What is SOC2 and do we need it?

SOC 2 is one of the more common compliance requirements that tech companies are expected to meet today to stay competitive in the market. SOC stands for Service and Organization Controls; it was introduced by the AICPA and is based on the Trust Services Criteria (explained later). Each Trust Services Criterion (TSC) is divided into Points of Focus, each of which can be a single security control, a combination of controls, or something linked to one or more security controls.

You can find all required TSCs and their Points of Focus in this PDF document on the AICPA website. The first 52 pages are the TSCs for SSAE 18; effective May 1, 2017, SSAE 16 has been superseded by SSAE 18. Do not go beyond page 52!

SOC 2 is about the ability to report on the design of controls (and/or the testing and operating effectiveness of those controls) for a service organization.

SOC 2 is similar to ISO 27001 in that it gives the company more flexibility in how to meet the criteria. PCI DSS, HIPAA and most other security frameworks, on the other hand, are very well-defined standards with very explicit requirements. For example, PCI DSS asks for password complexity and accepts passwords that are at least 7 characters long and a combination of numbers and letters, while SOC 2 and ISO 27001 leave the details of such a technical security control for you to decide. SOC 2 just asks for some sort of authentication (see CC6.1 in the Trust Services Criteria document). ISO 27001 does not even ask for a password!!!

Per AICPA, “The trust services principles on which the report is based, the controls a service organization would include in its description, and the tests of controls a service auditor would perform for a specific type 2 SOC 2 engagement will vary based on the specific facts and circumstances of the engagement. Accordingly, it is expected that actual type 2 SOC 2 reports will address different principles and include different controls and tests of controls that are tailored to the service organization that is the subject of the engagement.”

We can simply say that the SOC 2 audit is the auditor’s opinion on how well your organization’s security controls/safeguards fit the SOC 2 requirements; this is why the auditor’s reputation matters so much to SOC 2 auditing and reporting, just as it does for an ISO 27001 audit.

SOC 2 Trust Categories

  • Security
  • Confidentiality
  • Processing Integrity
  • Availability
  • Privacy

Or, more simply, it is a combination of Security and Privacy, since Security itself covers the other three, Confidentiality, Integrity and Availability, in the classic security triad model.

The Trust Service Criteria are modeled around these areas:

  • Security: Control Environment (CC1.x), Communication and Information (CC2.x), Risk Assessment (CC3.x), Monitoring Activities (CC4.x), Control Activities (CC5.x), Logical and Physical Access Controls (CC6.x), System Operations (CC7.x), Change Management (CC8.x), Risk Mitigation (CC9.x)
  • Additional criteria for Availability (A1.x)
  • Additional criteria for Confidentiality (C1.x)
  • Additional criteria for Processing Integrity (PI1.x)
  • Additional criteria for Privacy (P1.x)

Bear in mind that your report does not necessarily have to cover all five of the categories above, or all systems and procedures in your organization. You can, for example, prepare for an audit on the Security and Availability categories only and restrict your scope to the systems and processes that support your receiving department. Such a SOC 2 audit report does not show that all systems, departments, processes and procedures are secure enough!

Difference between SOC 1 and SOC 2

  • A SOC 1 report is generated by auditors for other auditors, whereas a SOC 2 report usually contains more confidential internal information which is not supposed to be shared with anyone outside the company. (In practice this is not always true: most of the time customers ask for the report, and if you do not share it they may consider another provider.)

Who needs a SOC 2 report?

Type 1 or Type 2?!

Why not SOC 3?

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB