Table of Contents
- SOC 2 Compliance
- What Is SOC 2 ?
- Who Should Get SOC 2?
- SOC 2 Type 1 vs. Type 2
- SOC 3 vs. SOC 2
- What Is a SOC 2 Audit?
- What Are the 5 Trust Services Criteria?
- SOC 2 Policies and Controls
- Why Is SOC 2 Important?
- How Long Does It Take to Get SOC 2?
- How Much Does SOC 2 Cost?
- How To Prepare For a SOC 2 Audit
- How Tugboat Logic Helps With SOC 2 Compliance
What is SOC 2? Everything You Need to Know.
SOC 2 Compliance
In today’s market, SOC 2 has become table stakes. It’s necessary to provide security assurance to existing customers, sell to new enterprise customers and gain traction in the marketplace.
The problem is that the amount of information out there about SOC 2 compliance is overwhelming, to say the least. Finding reliable information about how to get your attestation can feel like an uphill battle.
When I was working towards SOC 2, I spent most of my time looking all over the place for viable sources of SOC 2 information. Then I had to find an effective way to store that information so I could reference it. Having everything in one place, from a trusted source, would have been so helpful.
Well, we’re here to fill this gap. In this piece, you’ll find an overview of everything you need to know to get started with SOC 2, all in one place, straight from our team of SOC 2 experts and former SOC 2 auditors.
What Is SOC 2 ?
System and Organization Controls 2 (SOC 2) is an audit process that evaluates your company’s ability to securely manage the data you collect and use in your everyday business operations.
By completing your audit, you’re demonstrating that customers can trust your business with their data. In short, it’s your license to sell.
In preparation for your audit, you’ll have to implement policies and controls. Controls ensure the security, availability, and processing integrity of the systems that hold your business’s data. For example, ensuring former employees no longer have access to customer data, or encrypting sensitive data like healthcare information, are both controls. You’ll also have to collect evidence that proves to your auditor that your controls are working as intended.
As every business is different, the SOC 2 policies, controls and evidence needed to meet SOC 2 requirements will be different for every business.
Learn more about what SOC 2 is in this video from SOC 2 U, our free, expert and on-demand SOC 2 course.
Learn more about the course here.
Who Should Get SOC 2?
Unlike HIPAA, for instance, SOC 2 is not mandatory for doing business in any given industry.
But any company that handles and stores client data should pursue and maintain SOC 2 compliance.
Why? Data breaches and cyberattacks are more common than ever before. SOC 2 indicates that your organization maintains secure practices and ensures sensitive information is protected in your current environment.
This is why companies of all sizes and stages are being tasked with proving their compliance with SOC 2 and even more advanced security frameworks. SOC 2 can act as a sales advantage, especially for small to midsize SaaS companies, as it proves you are a trusted business partner.
SOC 2 Type 1 vs. Type 2
If you’re getting compliant with SOC 2, you’ll need to choose between a Type 1 or Type 2 audit. Here are the major differences:
A SOC 2 Type 1 audit provides fast insight into your company’s data controls, security, and privacy practices at a point in time. Preparation for a Type 1 audit can take between 3 and 4 months; however, the audit itself typically takes less than 1 day to complete.
- An audit of your system and security controls at a point in time.
- Demonstrates that you understand security best practices and are working on implementing them.
- Auditor only needs to see that you’ve designed the right controls.
Your Type 1 report can be useful for producing security documentation and an attestation for prospective clients on relatively short notice. It provides good interim coverage while you pursue Type 2, which proves that you haven’t just implemented the right controls but operationalized them too.
A Type 2 audit is a much more comprehensive, longer and more expensive version of the Type 1 audit.
- Looks at the same controls as Type 1, but over the course of 6-12 months.
- Observation period is longer because your auditor needs to see that you’ve designed AND operationalized the right controls.
- Auditor can gather samples at random and attest that you’re compliant.
- To maintain Type 2 attestation, you need to get an audit every single year.
Once you have passed a SOC 2 Type 2 audit, however, it is relatively easy to maintain. You can then easily prove to customers, old and new, that your policies and practices are secure.
SOC 3 vs. SOC 2
You may have heard of SOC 3, which is different from SOC 2. Although SOC 2 is much more common than SOC 3, one is not better than the other. Each attestation just serves different functions for different organizations.
SOC 3 is essentially the same as SOC 2 in terms of controls. Auditors perform the same work for both SOC 2 and SOC 3.
Compared to a SOC 2, a SOC 3 report is not as useful for B2B companies because it doesn’t share any of the details and results of the controls your auditor tested. In other words, it does not demonstrate the ways in which you keep your business partners’ data secure. A SOC 3 report only shows your auditor’s opinion of how you did during the audit.
When most prospects, especially large enterprises, do their due diligence, they want you to demonstrate how your processes are secure. This is why most prospects won’t accept a SOC 3 report.
However, if you’re at a B2C company, then a SOC 3 might be enough to prove your organization follows good security practices at a high level.
SOC 2 or SOC 3? Or Both?
As with most things in information security, it depends. But get the SOC report that your customers have explicitly asked you to get.
Now, that’s not to say you should blindly follow your customers’ requests. You also need to make sure that you select the certification that makes the most sense for your business.
This is why finding the right auditor is crucial. They can speak with your customer to clarify which certification is really needed AND set expectations upfront about what certification would meet both their requirements and your organization’s capabilities.
What Is a SOC 2 Audit?
A SOC 2 audit is a third-party review of your security policies and controls that proves they are working as intended. Your auditor will be a certified public accountant (CPA) whom you select.
As part of the process, your auditor will review your SOC 2 report with you. This report documents controls, which ensure the security, availability, and processing integrity of your data systems and the confidentiality and privacy of the data itself.
See an example report here.
Preparing for your audit can be challenging, as the process is not one-size-fits-all. Every company’s or startup’s journey to SOC 2 is different. How your organization meets the requirements depends heavily on the particulars of your business, such as your size, industry and function.
Who Administers the SOC 2 Audit Process?
The American Institute of Certified Public Accountants (AICPA) developed SOC 2, and a CPA member will administer and conduct your audit.
The reason an accountant reviews your security controls instead of, say, an IT security specialist is that they are an objective third party. Accountants also have the credentials needed to conduct audits and attest to the results.
What Are the 5 Trust Services Criteria?
Once you’ve decided on the type of audit you’ll be pursuing, it’s time to select your Trust Services Criteria.
Before your audit, your organization will evaluate and report the information and systems you use to support the five Trust Services Criteria.
Hear from Chika Nwajagu, Tugboat Logic’s Information Security Senior Manager and previous Information Systems Auditor at Union Bank of Nigeria. In this video, she goes over the 5 Trust Service Criteria.
The 5 Trust Services Criteria
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability: Information and systems are available for operation and use to meet the entity’s objectives.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
- Privacy: Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.
Each TSC contains criteria and points of focus against which your controls are evaluated to meet SOC 2 requirements. These points of focus are meant to assist you when designing, implementing, and operating controls over security, availability, processing integrity, confidentiality, and privacy. The pyramid diagram on the original page illustrates this process.
Expert tip: To comply with SOC 2, the only criterion you are required to address is Security.
Organizations add other categories beyond security if:
- A stakeholder requests a SOC 2 report covering specific trust categories
- Existing commitments (e.g. contracts) require certain criteria to be included
- The organization wishes to demonstrate unique properties of its system and controls in one or more categories
Which TSCs you choose should be based on what satisfies the business and trust relationship between your organization and its stakeholders. Refer back to the bottom tier of the pyramid: this is the part you are responsible for, which includes implementing the right controls and proving they are in place to satisfy the requirements.
SOC 2 Policies and Controls
Before you create your SOC 2 policies or controls, you’ll have to complete a risk assessment. A risk assessment allows you to determine which policies and controls you need, because it highlights the ways in which the data you use every day needs to be protected.
Learn how to complete a risk assessment here.
You’ll also have to conduct a gap or readiness assessment. With guidance from your auditor or compliance software, you’ll compare your current policies, processes and technologies to the SOC 2 framework.
Expert tip: Keep your gap assessment step simple. The purpose is to identify gaps early so that you have time to close them before the audit.
Once you have completed a risk and gap assessment, you’ll need to get started on policies. Policies are a critical component of any InfoSec program, and they’re a requirement for SOC 2.
Every policy should have a purpose, which you or policy stakeholders will need to define. Next, you’ll tackle the policy scope at a high level. Finally, you’ll include policy statements.
For example, let’s explore the Information Security Policy, which is a mandatory requirement for SOC 2. The purpose of this policy is to manage the effectiveness of your overall information security within the organization.
The scope and policy statements answer questions like:
- How are you going to develop and implement this program?
- How do you continuously improve this program?
- What are the roles and responsibilities?
- How will it be monitored?
- How will it be communicated and distributed to your organization and how often?
You can have binders of documented policies, but they have no value if you’re not communicating them to your organization. Some policies may only be relevant to specific departments, while others must be read and acknowledged company-wide.
Security controls are the rules, processes, and technologies you’ve implemented to protect data that customers share with you.
The list of controls that your company needs to have in place covers 10 security dimensions, including:
- Access control
- Secure operations
- Risk management
- Business continuity
- Organization and management
- Asset management
- Information and communications
- Audit and compliance
- Data security
- Software development lifecycle (SDLC) security
Implementing (and documenting) security controls is one of the most intimidating and time-consuming parts of the SOC 2 process, which is why you need to get it right.
