SOC 2 Type 2 Guide: Compliance and Certification - Part 1
Learn about SOC 2 compliance. Why it matters when choosing a SaaS provider. Protect your clients' privacy
Every day, the way we use the internet continues to evolve. And as a result, it’s now easier for people to access their data from anywhere in the world. While this is good, this level of access has a downside. There’s an increasing threat to stored data. There is almost always news of accidental leak or data breach.
Additional precautions are required to ensure the security of data. And this is where SOC 2 compliance comes in.
Organisations that are managing data in the cloud need to be SOC 2 compliant. This will show their customers that they care about their data. And that will bring in more customers in return.
From data such as email addresses to sensitive financial information, users expect organizations to properly manage their data.
Here’s all you need to know about SOC 2 compliance and why it’s important when choosing a SaaS provider.
What is SOC2 Type II and who needs it?
To start with, SOC is a system of service organization controls. The acronym stands for “system and organization controls,” and the controls refer to a series of standards designed to help measure how well a given service organization regulates and conducts its information.
SOC standards exist to provide peace of mind and confidence for organizations when they work with third-party vendors. A SOC-certified organization has been audited by an independent certified public accountant.
The Service Organization Control 2 (SOC 2) Type II examination shows that an independent auditing and accounting firm has examined and reviewed an organization’s control activities and objectives, and tested those controls to ensure that they are effectively operating.
It is based on Communications, Policies, Monitoring and Procedures.
SOC 2 Type II audits are meant to help organizations attain a reasonable level of confidence that their service providers comply with the applicable privacy and security standards, and that their systems are being operated efficiently and effectively.
With SOC 2 Type II examination, customers of service providers can evaluate the processing activities of service providers that have impact on the security, confidentiality, processing integrity and availability of the customer’s information.
And for the service providers, SOC 2 Type II examination helps them to understand the adequacy of their controls and in the demonstration of conformity with the applicable privacy and security standards.
The entities responsible for performing the SOC 2 Type are known as "qualified security assessors" (QSAs) and AICPA maintain the standards that govern SOC 2 Type II examinations.
A brief history of SOC 2
Before SOC 2, the main auditing service organisations’ standard was referred to as SAS 70 (Statement of Auditing Standards No. 70). These audits were done by Certified Public Accountants (CPAs) with the main intent of reporting on the effectiveness of internal financial controls. These started in the early 1990’s.
With time, the audit was being used as a way of reporting on the effectiveness of an organisation’s internal controls around information security more deeply.
Sometime in 2010, the AICPA (The American Institute of Certified Public Accountants) introduced SOC 1 and SOC 2 reports with the primary purpose of addressing the increasing need of companies to externally validate and communicate the state of their security.
Today, SOC 1 reports focus on controls that have impact on financial reports. On the other hand, SOC 2 reports are written on audits against the Trust Services Criteria (TSC) standard. This is an ideal standard if you’re looking for a way to simultaneously grow your company’s maturity around business processes and security.
Types of SOC 2 Report
- The SOC 2 Type I Report
SOC 2 type I reports detail the suitability and design of the company’s controls, its scope and its management at a given point in time. It demonstrates proof of compliance with the American Institute of Public Accountants (AICPA) and other recognized accounting bodies’ auditing procedures and industry best practices. This benefits companies by assuring potential customers that their data will be safe in the hands of a SOC II compliant company.
There has been increased demand for SOC 2 type I compliant providers as cyber-attacks continue to rise in frequency and sophistication. While not legally required, SOC 2 type I compliance is highly sought after for companies handling customer data like healthcare providers and financial institutions to assure their customers that they have protective controls in place.
Depending how well a company is prepared for their SOC 2 type I, they can be audited immediately, and the report created. If a service organization has already performed a readiness assessment, has their controls in place and well documented, an approved auditor can begin the examination right away.
Generating the SOC 2 type I report typically takes between 2 to 4 weeks, unlike the SOC 2 type II report, which takes 6 months to a year – making the SOC 2 type I report is ideal for companies assessing multiple potential vendors or looking to engage 3rd parties in a relatively short amount of time.
- The SOC 2 Type II Report
Like the SOC 2 type I report, the type II report is a description of a company’s system and the suitability of the design of controls, but it also assesses the operating effectiveness of said controls. While there are many benefits to SOC type I compliance, SOC type II provides a much higher level of assurance in comparison.
