SSAE 18 is a set of standards governing service organizations’ security practices. It’s used to identify and manage risks involved in handling consumer data. Many organizations need to showcase compliance with SSAE 18 standards through SOC audit reports. While SSAE 18 Type 2 is often misused to refer to SSAE 18 SOC 2 Type 2 reports, the usage is commonly accepted. SOC 2 reports closely follow guidelines laid out in SSAE 18, especially for service organizations that utilize subcontractors or sub-service organizations.
SSAE 18 SOC 2 Type 2 Audits and Reporting
Statement on Standards for Attestation Engagements 18 (SSAE 18) was published by the American Institute of Certified Public Accountants (AICPA) in May 2017, superseding the SSAE 16, to increase applicability and quality across all SOC auditing and reporting.
SOC 2 is an auditing process to ensure service organizations and third-party contractors protect the safety and security of consumer data. To understand it, you must first grasp:
- Who needs to be SSAE 18 SOC 2 Compliant
- What the Trust Services Criteria comprise
- How an SSAE 18 SOC 2 Type 1 Report works
- How an SSAE 18 SOC 2 Type 2 Report works
Additionally, information on supplemental criteria for these reports, and context surrounding other forms of SOC auditing (e.g., SOC 1, SOC 3, special SOC reports), is beneficial.
Who needs to be SSAE 18 SOC 2 compliant?
As a rule of thumb, almost every service organization is covered under the scope of SSAE 18 SOC 2 standards. The AICPA defines a service organization as an “entity…that provides services to a user organization that is part of the user organization’s information system.”
If you’re a service organization, the term “user organization” refers to your clients; hence, any entity you’re engaged with while providing services to your clients is also covered under the scope of SOC 2 compliance.
Some organizations generally required (by business agreements and contracts, not legally) to be SOC 2 compliant are:
- Organizations that consult on or otherwise enable financial or accounting processes
- Software as a Service (SaaS) organizations that provide platforms and infrastructure
- Organizations that provide data analytics, business, and other management services
- Organizations that manage, provide, or advise on IT and cybersecurity services
If your organization fits into any of these categories, you’ll probably need to maintain SOC 2 compliance to establish trust with your clientele and meet local or industry norms and rules.
SSAE 18 SOC 2 Trust Services Criteria
The SOC 2 framework provides internal auditing guidelines for organizations to report on their privacy and security controls protecting confidential customer information. These are intended to honor the five trust services categories (formerly known as trust services principles or TSPs) detailed in AICPA’s TSP Section 100 document.
The five trust services categories, each of which is discussed in turn below, are as follows:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Taken together, these principles and the criteria they inform paint an accurate picture of the trust a client can place in a service organization. A SOC report may focus on any selection within the five, but Security is almost always the top priority, as it impacts all the others.
The Security category deals with possibly the most crucial aspect of consumer data protection: implementing dedicated safeguards to protect it. Ensuring strong network, infrastructure, and data security controls is fundamental to trust assurance.
To that effect, network firewalls and updated anti-virus software are some of the most basic but indispensable tools you can have in your fight against unauthorized system access. For example, a web filter improves the defense of a firewall with additional screening criteria for all traffic.
Then, there are more advanced considerations:
- Identity and access management (IAM) controls such as role-configured access permissions and multifactor authentication ensure that individuals who access data are who they say they are—and are authorized to do so.
- Data encryption is essential; using the AES-256 standard for end-to-end encryption protects data even if it has been stolen or lost, as the encrypted data remains unreadable to anyone without the key.
- Developing and following an incident management plan ensures that, if a breach does occur, any damage to files is quarantined, minimized, and recovered from.
Implementing protections like these across an organization requires robust cybersecurity awareness training to apprise all stakeholders of their roles and responsibilities. Working with a Managed Security Services Provider (MSSP) on training and program advisory will help ensure uptake across all staff.
The Availability category deals with ensuring accurate service availability to your client or business partner, per what is contractually promised. For example, suppose you’re in the business of offering cloud computing infrastructure. In that case, you’re expected to ensure near-100 percent availability of your services, as any downtime can severely hamper your clients’ end-user experience.
SOC 2 standards require implementing controls and solutions that will ensure close to 100 percent availability. Through robust threat and vulnerability management solutions, you can stave off even the most advanced and persistent threats to uptime, such as Distributed Denial of Service (DDoS) attacks. Additionally, a managed detection and response (MDR) suite can empower efficient, timely resumption of services—even after a successful cyberattack.
Processing Integrity in the SOC 2 context refers to your ability to ensure accurate, timely, and complete processing of data—as defined by your organization. This category covers verifying that your data services are delivered to clients as they expect and per your agreements.
Proper visibility and quality assurance infrastructure will go a long way toward ensuring processing integrity. Strive to measure network and system activity at regular intervals and around special events, such as during peak traffic times or after a security event impacts peers in your location or industry. Be sure to minimize inaccuracies in data processing, preventing delays and downtime at the user organization’s end.
ISO frameworks for best practices involving information management are extremely useful for this service category’s associated criteria.
Confidentiality of information concerns how an organization ensures safe and authorized storage and access for any client data designated as classified or protected by an applicable regulation or law. This may include, but is not limited to, personal and personally identifiable information (see below).
Service organizations need to install access controls so that only the individuals who are required or authorized to access the information are able to, and only for purposes identified explicitly in the governing rules or statutes applicable to the data.
This criterion operates similarly to, and enjoys some crossover with, the final one, Privacy.