Unfortunately, the AICPA doesn’t provide much guidance here, but this is an area where a compliance partner, such as a software provider or consultant, can help. A SOC 2 partner with experience in your industry will guide you in determining which controls auditors look for and the documentation you’ll need.
Why Is SOC 2 Important?
Ongoing SOC 2 compliance is critical to establishing and maintaining trust between your company and your client base. Here are some more reasons why SOC 2 is so important:
SOC 2 Is a Competitive Advantage
It’s very likely your competitors already have, or are working towards, SOC 2. With SOC 2 they are clearing the security due diligence phase of the sales cycle faster than you. As we all know, time is money, and this can be the reason a potential customer chooses a competitor’s services over yours.
SOC 2 Is an Investment That Pays Dividends
SOC 2 is expensive. But here are a few of the benefits:
- More customers. Customers will see that you’re following security best practices and taking the necessary steps to safeguard their data and information.
- Shorter sales cycles. Your sales team can leverage your SOC 2 report instead of making your engineering team waste hours filling out security questionnaires.
- Improved internal security culture. If your company goes through a SOC 2 process, security becomes everyone’s responsibility, especially given that a SOC 2 Type 2 attestation requires ongoing maintenance of your security practices.
SOC 2 Gets Your Security in Order
For many early-stage startups, it’s tempting to treat security as an afterthought.
Security attestations like SOC 2 force necessary players like your engineers and execs to participate in becoming more security-aware, because team members involved in your SOC 2 process will have to provide evidence that their processes are secure.
How Long Does It Take to Get SOC 2?
It’s hard to give a specific time frame for the compliance process, because every organization is unique and because SOC 2 is a flexible framework rather than a hard-and-fast set of rules to follow. Every organization has a different starting point, and each one will choose to interpret and apply the Trust Services Criteria in its own way.
However, based on our experience guiding hundreds of companies through SOC 2, we can give you a broad timeline as a reference point.
You may have seen SOC 2 compliance software ads that say you can get your SOC 2 in 2 weeks through automation and integrations. Unfortunately, this is just not true.
There are many providers out there who make lots of promises about integrations and automations. However, there will always be a certain amount of manual work involved with getting any attestation done.
The process can take anywhere from 4 months to 1 year. How quickly you get through it depends on many factors, including:
- The size of your organization
- The maturity of your existing processes and policies
- How many people will be involved in the process
- How many criteria you choose to include
- How much executive buy-in there is for the process
You may have clients snapping at your heels, demanding an attestation. But even the most impatient among them would prefer a thorough inspection to a hasty conclusion full of oversights.
Here is each step and how long it takes, with and without compliance automation.
| Step | Time without Compliance Software | Time with Compliance Software |
|---|---|---|
| Define your project scope | 3-4 Weeks | 1-2 Weeks |
| Write and/or Update Policies | 4-6 Weeks | 1-2 Weeks |
| Collecting Evidence | 6-8 Weeks | 3-4 Weeks |
| The Audit | 4-6 Months | 3-4 Months |
Learn more about what each step entails here.
How Much Does SOC 2 Cost?
The table below breaks down SOC 2 costs for auditing, readiness, Type 1 and Type 2.
The total cost of SOC 2 can be broken down into three phases:
- Risk assessment (define scope and plan)
- Audit readiness (implement policies and controls)
See explanations for the costs of each stage in our SOC 2 Cost Guide.
How To Prepare For a SOC 2 Audit
How you choose to navigate your SOC 2 audit preparation should make sense for your unique business, and you have options. Some organizations choose to prepare for their audit in house, with a consultant, or with compliance software. Each method has its own challenges and benefits.
In order to be as objective as possible, we interviewed professionals and SaaS leaders (outside of Tugboat Logic) who have worked towards SOC 2 in each of these ways. In the linked pieces below, you’ll learn what they had to say about the pros and cons of each method.
- Preparing for a SOC 2 Audit with a Consultant
- Working Towards SOC 2 Internally
- SOC 2 Compliance Automation Software
How Tugboat Logic Helps With SOC 2 Compliance
There’s a lot to think about while you’re preparing for your SOC 2 audit.
The best thing you can do is start tapping into the expertise that’s out there waiting for you. Stop plugging “SOC 2” into search engines and doomscrolling the results, and start taking steps to connect to the expertise you need.
Our SOC 2 experts would love to answer any questions you may have and help you find your best path to SOC 2.
No matter how you choose to prepare for a SOC 2 audit, at the end of this process you’ll be able to inspire confidence in your clients and keep business from the world’s biggest customers rolling in. Good luck!