Organisations that provide tech services and systems to third parties should be familiar with SOC 2.
They should know, at the very least, that they are usually required to gain SOC 2 compliance in order to partner with or provide services to other companies. But what does that involve? And how do you know if you’re compliant?
We answer these questions, along with other common queries about SOC 2, in this blog.
1. What are the benefits of SOC 2 compliance?
The main benefit of SOC 2 compliance is that it demonstrates that your organisation maintains a high level of information security.
The rigorous compliance requirements, which are put to the test in an on-site audit, ensure that sensitive information is being handled responsibly. Organisations that implement the necessary controls are therefore less likely to suffer data breaches or violate users’ privacy.
This protects the organisation from the negative effects of security incidents, such as regulatory fines and reputational damage, plus it gives them a competitive advantage.
SOC 2-compliant organisations can use their tried-and-tested security practices as a selling point to customers. For a start, the framework states that compliant organisations can only share data with other organisations that have passed the audit.
If a potential partner also complies with SOC 2, you will be compatible and jump ahead of other organisations that haven’t implemented the framework.
Even if the other organisation doesn’t adhere to SOC 2, you can point to its mutually beneficial features. For instance, you’ll offer a low risk of a potentially embarrassing data incident and effective data processing as reasons to choose you.
2. How are SOC 1 and SOC 2 different?
Depending on the service or system you provide, third parties might ask whether you’re SOC 1- or SOC 2-compliant.
You might think that SOC 2 is an updated version of SOC 1, but they are actually two different frameworks. You might be required to complete one SOC audit or both.
SOC 1 is less common, and applies when you host financial information that could affect third parties’ financial reporting.
SOC 2 applies to all other types of sensitive information related to the third party. If you don’t host financial data, this is the only compliance audit you need to complete.
By contrast, if you only host financial information, you don’t need to complete SOC 2.
Organisations that host both types of data will need to complete both compliance audits.
There is also a third type of report, SOC 3, which contains high-level information about the organisation’s security controls. It’s designed for a general audience and is often distributed to the general public to demonstrate the organisation’s commitment to information security.
3. What are the principles of SOC 2?
SOC 2 contains five principles. These are:
- Security (also known as ‘common criteria’): “Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”
- Availability: “Information and systems are available for operation and use to meet the entity’s objectives.”
- Processing integrity: “System processing is complete, valid, accurate, and authorised to meet the entity’s objectives.”
- Confidentiality: “Information designated as confidential is protected to meet the entity’s objectives.”
- Privacy controls: “Personal information is collected, used, retained, disclosed and disposed [of] to meet the entity’s objectives.”
4. What does SOC 2 certification cover?
To achieve SOC 2 certification, organisations must implement controls on:
- System monitoring
It’s essential that you monitor information systems and track who is accessing sensitive information and the changes they are making to it.
This process should include the adoption of access controls, which ensure that only approved users can view sensitive information.
A sophisticated system will contain layers of access that ensure employees can only see information that’s relevant to their job.
This not only reduces the risk posed by malicious insiders but also mitigates the damage should a cyber criminal gain unauthorised access to an account.
As such, access controls provide an extra level of security in the event that employees choose weak passwords or expose their credentials in a phishing scam.
- Data breach alerts
No matter how sophisticated your cyber security defences are, you will suffer a data breach sooner or later. There are simply too many attackers and too many vulnerabilities, and it’s only once you accept this that you can plan for the inevitable.
This means, first of all, creating a system that alerts you to information security threats. This doesn’t just refer to unauthorised access but also to suspicious file transfers or changes to sensitive data.
These are particularly important to look out for when it comes to things such as spear phishing, where an attacker poses as a senior employee or third party and requests that a lower-level employee sends them a certain file.
The organisation in question hasn’t technically been breached – the attack is nothing more than an email from an illegitimate address – but when the employee complies with the request, a serious incident has occurred.
- Audit procedures
Organisations must adopt a rigorous audit procedure to ensure they keep detailed records of the way personal information and other sensitive data is used.
It’s only by doing this that you can trace the source of a data breach and determine the full extent of the damage.
The final aspect of SOC 2 compliance concerns the way you respond to threats. This covers the steps you take to identify the full extent of the breach, understand how the incident occurred and prevent further damage.
Having such forensic systems in place gives you the assurance that incidents will be handled promptly, and means that a bad situation doesn’t get any worse.
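As an added example (not code from the original post), the monitoring, layered access control and alerting described above can be exercised over a handful of constructed audit records: each record is checked against a role-based policy, and repeated exports of sensitive data raise a separate alert. The roles, data classes, field names and export threshold are assumptions, not any real product’s log format.

```python
"""Added example: review constructed audit records against a layered access policy."""
from collections import Counter

# Layered access: each role sees only the data classes relevant to its job.
# Role -> data class -> allowed actions (assumed policy, for illustration).
POLICY = {
    "support": {"customer": {"read"}},
    "finance": {"customer": {"read"}, "billing": {"read", "write"}},
    "engineer": {"logs": {"read", "write"}},
}
# Number of exports by one user that counts as a suspicious bulk transfer (assumed).
BULK_EXPORT_THRESHOLD = 3

# Constructed audit records: who touched which data class, and how.
SAMPLE_LOG = [
    {"user": "ana", "role": "support", "data": "customer", "action": "read"},
    {"user": "ana", "role": "support", "data": "billing", "action": "read"},    # outside role
    {"user": "bo", "role": "finance", "data": "billing", "action": "write"},
    {"user": "cy", "role": "engineer", "data": "customer", "action": "export"},  # outside role
    {"user": "cy", "role": "engineer", "data": "customer", "action": "export"},
    {"user": "cy", "role": "engineer", "data": "customer", "action": "export"},
]


def is_permitted(record, policy=POLICY):
    """True only if the role's access layer allows this action on this data class."""
    allowed = policy.get(record["role"], {}).get(record["data"], set())
    return record["action"] in allowed


def review_log(records, policy=POLICY, threshold=BULK_EXPORT_THRESHOLD):
    """Return alert strings for policy violations and for bulk exports of sensitive data."""
    alerts = []
    exports = Counter()
    for r in records:
        if not is_permitted(r, policy):
            alerts.append(f"unauthorised {r['action']} of {r['data']} by {r['user']} ({r['role']})")
        if r["action"] == "export":
            exports[r["user"]] += 1
    for user, n in exports.items():
        if n >= threshold:
            alerts.append(f"bulk export: {user} exported sensitive data {n} times")
    return alerts


if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print("ALERT:", alert)
```

Every record, permitted or not, stays in the log; the alerts are what a monitoring system would raise, while the full record is what an audit procedure would later trace back through.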
5. What does a SOC 2 audit report contain?
The audit report isn’t only a list of findings and a checklist of compliance requirements. SOC 2 allows plenty of flexibility, because every organisation will have its own requirements based on the way it operates.
As such, the audit report should provide:
- An opinion letter;
- A management assertion;
- A detailed description of the system or service;
- Details of the selected trust services categories;
- Tests of controls and the results of testing; and
- Optional additional information.
6. How long does it take to certify to SOC 2?
There are three things to consider when evaluating how much SOC 2 certification will cost and how long it will take:
- Your existing compliance posture.
- The size and complexity of your organisation.
- The cost and availability of a SOC 2 auditor.
But even if you know the answer to those questions, there’s no set price structure or timescale for when you can expect to certify.
In that regard, SOC 2 is more variable than other information security standards, which tend to have a consistent timeline for certification.
The most well-prepared organisations might be able to complete their audit in a few weeks, whereas others could spend 18 months or more implementing the necessary controls in the Trust Services Criteria.
7. How do you know you’re ready for a SOC 2 compliance audit?
The only way to be sure you’re ready for a SOC 2 compliance audit is to review your systems. You can get help doing that with our SOC 2 Audit Readiness Assessment and Remediation Service.
Our expert consultants will advise you on which audit or audits are right for your organisation, and give you the information you need to pass.
They’ll do this in two ways. The first is the SOC 2 Audit Readiness Assessment, which compares your organisation’s practices to the AICPA’s TSC, highlighting any requirements where you fall short.
This is followed by the SOC 2 Remediation Service, which explains the corrective actions your organisation must take to ensure its security controls are sufficient.
A version of this blog was originally published on 15 August 2019.