SOC 2, formally known as Service Organization Control 2, reports on an organization's controls related to security, availability, processing integrity, confidentiality, and privacy. The standard governing these five areas was established by the AICPA under its Trust Services Principles and Criteria. SOC 2 reports are divided into Type I and Type II.
SOC 2 TYPE I
SOC 2 Type I evaluates an organization's cybersecurity controls at a specific time. The goal is to determine whether internal controls are in place sufficiently and properly designed to provide the right protection for customer data. Type I audits and reports can be completed in a matter of weeks.
SOC 2 TYPE II
A SOC 2 Type II report examines how well the system and controls of a service organization have been operating for a specific period of time (usually 3-12 months). It examines operational activity to determine whether the systems are working as originally intended throughout the audit period. The time required for a Type II audit is typically between 3 and 6 months.
SOC 2 TYPE I vs. SOC 2 TYPE II
Both types of SOC 2 report must be performed by an audit firm.
When selecting a report type, the key question is whether it is realistic to verify the controls over the whole audit period, or whether this is a first verification in which compliance with all requirements is not yet ensured. If verification over the whole period is not possible (for example, because the controls have only recently been introduced), it is preferable to start with a Type I report and then proceed to Type II. A second case is the organization's first SOC 2 audit: when the client already knows which controls are in place and needs them confirmed before committing to Type II, a Type I report is prepared. A third option is a purely default validation that the controls exist; in that case we recommend that clients carry out a preassessment of how well their internal controls comply with SOC 2 requirements.
CHOOSE YOUR REPORT TYPE
Before you invite an auditor into your office, you first need to decide what type of SOC 2 report your service organization needs. Alternatively, an auditor can help you and suggest the most appropriate approach.
DEFINE THE AUDIT SCOPE
First, decide whether you will seek a SOC 2 audit at the company level or for a specific product or service. Next, decide what audit period you will require (the recommended length for Type II is at least 6 months). Finally, select the trust services criteria, out of the five, for which you need to conduct the audit. You can start with only a few and add others later. Certain industries have criteria that are effectively mandatory. For example, healthcare companies must meet the requirements of HIPAA, so choosing Privacy over Security should be the right choice. After selecting the period and criteria, you need to determine which information security controls and systems are relevant.
Then collect all documentation on these systems and controls. During the audit, the auditor will review this documentation along with your systems and controls to determine operational effectiveness. Some of the documents you may need to provide include:
asset inventories, change management information, equipment maintenance records, system backup records, code of conduct and ethics policies, business continuity and incident response plans, and so on.
It is also advisable to discuss all criteria with the auditor to ensure that they have been chosen correctly.
PERFORM A GAP ANALYSIS
Now that you have all your systems, controls, and documents in place, you need to compare where you stand against what SOC 2 compliance requires. This gap analysis lets you identify any areas where your systems fall short in protecting customer data, so that you can create a remediation plan to bring them into line before the formal SOC 2 audit.
The auditor may also carry out a readiness assessment. During the readiness assessment, the audit company will perform its own gap analysis and provide you with some recommendations. These will also explain the requirements of the trust service criteria you have selected.
COMPLETE THE READINESS ASSESSMENT
In preparation, a SOC auditor can provide answers to any questions or concerns you may have.
SOC 2 is based on the five trust services criteria (Trust Services Principles) as defined by the American Institute of Certified Public Accountants (AICPA).
These trust services criteria are essential elements of cybersecurity. They cover organisational controls, risk assessment, risk mitigation, risk management and change management.
THE FIVE TRUST SERVICES CRITERIA ARE:
The Security criteria relate to protecting information and sensitive client data from unauthorised disclosure. They demonstrate that the service organisation's systems and control environment are protected against unauthorised access and other risks. Security is also the only criterion that is mandatory for SOC 2 reports; the others may be added at will.
The Availability criteria determine whether your employees and clients can rely on your systems to do their work. Examples of availability controls are data backups, disaster recovery, and business continuity planning. Each of these minimizes the damage caused by an event such as a power cut. For instance, if your data center is flooded, multiple power and computing redundancies ensure that data remains available despite the hardware failure.
We recommend including this criterion in your SOC 2 report if your services must operate at a defined level of availability, so that an outage would put the services you provide to your clients at risk.
The Confidentiality criteria evaluate how organizations protect confidential information, i.e., by limiting its access, storage, and use. They can help organizations define which individuals may access what data and how that data may be shared. This ensures that only authorized people can view sensitive information, such as legal documents or intellectual property.
We recommend including this criterion in your SOC 2 report if your organization handles confidential information. Examples include financial reports, passwords, business strategies, and intellectual property.
The Processing Integrity criteria determine whether a system works properly; that is, whether it performs its intended functions without delay, error, omission, or accidental manipulation.
We recommend adding this criterion to your SOC 2 report if you provide financial reporting services, if you are an e-commerce company, or if you process client data within your environment.
The Privacy criteria examine how an organization's control activities protect customers' personally identifiable information (PII). They also ensure that any system handling PII complies with the generally accepted AICPA privacy principles. Name, physical address, email address, and social security number are a few examples of information that falls under this category. For some companies and service providers, information such as health, race, and sexuality may also be relevant from a privacy perspective.