To achieve SOC type II compliance, a company must pass a thorough examination of its policies and controls over an extended period, requiring companies to dedicate even more time and resources. Most companies will select a period that overlaps the most with the company’s financial year. While there is no required minimum duration for the type II reporting period, the AICPA has suggested companies use a period of 6 months. To provide their clients with a continuous flow of reporting on their controls, companies usually decide in a 12-month reporting period to eliminate a break in the reporting period.
The SOC 2 type II compliance and reporting demonstrates superior data security and control systems to potential customers. Companies with SOC 2 type II compliance gain an advantage from the ability to engage larger, and more security-conscious organizations with their services.
SOC 2 type II compliance follows the same general principles of SOC type I but requires additional resources and working hours. SOC 2 type II compliance easier to acquire for companies with mature controls that are constantly monitored and updated accordingly. The SOC 2 type II audit is generally sought out by medium to large who operate with sensitive data or in heavily regulated industries with stringent security requirements.
SOC 2 major trust Principles
SOC 2 certification is issued by external auditors. They examine the level to which a vendor has complied with one or more of the five trust principles based on the processes and systems in place.
The trust principles are further broken down below:
The security principle has to do with the protection of system resources against unapproved access. Access controls help avoid potential system abuse, theft or unapproved removal of data, abuse of software, and inappropriate alteration or disclosure of information.
IT security tools like network and web application firewalls (WAFs), two-factor authentication and intrusion detection are handy in preventing security breaches that can result in unauthorized access of systems and data.
The availability principle refers to the availability of the system, services or products as stipulated by a service level agreement (SLA) or contract. Hence, the minimum level of performance that’s acceptable for system availability is set by both parties.
This principle does not include system usability and functionality but involves security-related criteria that may have an effect on availability. Monitoring network availability and performance, site failover and security incident handling are critical here.
3. Processing integrity
The processing integrity principle has to do with whether a system achieves its purpose or not (i.e., delivers the right data where it should be and at the right time). As a result, data processing must be valid, complete, accurate, authorized and timely.
Nevertheless, processing integrity does not always mean data integrity. If data contains errors before it is entered into the system, detecting them is usually not the responsibility of the processing entity. Monitoring of data processing, as well as quality assurance procedures, can help ensure processing integrity.
Data is considered confidential if its access and disclosure are limited to a specified set of individuals or organizations. Examples may include data meant only for company personnel, and also business plans, internal price lists, intellectual properties and other types of sensitive financial information.
Encryption is a critical control for the protection of confidentiality in the course of transmission. Network and application firewalls, in combination with rigorous access controls, can be used to protect information being stored or processed on computer systems.
The privacy principle deals with the system’s collection, use, disclosure, retention and disposal of personal information to conform with an organization’s privacy notice, and in line with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).
Personal identifiable information (PII) is the details that can uniquely distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, sexuality, race and religion are also considered sensitive and usually require an additional level of protection. There must be controls in place to protect all PII from unauthorized access.
Why SOC 2 Compliance Matters
Majorly, SOC 2 compliance will let you have peace of mind that your processes and procedures correspond with what they say: protect your customers’ data. Apart from this, there are two additional benefits:
- SaaS providers with SOC 2 Type II certification are more trusted by clients than those who don’t have it because the certification shows a commitment to data security.
- Companies with plenty of data to handle—especially enterprise companies with numerous customers (up to thousands or millions of customers)—will more likely choose SOC 2-compliant SaaS providers to work with.
More SaaS companies are getting SOC 2-certified in order to gain users trust and protect their data. A good example is Intercom that announced that they are SOC 2 compliant. Intercom is developed as a platform to ease the way B2C messaging is exchanged.
One of their business goals is to develop innovative products, but they want to also make sure their customers can trust these products. In line with SOC 2 compliance, Intercom intends to conduct annual reviews to ensure their procedures are adequate to protect customer data and that they consistently meet the needs and expectations of customers.
SaaS providers depend on their customers to help them grow. Irrespective of how creative and cutting edge the products are; if customers are not confident in the fact that their data is safe, they won’t sign up. The commitment of companies to security, processing integrity, availability, confidentiality, and privacy will determine business success. In summary, SOC 2 compliance serves as a link between a tech innovation and developing trusting relationships with customers.
Let’s closely examine additional reasons why SOC 2 compliance matters
- SOC 2 compliance reduces security risks over a period of time
There are two kinds of SOC 2 reports: Type I and Type II. Type I reports don’t take much time to make preparations for and obtain because they only focus on how well you’ve done at setting up standard procedures for your business. For instance, Type I reports will check to see if your procedures can take care of issues such as data breaches. Type I reports don’t really check whether these procedures work, just examines to know you have a plan. Also, Type I audits only check for compliance at one point in time.
