A Practical Guide to SOC 2 Compliance
Updated: Jan 8, 2020
In a data-heavy world, there is an increasing focus on risk management, governance, and compliance. To succeed, business owners need to minimize the probability and severity of data breaches, which means having internal controls over every part of their organization. So if you are a service provider managing a customer's data, and especially if you are a SaaS provider, you will have to prove that they can trust you over your competitors. Becoming SOC 2 compliant is a good practice we see many companies adopt. Here is how to do it.
What is SOC 2?
Don't break out in a sweat: achieving SOC 2 compliance is easier than it sounds. Let's take a brief look at what it is.
Introduced by the American Institute of Certified Public Accountants (AICPA) in 2011, SOC 2 (Service Organization Control 2) outlines criteria for managing customers' information based on five Trust Services Criteria (TSC) categories: security, availability, confidentiality, privacy, and processing integrity. Reports were originally prepared under AT Section 101 of the attestation standards; since SSAE 18 took effect in 2017 they are prepared under AT-C Section 205.
In short, a SOC 2 report is an independent auditor's attestation that a service provider transmits, stores, maintains, processes, and disposes of your data in a controlled, confidential manner that guards your organization's interests and your clients' privacy.
What’s SOC 2 Type 1 and Type 2?
There are two kinds of SOC 2 report. In a SOC 2 Type 1 audit, the auditor reviews and reports on the service organization's system and the design of its controls, relating to one or more of the five TSC categories (security is always in scope; the other four are added as the service warrants). The report applies only at a specific point in time.
A Type 2 audit includes all the same information as a Type 1, but it also features the auditor's testing of whether the service organization's controls operated effectively over a period of time, typically six to twelve months.
Given how fast companies are moving to and expanding in the cloud, and considering the growth of cloud-based security threats, the question of who needs to comply and who will ask for it is very relevant.
For any service provider, SOC 2 compliance lets you assure clients that their confidential information is safe in your care. Holding a SOC 2 report is especially pertinent for providers who store their clients' data in the cloud (e.g., SaaS providers), as it adds a level of trust and transparency between you and them. Compliance then becomes a competitive advantage.
For security-aware companies, SOC 2 compliance is a basic requirement when choosing a third-party vendor (a SaaS provider or another cloud-computing vendor). They want proof that the design and operation of the provider's controls meet their own control requirements. After all, who knows when the next NotPetya, WannaCry, Spectre-NG, or Cloudbleed will leave them exposed to malware installation, extortion, or data theft?
What’s the difference between SOC 2 and ISO27001?
SOC 2 is similar to ISO 27001 in that both give the company more flexibility in how it meets the criteria, compared to PCI DSS, HIPAA, and most security frameworks, which have well-defined standards with precise requirements. According to one commonly cited control mapping, SOC 2 and ISO 27001 have about 150 security controls in common (roughly 96% overlap).
Here are the main similarities and differences between SOC 2 and ISO27001:
What about other security recommendations & Penetration Testing?
As we mentioned, the SOC 2 framework is based on the five Trust Services Criteria categories: security, availability, processing integrity, confidentiality, and privacy. However, there are complementary security practices that you should consider including in your system description and control set, such as following secure coding guidelines, performing security design reviews, and conducting code reviews.
This brings us to whether you have to perform a penetration test. Since a SOC 2 report is not a certification but the opinion of an auditor, which controls you need to meet is a decision you and the auditor reach together based on your interpretation of the criteria. Obtaining an annual penetration test and running routine vulnerability scans are considered best practice, and the audit firm you have hired will usually have an opinion on the matter.
Overall, addressing controls beyond the basic five categories can significantly improve your organization's reputation and its awareness of its own vulnerabilities. Hiring security consulting specialists to perform security testing may be your best option for ensuring compliance.