services that include guidance through the entire readiness, reporting, and remediation process.
SOC 2 Standards, Accounted For: RSI Security
No matter what kind of cybersecurity question or situation your company is facing, RSI Security has answers and solutions that’ll keep you safe. Our experts have over a decade of experience helping companies of all sizes with all matters of cyberdefense planning and implementation.
Beyond SOC 2 and other compliance services, we also offer everything from firewalls and web filtering to cloud security and password management. We’re a one-stop-shop for not just compliance, but all cyber defense solutions you may need to keep your stakeholders safe.