Depending on your business and clientele, you may need to comply with security requirements established by the American Institute of CPAs (AICPA). The System and Organization Controls (SOC) numbered 1, 2, and 3 apply to service organizations, particularly those that store, process, or come into contact with consumer data.
But who needs SOC 2 compliance? And what does it comprise? Read on to find these answers and more.
Who Needs to Be SOC 2 Compliant?
Given the various standards and reporting options the AICPA makes available to all companies, it can be challenging to figure out what your company needs to do to be compliant. But don’t worry! This guide has you covered. We’ll break down everything you need to know about SOC 2 compliance across two primary subject areas:
- Who SOC 2 standards apply to and who needs to be compliant (and why)
- What SOC 2 compliance entails and a detailed breakdown of requirements
By the time you’re done reading, you’ll be well aware of whether or not you need to comply with SOC 2 (or SOC 1 or 3), along with how to achieve compliance.
But first, let’s define the basics.
Brief Overview of SOC 2 Compliance
The general purpose of SOC 2 and SOC more broadly is to ensure that companies are keeping sensitive consumer data safe. For SOC 2, the specific controls are targeted toward cloud computing and cloud hosting services, as they primarily apply to organizations in this field.
SOC compliance comprises following a set of controls set out by the AICPA. Companies achieve compliance by contracting an external auditor to produce a SOC report.
On the one hand, specific organizations may need different levels of SOC compliance. On the other, companies might want different reporting types — namely, SOC Type 1 reporting or SOC Type 2 reporting. See below for specific breakdowns of what SOC 1, SOC 2, and SOC 3 entail and to whom they apply.
Companies to Whom SOC 2 Applies
Who needs a SOC 2 report? SOC applies specifically to most service organizations. The SOC is sometimes erroneously referred to as “Service Organization Controls.” The most common kinds of service organizations SOC applies to include but are not limited to:
- Software as a service (SaaS) companies that provide programs, apps, and websites
- Companies that provide business intelligence, analytics, and management services
- Businesses that oversee, facilitate, or consult with finances or accounting practices
- Organizations that provide customer management and other client-facing services
- Managed IT and security service providers, including those that help with SOC 2
If your company fits into any of these descriptions or matches one of these service organizations more broadly, you may need to comply with SOC. While these service organizations are the primary focus of SOC, there are also other regulatory guidelines AICPA provides inside the SOC framework and beyond that extend its protections to the supply chain and more.
SOC Applicability to the Supply Chain
Service organizations work with many vendors, suppliers, and other service providers to help them meet their own clients’ needs. With so many stakeholders involved, each interaction point introduces new risk. In response, AICPA developed SOC for Supply Chain, a flexible, voluntary reporting framework.
Companies in a service organization’s supply chain may report on their own security practices, and service organizations may also choose to incorporate select suppliers into their own SOC reporting. As a rule of thumb, the more transparency across the chain, the stronger the overall security posture.
AICPA provides many valuable resources to educate service organizations and their strategic partners on all stakeholders’ requirements. For example, refer to the DC Section 300 for description criteria informing a supply chain SOC report. You can also refer to the illustrative example SOC for Supply Chain Report for a hands-on look at what you or your partners need to submit.
Breakdown of Broader SOC Framework
There is more to AICPA’s SOC framework than just SOC 2 compliance. Namely, there are three primary forms that SOC takes, each with its own purpose, measures, and target audience. They are:
- SOC 1 – Also called “SOC for Service Organizations: Internal Control over Financial Reporting (ICFR),” this standard covers service organizations whose services are relevant to their clients’ internal control over financial reporting. AICPA’s AT-C Section 320 defines the practices measured.
- SOC 2 – Also called “SOC for Service Organizations: Trust Services Criteria,” this standard is likewise intended for a restricted audience, but it applies across a much wider range of industries. AICPA’s TSP Section 100 defines its practices (more on these below).
- SOC 3 – Also called “SOC for Service Organizations: Trust Services Criteria for General Use Report,” this is a simplified version of SOC 2 intended for a broader readership.
Whereas SOC 1 is distinct and restricted in terms of whom it applies to, SOC 2 and SOC 3 apply to a wide range of service organizations. The most significant difference in their reporting is that SOC 2 is intended for specialized readers, whereas SOC 3 is for an open, public audience.
Type 1 and Type 2 SOC 1, 2, and 3 Reporting
For companies that need to prove their security measures are adequate at a specific point in time, SOC Type 1 testing offers a relatively quick, affordable, and straightforward option. An external auditor assesses your systems and practices against the Trust Services Criteria (defined below), providing a snapshot of security at that particular moment.
The downside of this accessibility is that SOC Type 1 reporting offers little long-term assurance.
In contrast, SOC Type 2 reporting is much more complex and comprehensive. It measures how your company adheres to the security criteria over a prolonged period, such as nine months to a year. Rather than a single test on a single day, SOC Type 2 reporting entails testing repeated throughout the period, whether daily or on multiple days within it.
Trust Services Criteria: Guiding Principles
As noted above, SOC 2 and SOC 3 compliance are based upon the Trust Services Criteria (TSC), which used to be called the Trust Service Principles. Here are definitions for each:
- Security – Established by restricting access to information through user authorization.
- Availability – Established by ensuring parties who own information have access to it.
- Processing integrity – Established by minimizing flaws in all cybersecurity architecture.
- Confidentiality – Established by taking extra measures to protect unique kinds of data.
- Privacy – Established by paying particular attention to personally identifiable information.
Flexibility is built into compliance and reporting for SOC 2 and SOC 3 because not every criterion must be met, or met to the same degree. Instead, companies commit to establishing some combination of them without blatantly disregarding any one principle. Note that Security is the one criterion every SOC 2 report must address; the remaining four are added according to the services you provide and what your clients expect.
Professionalize Your SOC 2 Reporting
To return to the first question from above: who needs SOC 2 compliance? If your company is a service organization storing or processing consumer data, it likely needs to comply with SOC 1, 2, or 3.
To establish compliance, you’ll need to generate SOC Type 1 or SOC Type 2 reports, depending on the specific legal or market needs facing your company. Working with a qualified SOC 2 auditor is the best option for most companies that need to comply. If your company fits that description, contact RSI Security today to get started with SOC 1, 2, or 3 compliance!