The American Institute of Certified Public Accountants (AICPA) manages various certification programs for service organizations, including those for software-as-a-service (SaaS) providers. If clients are concerned about how a SaaS company secures their data, a System and Organization Controls (SOC) 2 Type 2 report offers tangible assurance of trust. SOC 2 Type 2 certification enhances customer confidence, reduces incident impact, and simplifies compliance.
SOC 2
SSAE 18 is a set of standards governing service organizations’ security practices. It’s used to identify and manage risks involved in handling consumer data. Many organizations need to showcase compliance with SSAE 18 standards through SOC audit reports. While SSAE 18 Type 2 is often misused to refer to SSAE 18 SOC 2 Type 2 reports, the usage is commonly accepted. SOC 2 reports closely follow guidelines laid out in SSAE 18, especially for service organizations that utilize subcontractors or sub-service organizations.
Service organizations that need to become SOC 2 compliant often struggle with scoping their SOC 2 report. Other issues include covering gaps in the control layout and allocating the resources needed for an audit. Working with a compliance partner helps address all of them.
Preparation for a SOC 2 Type 2 audit comprises four essential steps:
- Establishing an accurate implementation and assessment scope
- Implementing the Common Criteria from the SOC 2 Type 2 controls list
- Installing any Additional Criteria controls that may be required of you
- Conducting the assessment and reporting on your SOC 2 compliance
SOC 2 compliance ensures service providers meet client expectations for data security, and it offers the best value when implemented efficiently. To do so, organizations need to scope and install controls intentionally, prioritizing necessities for the specific kind of audit they’re targeting.
If you’re on the fence about whether you need SOC 2 compliance, you should consider:
- Which industry niches specifically require SOC 2
- Which Type of SOC 2 report might be best for you
- What differentiates SOC 2 from SOC 1 and SOC 3
- What other SOC compliance frameworks might apply
Data breaches continue to be a pressing concern for companies worldwide. According to the most recent Data Breach Report, the number of reported data breaches in the first quarter of 2019 was up to 56.4% higher than the number reported in the same period of the previous year.
Information security has therefore become a prime concern for organizations around the world, including those that outsource their business requirements to third-party providers such as SaaS (software as a service) and cloud computing companies. This is unsurprising, since mishandled data can leave companies vulnerable to attacks such as data theft, malware installation, and extortion.
Achieving SOC 2 Type 2 Certification is a complex process that follows these overarching steps:
- Choose the right SOC framework for your needs
- Determine the scope (or Type) of report you need
- Implement Trust Services Criteria controls
- Execute your SOC 2 compliance audit and report
Step 1: Determine Your SOC Framework
SOC 2 is the most widely applicable security framework, with utility for nearly all service organizations. When preparing for certification, the first step is to confirm which kind of SOC assessment report you need. You’re likely here to manage SOC 2, but to avoid redundancy in security processes, let’s compare the three primary options available:
- SOC 1 – These are reports on Internal Controls over Financial Reporting (ICFR), and they apply almost exclusively to financial services organizations. They are intended for highly technical audiences, such as accountants, and their use is tightly restricted.
- SOC 2 – These are reports on service organizations’ implementation of the Trust Services Criteria (TSC) detailed below. They illustrate general best practices with respect to security, in any industry, and are also intended for technical audiences.
- SOC 3 – Like SOC 2, these reports focus on TSC and apply to any industry. However, unlike SOC 1 and 2, they are meant for general audiences and can be freely distributed.
There are also niche SOC audit and reporting frameworks designed for particular industries and use cases. For example, there are SOC for Cybersecurity and SOC for Supply Chain reports, loosely based on the same criteria as SOC 2 and SOC 3, but with additional considerations.
Note: If your organization needs to generate a SOC 3 report, too, you’ll want to achieve SOC 2 certification first.
Step 2: Confirm Your Security Assurance Scope
After selecting the appropriate SOC framework, you’ll need to determine the scope of the report required to satisfy stakeholder demands. There are two Types available for SOC 1 and SOC 2, each of which requires a different level of scrutiny and provides lesser or greater assurance:
- Type 1 – This is a report on the design of controls at a fixed, finite point in time. The audit is relatively straightforward and fast to conduct but provides less assurance.
- Type 2 – This is a report on controls’ actual performance over an extended duration. It is significantly longer and more challenging to conduct but provides greater assurance.
It should be noted that, unlike SOC 1 and 2, SOC 3 does not differentiate between report Types. However, the scope of SOC 3 assessment and reporting mirrors that of a SOC 2 Type 2 report.
If your organization is trying to provide the maximum amount of security assurance to its clients and partners, you should consider a SOC Type 2 report. Another common approach is to begin with a SOC Type 1 assessment and secure that report en route to a fuller Type 2 report later.
Step 3: Implement Trust Services Criteria Controls
SOC 1 and SOC 2 attestation require meeting standards set out in the AICPA’s Trust Services Criteria (TSC) framework. Based heavily on the COSO framework, the TSC is organized around five Trust Services Categories, which house dozens of individual requirements and controls:
- Security – These are baseline protections that prevent unauthorized access to and disclosure of sensitive data, or other events that would compromise availability, integrity, privacy, etc.
- Availability – These include network, communications, and monitoring infrastructure that ensure information is available in accessible forms to stakeholders that need it.
- Processing Integrity – These standards work to ensure that all system-wide processes are complete, valid, accurate, timely, and properly authorized to meet your objectives.
- Confidentiality – These controls restrict, monitor, and control access to information that is classified as confidential other than personally identifiable information (PII).
- Privacy – These are similar to confidentiality protections, but for PII exclusively.
The Common Criteria are shared across all five categories. They constitute the entirety of the Security category, which is the baseline for every SOC 2 audit. There are also supplemental criteria distributed among the other four categories that may or may not be in scope for a given audit.
Working with an advisor will help you determine which criteria you need to meet—and how.
Step 4: Conduct a SOC 2 Type 2 Certification Audit
If you’ve followed the steps above carefully and worked with a compliance advisor, this final stage should be relatively straightforward. You’ll prepare for a Type 1 or Type 2 audit by securing an assessor and explaining your needs. Then, with an agreement in place, all you need to do is select the best time for the point-in-time or extended assessment process.
Typically, you will want to start the assessment as soon as possible after your implementation is complete. This is when you can be most certain that controls will function as intended. However, you might also want to balance that urgency against other factors. For example, you should ideally target a period that is expected to be at or below your average level of business activity. That way, technical and other staff will have the bandwidth to provide assistance if needed.
Streamline Your SOC 2 Certification Today!
Completing a SOC 2 assessment provides a uniform way to meet all your clients’ and partners’ needs for security assurance. Preparing for certification comes down to selecting the right framework and report Type, implementing the controls, and securing the assessment.
RSI Security has helped countless organizations prepare for and achieve SOC 2 Type 2 certification. We know that the right way is the only way when it comes to protecting data and assuring your clients you have their safety in mind. To get started, contact RSI Security today!