7 common questions about SOC 2 compliance

Organisations that provide tech services and systems to third parties should be familiar with SOC 2.

Service organisations are usually required to gain SOC 2 compliance in order to partner with or provide services to other companies. But what does that involve? And how do you know if you’re compliant? 

We answer these questions, along with other common queries about SOC 2, in this blog.

1. What are the benefits of SOC 2 compliance?

The main benefit of SOC 2 compliance is that it demonstrates that your organisation maintains a high level of information security.

The rigorous compliance requirements, which are put to the test in an on-site audit, ensure that sensitive information is being handled responsibly. Organisations that implement the necessary controls are therefore less likely to suffer data breaches or violate users’ privacy.

This protects the organisation from the negative effects of breaches, such as regulatory action and reputational damage, and gives them a competitive advantage.

SOC 2-compliant organisations can use this fact to prove to customers that they’re committed to information security, which in turn will create new business opportunities.

That’s because the framework states that compliant organisations can only share data with other organisations that have passed the audit.

2. How are SOC 1 and SOC 2 different?

Depending on the service or system you provide, third parties might ask whether you’re SOC 1- or SOC 2-compliant. 

You might think that SOC 2 is an updated version of SOC 1, but they are actually two different frameworks. You might be required to complete one SOC audit or both. 

SOC 1 is less common, and applies when you host financial information that could affect third parties’ financial reporting. 

SOC 2 applies for all other types of sensitive information related to the third party. If you don’t host financial data, this is the only compliance audit you should complete. 

By contrast, if you only host financial information, you don’t need to complete SOC 2. 

Organisations that host both types of data will need to complete both compliance audits. 

3. What are the principles of SOC 2?

SOC 2 contains five principles. These are:

• Security (also known as ‘common criteria’) 

“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.” 

• Availability: “Information and systems are available for operation and use to meet the entity’s objectives.”

• Processing integrity: “System processing is complete, valid, accurate, and authorised to meet the entity’s objectives.”

• Confidentiality: “Information designated as confidential is protected to meet the entity’s objectives.”

• Privacy controls: “Personal information is collected, used, retained, disclosed and disposed [of] to meet the entity’s objectives.”

4. What does SOC 2 certification cover?

To achieve SOC 2 certification, organisations must implement controls on:

• System monitoring

Organisations must always monitor their information systems, keeping track of who is accessing sensitive information and what changes they are making to it.

This process should include the adoption of access controls, which ensure that only approved users can open sensitive information.

A sophisticated access control management system will contain layers of controls that ensure employees can only view information that’s relevant to their job.

This not only reduces the risk posed by malicious insiders but also mitigates the damage should a cyber criminal gain unauthorised access to an account.

As such, access controls provide an extra level of security in the event that employees choose weak passwords or expose their credentials in a phishing scam.

• Data breach alerts

No matter how sophisticated your cyber security defences are, you will suffer a data breach sooner or later, because there are simply too many attackers and too many vulnerabilities.

When a security event occurs, you need a system that will alert you of the threat. This doesn’t just refer to unauthorised access, but also to suspicious file transfers or changes to sensitive data.

These are particularly important to look out for when it comes to threats such as spear phishing, where an attacker poses as a senior employee or third party and requests that a lower-level employee sends them a certain file.

The organisation in question hasn’t technically been breached – the attack is nothing more than an email from an illegitimate address – but when the employee complies with the request, a serious incident has occurred.

• Audit procedures

Organisations must adopt a rigorous audit procedure to ensure they keep detailed records of the way personal information and other sensitive data is used.

It’s only by doing this that you can trace the source of a data breach and determine the full extent of the damage.

• Forensics

The final aspect of SOC 2 compliance concerns the way you respond to threats. This covers the steps you take to identify the full extent of the breach, understand how the incident occurred and prevent further damage.

Having such forensics systems in place gives you the assurance that incidents will be handled promptly, ensuring that a bad situation doesn’t get any worse.

5. What does a SOC 2 audit report contain?

The audit report is more than just a list of findings and a checklist of compliance requirements. SOC 2 allows plenty of room for interpretation, because every organisation will have its own requirements based on the way it operates. 

As such, the audit report should provide: 

• An opinion letter; 
• Management assertion; 
• A detailed description of the system or service; 
• Details of the selected trust services categories; 
• Tests of controls and the results of testing; and 
• Optional additional information. 

6. How long does it take to certify to SOC 2?

There are three things to consider when evaluating how much SOC 2 certification will cost and how long it will take:

• Your existing compliance posture.
• The size and complexity of your organisation.
• The cost and availability of a SOC 2 auditor.

However, even if you know the answer to those questions, there’s no set price structure or timescale for when you can expect to certify.

Every organisation has its own requirements, and it would be overly simplistic to suggest that there was a cost-per-day estimate for certification.

In that regard, SOC 2 is more variable than other information security standards, which tend to have a consistent timeline for certification.

The most well-prepared organisations might be able to complete their audit in a few weeks, whereas others could spend 18 months or more implementing the necessary controls in the Trust Services Criteria.

7. How do you know you’re ready for a SOC 2 compliance audit?

The only way to be sure you’re ready for a SOC 2 compliance audit is to review your systems. You can get help doing that with our SOC 2 Audit Readiness Assessment and Remediation Service. 

One of our expert consultants will advise you on which audit or audits are right for your organisation, and give you all the information you need to pass. 

They’ll do this in two ways. The first is the SOC 2 Audit Readiness Assessment, which compares your organisation’s practices to the AICPA’s TSC, highlighting any requirements where you fall short. 

This is followed by the SOC 2 Remediation Service, which explains the corrective actions your organisation must take to ensure its security controls are sufficient.

---

A version of this blog was originally published on 15 August 2019.