At some point in the evolution from scrappy startup to category leader, you’ll need to go through a SOC 2 audit. Usually, SOC 2 becomes a priority because a customer or an RFP requires it. So, putting things off could lose your company business.
Sometimes big business.
If you’re the CTO or technology lead for your company, you’ll need to become a SOC 2 expert fast. That way, you’ll be able to steer your company through the process quickly and successfully.
In this article, we define the basic components of SOC 2 and help you formulate a plan of attack. And we do it in plain English.
What Is a SOC 2?
Systems and Organization Controls 2 (SOC 2) is an audit process that evaluates your company’s ability to securely manage the data you collect and use during business operations.
A certified public accountant (CPA) that you hire performs the audit. As part of the process, your auditor will review your SOC 2 report. This report documents controls, which ensure the security, availability, and processing integrity of your data systems and the confidentiality and privacy of the data itself. (We’ll define those security controls later on, so stay tuned.)
By completing a SOC 2 audit, you’re demonstrating that customers can trust your business with their data.
Who Administers the SOC 2 Audit Process?
The American Institute of Certified Public Accountants (AICPA) developed SOC 2, and a CPA member will administer and conduct your SOC 2 audit. The reason an accountant reviews your SaaS security controls instead of, say, an IT security specialist is that accountants have the credentials needed to conduct audits and attest to the results.
What’s the Difference Between SOC 2 Type 1 and Type 2?
If you’re leading a SOC 2 audit, you’ll need to choose between SOC 2 Type 1 or Type 2:
- Type 1 is a day-long audit of your system and security controls. It demonstrates that you understand security best practices and are working on implementing them. You can only get your Type 1 audit once.
- Type 2 looks at the same controls as Type 1, but over the course of 6-12 months. The reason for the long observation period is simple. For Type 1, an auditor only needs to see that you’ve designed the right controls. For Type 2, on the other hand, an auditor needs to see that you’ve designed AND operationalized the right controls. A longer observation period enables them to gather samples at random and attest that you’re compliant. To maintain SOC 2 Type 2, you need to get an audit every single year.
The Type 1 audit is much less extensive and resource-intensive. That said, most customers will want to see that your company is making an ongoing commitment to security and privacy. All this to say, eventually you’ll have to bite the bullet and get SOC 2 Type 2.
What Are the “Trust Services Criteria”?
No matter which audit type you choose, your organization will evaluate and report on the information and systems you use, measured against the five Trust Services Criteria.
The five criteria are:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the entity’s objectives.
Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
To comply with SOC 2, the only criterion you must address is security. The other four criteria are optional, and you can omit them unless a customer or contract requires them.
What Are Security Controls?
Security controls are the rules, processes, and technologies you’ve implemented to protect data that customers share with you.
The list of controls that your company needs to have in place covers 10 security dimensions:
- Access control
- Secure operations
- Risk management
- Business continuity
- Organization and management
- Asset management
- Information and communications
- Audit and compliance
- Data security
- Software development lifecycle (SDLC) security
Implementing (and documenting) security controls is one of the most intimidating and time-consuming parts of the SOC 2 process, which is why you need to get it right. Unfortunately, AICPA doesn’t provide much guidance, but this is an area where Tugboat Logic can help. After guiding hundreds of companies through SOC 2, we know which controls auditors look for and the documentation you’ll need.
To learn more about controls, read Tugboat’s “Control of the Week” blog series.
How Much Does a SOC 2 Audit Cost?
The cost of a SOC 2 audit can vary widely depending on your organization’s size, the number of Trust Services Criteria you choose to support, and other factors. However, as a general rule, you can expect to spend anywhere from $30,000 to $70,000 on the SOC 2 process.
At the higher end, these costs go towards an auditor’s and a consultant’s services: risk assessments, audit readiness preparation, and help with writing the report. At the lower end, many of these costs can be significantly reduced by automating the process with audit workflow software.
Remember, this doesn’t include internal costs, like the time and effort you and other team members will need to spend on the process.
For a more detailed breakdown of the costs of SOC 2, read Tugboat Logic’s How Much Does SOC 2 Cost? Guide.
How Long Does a SOC 2 Audit Take?
Because every company is unique and SOC 2 doesn’t impose a rigid set of rules, the time required to complete the audit process can vary considerably.
Based on experience, we can tell you that a SOC 2 Type 1 audit typically takes between 1 and 3 months (including preparation). SOC 2 Type 2, on the other hand, takes between 6 and 12 months, or longer.
What Is the First Step in a SOC 2 Audit?
Once you’ve got the basics down, the best way to kickstart SOC 2 is to find a guide you can trust to walk you through the next steps, keep things on track, and help you make the best decisions.
When it comes to choosing a guide, you have three options, and the first one might surprise you: it’s your auditor. If you’re tackling SOC 2 for the first time, you might see the auditor as your adversary, but in fact, the right auditor will support you every step of the way. By selecting an auditor before you collect your first supporting document or write the first word of your report, you’ll save yourself time and frustration. For more information on choosing an auditor, read How to Choose a SOC 2 Auditor (And Why It’s the Most Critical Part of the Process).
The second option is to hire a consultant. This can be a very costly option, but if you have set aside a robust budget for the project and need to complete the audit on a tight timeline, you might want to go this route.
The third option is to let SOC 2 audit workflow software guide you. This type of software automates the workflow and provides best-practice examples of the documentation and reporting required to guide you in creating an audit-ready report. It’s also very cost-effective: customers who use our software reduce their audit readiness costs by an average of 60%. Just saying.
Where Can I Get More Guidance on SOC 2?
If you’re looking for more information and practical advice on how to get through your first SOC 2 audit, download The Ultimate Survival Guide to SOC 2 Compliance, a complete resource developed by the SOC 2 experts and former SOC 2 auditors on the Tugboat Logic team. The guide includes compliance steps and timelines, advice on choosing an auditor, and tips on accelerating the process and getting through it successfully.
Got questions? Still uncertain about SOC 2? Feel free to get in touch with us. We’re always happy to help.