Preparation for a SOC 2 Type 2 audit comprises four essential steps:
- Establishing an accurate implementation and assessment scope
- Implementing the Common Criteria from the SOC 2 Type 2 controls list
- Installing any Additional Criteria controls that may be required of you
- Conducting the assessment and reporting on your SOC 2 compliance
Step 1: Scope Out Your SOC Implementation
First, you’ll need to determine if the SOC 2 Type 2 assessment is best for your organization.
SOC 2 audits are designed for service organizations, such as SaaS providers. They offer security assurance by way of technical documentation of security and other controls, as measured at a point in time (Type 1) or over a long duration (Type 2). SOC 2 reports target technical audiences, whereas SOC 3 reports use the same framework but target general audiences. SOC 1 uses a different framework and is applicable only in financial services.
The same framework applies to both Type 1 and Type 2 assessments within a SOC standard, but for SOC 2, some controls may not apply depending on your clients’ needs—see below.
In practice, this means that the SOC 2 Type 2 and SOC 2 Type 1 controls list is the same, but a set of requirements may or may not apply, irrespective of Type. In either case, these controls do differ from the SOC 1 Type 1 or SOC 1 Type 2 controls list. Whether you’re conducting a SOC Type 1 or Type 2 test, check in with your clients to determine the specific controls they expect.
Step 2: Install Common Criteria Controls
SOC 2 and SOC 3 audits are based on the Trust Services Criteria (TSC) framework. The full SOC 2 Type 2 controls list comprises all of the Common Criteria (CC Series) from the TSC, along with Additional Criteria that may apply. Those that always apply break down as follows:
- CC1 Series: Control Environment controls
- CC2 Series: Communication and Information controls
- CC3 Series: Risk Assessment controls
- CC4 Series: Monitoring Activities controls
- CC5 Series: Control Activities controls
- CC9 Series: Logical and Physical Access Controls
- CC9 Series: System Operations controls
- CC9 Series: Change Management controls
- CC9 Series: Risk Mitigation controls
If your organization is preparing for a SOC 2 audit, of either Type (and/or a SOC 3 audit), you’ll need to install all of the controls and sub-controls listed within these nine series. This makes up the fundamental core of all SOC 2 compliance, and it shares many similar protections with other regulatory frameworks. If you’re subject to other protections, such as HIPAA or PCI DSS, it’s best to work with an advisor to map controls rather than starting from scratch with new ones.
Step 3: Install Additional Criteria Controls
The TSC framework provides insights into service organizations’ cyberdefenses across five principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. All five of these criteria are touched upon to an extent across the CC Series controls, and Security is satisfied completely by them. But the other four each have dedicated controls, any or all of which might be required for your SOC 2 audit, depending on what your clients expect.
Availability (A Series) and Processing Integrity (PI Series) criteria focus on general operations with respect to sensitive data. They ensure that information is available to stakeholders, such as data subjects, and that processes conducted on data are authorized and function as expected.
Privacy (P Series) and Confidentiality (C Series) controls focus on your organization’s ability to prevent unauthorized access to personal data and other forms of protected data, respectively.
Many SOC 2 Type 1 and Type 2 audits cover all TSC controls, including both Common and Additional Criteria. Check with your service provider and any stakeholders requesting the audit to ensure you’re installing everything you need to—and accounting for long-term maintenance.
Step 4: Conduct Your SOC 2 Type 2 Audit
With the implementation completed, all you’ll need to do is contact a SOC 2 assessor and carry out the audit—and, for Type 2, ensure that all controls remain active throughout the duration.
As noted above, the SOC 2 Type 1 controls list is no different from its Type 2 counterpart. But other factors impacting your assessment, especially the time and resources required, will differ drastically. Type 2 audits often take at least six months to complete, and it is common for the process to stretch across a year or more. In contrast, SOC 2 Type 1 audits typically take no more than six months to complete, and they can often be completed within a matter of weeks.
For this reason, many organizations choose to produce a Type 1 report en route to full Type 2 compliance. Clients may specifically request a Type 1 report as they wait for a Type 2 variant.
Another consideration as you finalize your audit readiness is whether to generate a SOC 3 report as well. SOC 3 audits cohere to the same standards and duration as SOC 2 Type 2, generalizing the results for a lay audience—they’re perfect for public access on your site.
Prepare for SOC 2 Compliance Today
Overall, preparing for SOC 2 implementation means understanding which SOC report is right for you and which controls apply, installing those that do, and allocating resources for the audit.
RSI Security has helped countless organizations prepare for and achieve SOC 2 certification by rethinking their cyberdefenses. We believe that discipline up front, like robust installation of all TSC controls, will unlock greater freedom down the line—like expanding across verticals.
To get started implementing your SOC 2 Type 2 controls list, contact RSI Security today!