What is SOC2 and do we need it?
SOC 2 is one of the more common compliance requirements that tech companies need to meet today to stay competitive in the market. SOC stands for Service and Organization Controls; it was introduced by the AICPA and is based on the Trust Services Criteria (explained later). Each Trust Services Criterion (TSC) is divided into a number of Points of Focus, each of which may be a single security control, a combination of several security controls, or something linked to one or more security controls.
You can find all required TSCs and their Points of Focus in this pdf document on the AICPA website. The first 52 pages are the TSCs for SSAE 18 (effective May 1, 2017, SSAE 16 has been superseded by SSAE 18). Do not go beyond page 52!
SOC 2 is about the ability to report on the design of controls (and/or testing and operating effectiveness of those controls) for a service organization.
SOC 2 is similar to ISO 27001 in that it gives the company more flexibility in how to meet the criteria. On the other side, PCI DSS, HIPAA and most other security frameworks are very well-defined standards with very explicit requirements. For example, PCI DSS asks for password complexity and accepts passwords that are at least 7 characters long and a combination of numbers and letters, while SOC 2 and ISO 27001 leave the details of such a technical security control for you to decide. SOC 2 just asks for some sort of authentication (see CC6.1 in the Trust Services Criteria document). ISO 27001 does not even ask for a password!!!
Per AICPA, “The trust services principles on which the report is based, the controls a service organization would include in its description, and the tests of controls a service auditor would perform for a specific type 2 SOC 2 engagement will vary based on the specific facts and circumstances of the engagement. Accordingly, it is expected that actual type 2 SOC 2 reports will address different principles and include different controls and tests of controls that are tailored to the service organization that is the subject of the engagement.”
Put simply, a SOC 2 audit is the auditor’s opinion on how well your organization’s security controls/safeguards fit the SOC 2 requirements. That is why the auditor’s reputation matters so much to SOC 2 auditing and reporting, just as it does for an ISO 27001 audit.
SOC 2 Trust Categories
The five SOC 2 trust categories (formerly known as principles in SSAE-16) are:
- Security
- Confidentiality
- Processing Integrity
- Availability
- Privacy
Or, more simply, you can think of it as a combination of Security and Privacy, since Security itself covers the other three, Confidentiality, Integrity and Availability, in the classic CIA triad model.
The Trust Service Criteria are modeled around these areas:
- Security: Control Environment (CC1.x), Communication and Information (CC2.x), Risk Assessment (CC3.x), Monitoring Activities (CC4.x), Control Activities (CC5.x), Logical and Physical Access Controls (CC6.x), System Operations (CC7.x), Change Management (CC8.x), Risk Mitigation (CC9.x)
- Additional criteria for Availability (A1.x)
- Additional criteria for Confidentiality (C1.x)
- Additional criteria for Processing Integrity (PI1.x)
- Additional criteria for Privacy (P1.x)
Bear in mind that your report does not necessarily have to cover all five of the items above, nor all systems and procedures in your organization. You can, for example, prepare for an audit on the Security and Availability areas only and restrict your scope to the systems and processes that support your receiving department. Such a SOC 2 audit report does not show that all systems, departments, processes and procedures are secure enough!
Difference between SOC 1 and SOC 2
- Per aicpa.org, SOC 2 reports “are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy,” while SOC 1 reports cover only financial controls, i.e. the controls over the financial transactions a company handles.
- A SOC 1 report is a report generated by auditors for other auditors, whereas a SOC 2 report usually contains more confidential internal information that is not supposed to be shared with anyone outside the company. (In practice this is not always true: most of the time customers ask for the report, and if you do not share it, they may consider another provider.)
Who needs a SOC 2 report?
If you are a service provider or service organization that stores, processes or transmits any kind of information, you may need one to stay competitive in the market, much like the decision to obtain an ISO 27001 certification.
A tremendous number of technology and cloud computing companies now have these reports on hand and will provide them to their customers upon request.
Type 1 or Type 2?!
Like SOC 1, SOC 2 comes in two types. Type 1 reports cover the description of the system and the suitability of the design of the controls (known as criteria in SOC terminology), whereas Type 2 reports contain everything in a Type 1 report plus the operating effectiveness of the controls over a period of time. Type 2 SOC 2 reports are considered more useful, since the auditor verifies that the controls actually work as intended over that period.
Why not SOC 3?
A SOC 3 report is designed to be shared publicly. It omits the details found in a SOC 2 report so that you can comfortably publish it on your website for anyone to see. SOC 3 reports give only a high-level overview of the information contained in SOC 2 reports.