Privacy is nearly identical to confidentiality, but it applies specifically to personal information, irrespective of other regulations or qualifications. Therefore, for SOC 2 compliance, data containing any personally identifiable information needs to be protected to the level required by applicable laws and regulations (e.g., HIPAA, CCPA) as well as by any organizationally defined privacy standards.
Ensuring privacy, alongside confidentiality, requires robust cybersecurity implementations and configurations (e.g., automatic data deletion after a specified period has passed), among other safeguards.
SSAE 18 SOC 2 Type 1 Report
To fully understand how a SOC 2 Type 2 (sometimes erroneously called “SSAE 18 SOC 2 Type II”) report works, one must first understand the less elaborate SOC 2 Type 1 report.
The SSAE 18 SOC 2 Type 1 report is meant to represent the design of an organization’s security controls at a specific point in time—think of a snapshot. It’s a static report on your organization’s processes and security standards, as designed, for the storage, processing, and transmission of protected user information.
It’s worth noting that a SOC 2 Type 1 report doesn’t indicate a company’s future adherence to the same security standards. Instead, it proves that the existing controls in place at an organization are in line with suitable security standards, at that point in time only.
Nonetheless, the SOC 2 Type 1 report offers a competitive advantage to organizations when partnering with other businesses. In addition, it may be required or preferred by a current or prospective client, as the report instills a sense of trust in the design of your security program. It is also cheaper and faster to complete than the more advanced SOC 2 Type 2 report, with many organizations achieving Type 1 while pursuing Type 2—see below.
SSAE 18 SOC 2 Type 2 Report – Long Term Compliance
The SOC 2 Type 2 report represents your organization’s commitment to data security and privacy over an extended period. It illustrates how your security system operates in practice, as measured over a duration that can last up to a year in some cases.
All SOC 2 reports are intended for specialized audiences, such as auditors or clients.
But SOC 2 Type 2 reports provide said readers with the most complex and exhaustive data on which to base their judgments about your organization’s security. So, a SOC 2 Type 2 report is most apt to substantiate claims about security systems, and it provides the highest level of assurance.
Neither Type 1 nor Type 2 reports are mandatory in many instances, unlike other compliance frameworks such as HIPAA or PCI DSS. But, if it is required for your organization due to a local or industry standard, the AICPA provides an illustrative sample SOC 2 Type 2 report you can use as a reference. Some takeaways from AICPA’s sample report include:
- The duration reported generally is one calendar year, but it doesn’t have to be
- Not all controls or criteria need to be reported; only the relevant ones
- Cloud controls and security are a primary focus of the report
Given the duration of a SOC 2 Type 2 audit, some organizations may generate a SOC 2 Type 1 report en route to a full-fledged Type 2 report. Others may also add a SOC 3.
To better understand the full scope of SOC 2 reporting—Type 1 or Type 2—it’s critical to understand the entire TSC framework and other, related frameworks. You may discover that some or all of the TSC’s various supplemental criteria, or a different SOC standard, may be required for you.
SSAE 18 Detailed Criteria for SOC 2 Reporting
The TSC is based heavily upon another regulatory guide, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework. COSO outlines specific implementation controls pertaining to the realization of the five trust services categories.
For SOC audits, these COSO principles are expanded into a series of common and supplemental criteria, which are in turn distributed across the following series:
- CC1 Series: The Control Environment
- CC2 Series: Communication and Information
- CC3 Series: Risk Assessment
- CC4 Series: Control Monitoring
- CC5 Series: Control Activities
- CC6 Series: Logical and Physical Access
- CC7 Series: System Operations
- CC8 Series: Change Management
- CC9 Series: Risk Mitigation
- A Series: Supplemental Availability Criteria
- C Series: Supplemental Confidentiality Criteria
- PI Series: Supplemental Processing Integrity Criteria
- P Series: Supplemental Privacy Criteria
Each series breaks down into several controls or their descriptions for measuring efficacy. In addition, some series (e.g., P Series) break down further into sub-series of many controls.
Furthermore, SOC 2 Reports are not the only SOC audits that utilize the COSO-based TSC.
Broader Scope of SSAE 18 SOC Reporting
Though the SOC 2 report (Type 1 or Type 2) is one of the most important SOC frameworks, applicable to most service organizations, there are two other primary kinds of SOC reports:
- SOC 1 (SSAE 18 SOC 1) – SOC 1 reports are generated by organizations dealing with financial reporting or assisting user organizations with their financial accounting. SOC 1 reports can also be Type 1 or Type 2, respectively called SSAE 18 SOC 1 Type 1 and SSAE 18 SOC 1 Type 2. Typically, you need either SOC 1 or SOC 2.
- SOC 3 (SSAE 18 SOC 3) – SOC 3 reports also assess compliance with the trust services criteria, like SOC 2, but are intended for public consumption by a more generalized audience. Often, they are published on organizations’ public websites.
Beyond these, there are also SOC reports tailored to specific industries’ needs, such as SOC for Cybersecurity and SOC for the Supply Chain. Depending on the industry you operate within, your organization may need to generate multiple SOC reports.
SSAE 18 Type 2 Compliance Services
SSAE 18 Type 2 (or SOC 2 Type 2) compliance is becoming a must-have in today’s extremely competitive services market. Every last differentiator is crucial; it could be the difference between a client converting or opting for your competitor. As a result, organizations gain immense benefits by rethinking their security and complying with the SOC 2 standards.