What is SOC2 and do we need it?

SOC 2 is one of the more common compliance requirements that tech companies should meet today to be competitive in the market. SOC stands for Service and Organization Controls; it was introduced by the AICPA and is based on the Trust Services Criteria (explained later). Each Trust Services Criterion (TSC) is divided into several Points of Focus, each of which can be a single security control, a combination of security controls, or something linked to one or more security controls.

You can find all required TSCs and their Points of Focus in this PDF document on the AICPA website. The first 52 pages are the TSCs for SSAE 18; effective May 1, 2017, SSAE 16 has been superseded by SSAE 18. Do not go beyond page 52!

SOC 2 is about the ability to report on the design of controls (and/or testing and operating effectiveness of those controls) for a service organization.

SOC 2 is something like ISO 27001 in that it gives the company more flexibility in how to meet the criteria. On the other side, PCI DSS, HIPAA and most other security frameworks are very well-defined standards with very explicit requirements. For example, PCI DSS asks for password complexity and accepts passwords that are at least 7 characters long and a combination of numbers and letters, while SOC 2 and ISO 27001 leave the details of such a technical security control to you to decide. SOC 2 just asks for some sort of authentication (see CC6.1 in the Trust Services Criteria document). ISO 27001 does not even ask for a password!

Per AICPA, “The trust services principles on which the report is based, the controls a service organization would include in its description, and the tests of controls a service auditor would perform for a specific type 2 SOC 2 engagement will vary based on the specific facts and circumstances of the engagement. Accordingly, it is expected that actual type 2 SOC 2 reports will address different principles and include different controls and tests of controls that are tailored to the service organization that is the subject of the engagement.”

We can simply say that the SOC 2 audit is the auditor’s opinion on how well your organization’s security controls/safeguards fit the SOC 2 requirements. That is why the auditor’s reputation is very important to SOC 2 audit and reporting, just as it is for an ISO 27001 audit.

SOC 2 Trust Categories

The five SOC 2 trust categories (formerly known as principles in SSAE 16) are:

Or you can simply say it is a combination of Security and Privacy, since Security itself covers the other three, Confidentiality, Integrity and Availability, in the classic security triad model.

The Trust Service Criteria are modeled around these areas:

Bear in mind that your report does not necessarily have to cover all five of the categories mentioned above, or all systems and procedures in your organization. You can, for example, become ready for an audit on the Security and Availability areas only and restrict your scope to the systems and processes that support your receiving department. Such a SOC 2 audit report does not show that all systems, departments, processes and procedures are secure enough!

Difference between SOC 1 and SOC 2

Who needs a SOC 2 report?

If you are a service provider or a service organization that stores, processes or transmits any kind of information, you may need one if you want to be competitive in the market, exactly like the decision to obtain an ISO 27001 certification.
A tremendous number of technology and cloud computing entities now have these reports handy and will provide them to their customers upon request.

Type 1 or Type 2?!

SOC 2 has two different types, like SOC 1. Type 1 reports cover the description of the systems and the suitability of the design of the controls (known as criteria in SOC terminology), whereas Type 2 reports include everything in a Type 1 report plus the operating effectiveness of the controls over a period of time. Type 2 SOC 2 reports are considered more useful, since the auditor verifies that the controls work in an appropriate manner over a period of time.

Why not SOC 3?

A SOC 3 report is designed to be shared publicly. It does not include the details of a SOC 2 report, so you can comfortably publish it on your website for the public to see. SOC 3 reports provide just a high-level overview of the information in a SOC 2 report.

Written by

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB
