SOC 2 Compliance is Nothing To Be Afraid Of

SOC 2 is all about handling, managing and storing data correctly. While being essentially a technical audit, it can be pretty extensive. SOC stands for System and Organizational Controls, and was developed by the American Institute of Certified Public Accountants or AICPA. SOC 2 is part of a larger framework, which addresses the shift in how corporate technology systems are accessed and data is stored as SaaS application use and cloud environments have grown.

There are several internal controls related to SOC 2 compliance. SOC 2 looks at those related to security, availability, processing integrity and confidentiality of customer-related data. While security controls—or specifically access controls—include things like your implementation of two-factor authentication and encryption as part of your security practices, confidentiality looks at your maturity in user permissions and your ability to protect access to customer data like intellectual property or trade secrets.

There are some major advantages of being SOC 2 compliant and being able to communicate that compliance to a partner or prospective client. Much of this centers around trust. This is the major currency of any long term business relationship, and SOC 2 compliance helps establish it. While some companies may see a privacy notice and trust badging on their website to be enough, there is a much higher level and broad range of scrutiny that comes with larger companies. SOC 2 compliance demonstrates that your company has the internal controls—specifically security controls—in place to protect the privacy of customer data from a security incident like cyber attacks or other malicious activity like using your customer or business partner data for gain. Your security standards and practices directly address risk mitigation concerns of potential customers. The fact that your security measures and security systems are verifiable via a third party through a standard set of criteria means it is not just your assertion, but the industry as a whole recognizes your adherence to these business practices. In a prospect risk assessment, the effectiveness of controls you have in place shouldn't give them pause.

This trust can be leveraged well within a sales process or even larger business plan. Instead of slowing the sales process down for lengthly requests for information (RFIs), you can provide a recognized evaluation that speeds you time to close a prospective client. This can be a competitive advantage over smaller or less mature vendors in your space who may see the time period of their sales cycle increase.

There are some important differences between SOC 2 type 1 and SOC 2 type 2. While both are regulated by the AICPA, they focus on different things. SOC 2 type 1 evaluates the design of security procedures at a specific point in time. SOC 2 type 2 looks at controls related to operations and compliance. These are outlined in the AICPA’s Trust Services Criteria (TSC).

For IT teams, SOC 2 type 2 is primarily what they'll deal with, often on a quarterly basis. From a practical standpoint, it means ensuring you have the correct controls in place and are regularly doing things like access reviews of the SaaS products you license at your company.

A SOC 2 audit starts with a readiness assessment and is then done, or at least certified, by an external auditor at a licensed CPA firm as your service provider. They use the Trust Services Criteria (TSC) and look at the security, availability, processing integrity and confidentiality controls you have in place. It does this over a period of time in data, typically 6 - 12 months. The resulting audit reports from external auditors will acknowledge you comply with TSC. It includes test results for trust categories as well as specifics about systems and services.

Pricing can range quite a bit, but generally readiness assessments can cost upwards of $20K with the SOC audit from an independent auditor costing an additional $20K - $30K. Having Identity Governance systems and processes in place by company personnel can help reduce this cost. There are SaaS solutions or cloud services like Lumos that can accelerate this.

The typical first objective in a readiness assessment or compliance checklist is to map what you have in place currently in your control environment to related controls defined in the SOC 2 framework. This includes looking at relevant organizational structure and processes, documentation of control activities and settings in systems as part of the audit process. While not necessarily looking for suspicious activity, it is meant to look more broadly at privacy controls—as well as additional controls—that are part of SOC 2.

Once you understand how what you have measures up to the SOC 2 framework, you can begin on the next objective of documenting gaps you have. Based on this you can formulate an ideal future state and create a remediation plan that has set deliverables and milestones to address control standards. This will help you identify the team and resources you need for successful management of a SOC 2 audit.