On the other hand, Type II audits do not only ensure that your procedures are in place, but that they work and are supported for a period of time (for example, six months).
The process of auditing to get this level of certification is more stricter and meticulous than Type I, but it comes with greater benefits.
According to a SaaS management platform known as Blissfully, Type II audits are “more valuable in the hands of customers, prospects, board members, partners, insurance companies, and so on.” To have third-party auditors come to terms with the fact that your data security measures meet a high standard is pretty significant. Companies are much more likely to be interested in investing and doing business with you.
- SOC 2 compliance gives you the opportunity to show your strengths
Although there are five trust-service principles, SaaS companies aren’t expected to use all of them to protect data. For instance, if a SaaS business is mainly focused on storing data, safeguarding systems from unauthorized access is their priority. Hence, their SOC 2 audit will focus on Security Principle.
Before your SOC 2-compliance audit commences, think of how the five criteria relate with your business practices. Then decide which areas you’ll concentrate on. Checkout the following examples:
- If you provide CRM services, then all five principles might be applicable to you.
- If you provide sales and marketing services, then Confidentiality, Availability and Security might be applicable to you.
- If you provide analytics software services, then Processing Integrity, Availability and Security might be applicable to you.
Think of what your customers want from you, and the most relevant principles to you become clearer to you. For instance, find out whether customers are interested in access to features such as data recovery, end-to-end encryption or two-factor authentication for their end users. The answers will tell you which principles to concentrate on.
For instance, when Auth0 went for their SOC 2 report, they considered what their customers wanted from them. They discovered that customers wanted to be assured of two things:
- They wanted to know the type of security Auth0 had to avoid data breaches
- They wanted to know if services would be always available.
So, Auth0 chose Security and Availability as the two principles they needed to be audited on to get their SOC Type II report.
By the way, Auth is an authentication and authorization platform.
- SOC 2 compliance Bolsters Company Culture
Implementing new security controls can be tough. People may complain about the extra time it takes to log in to services using multi-factor authentication. However, the minor annoyances are worth the ultimate outcome. When it comes to building a secure and compliant company culture, the smaller and younger you are as an organization when new processes are put in place, the easier it will be to scale. Companies as small as three employees have gone through SOC 2 audits. It is also helpful to automate these processes as much as possible, baking them deep into your company culture.
- SOC 2 compliance Provides Documentation
It’s never too early to get your documentation in order. Do you have policies and procedures? Do you have internal standards documentation? Having these processes well-documented will improve internal communication and consistency, which in turn enables you to meet legal and compliance challenges, close more sales, and prepare for financial changes like a merger or acquisition or a new round of VC funding.
- SOC 2 compliance helps with Risk Management
Finally, preparing for a SOC 2 audit will give you a framework for acknowledging and mitigating risks. Many organizations who have not undergone a formal compliance audit are either unaware of security risks or addressing them in an ad hoc way. Approaching compliance systematically instead will ensure that even risks that aren’t top of mind receive attention and can be mitigated in a timely manner.
The Value of SOC 2 as a Vendor
If you don’t have SOC 2 compliance as a vendor, you will probably have to fill out more than a few security questionnaires before you can work with any enterprise-scale customers. While that might sound easier than a SOC 2 audit on the surface, the questionnaires can be quite detailed and overwhelming, and they are often hard to fill out if you don’t already know the security lingo, have tooling in place, and know how to document processes. In other words, if you haven’t already gone through the process of setting up and enforcing policies as you would for SOC 2, you may find yourself stuck when the questionnaires arrive.
In a nutshell, being SOC 2 compliant will both help you sell to the enterprise, and force you to follow a set of strong best practices when it comes to keeping your company’s and customers’ data safe. Security is (or at least should be) a major concern for all technology-focused companies today, as we’ve written about in our previous eBook: Blissfully’s Practical Guide to People-First SaaS Security. Achieving SOC 2 compliance is a good way to demonstrate that you do indeed have security at heart in all you do as an organization.
Continued in the second part
- What is SOC2 Type II and who needs it?
- A brief history of SOC 2
- Types of SOC 2 Report
- SOC 2 major trust Principles
- Why SOC 2 Compliance Matters
- The Value of SOC 2 as a Vendor