How to Guide: SOC2 compliance

As many organizations engage in audits to ensure that their operations are sufficiently safeguarded against data loss or breach, we have compiled the following information on the industry’s leading data assessment standard — Service Organization Control ("SOC 2").

SOC 2 outlines a set of voluntary compliance standards established by the American Institute of Certified Public Accountants (“AICPA”) that a vendor can use to manage sensitive data, such as financial or medical information, on premises and in cloud environments. An organization being deemed SOC 2 compliant is a major value-add to a company. In fact, according to CPO Magazine, “many B2B enterprise buyers might not even want to have a serious sales meeting until they know your company can demonstrate security best practices through a SOC 2 audit.”

According to this article published by The News Stack, SOC 2 has two types of compliance standards — Type I and Type II. Type I “ensures that security and compliance commitments are met through the development of infrastructure, software, processes, data and controls that an organization has put in place.” Type II “takes things a step further” by using a qualified third-party auditor evaluating and validating controls over time, as well as the “effectiveness of organizational security.”

According to the article, achieving either type of compliance “is a lengthy and challenging task.” The CPO Magazine article provides that Type 1 audits last between two to three weeks and could cost an organization between $10,000 and $20,000. Type 2 audits could take between six months and a year and might cost between $20,000 and $30,000.

Although both types will ensure compliance with the security frameworks’ minimum requirements, The News Stack article makes clear that “[a]chieving SOC 2 Type 2 compliance is a critical confirmation that your implemented security and compliance program is working.”

The audit process may proceed as follows:

  • First, the auditors thoroughly review the system documentation, including your organization’s policies and procedures.

  • Then, the auditor will interview “key personnel in the organization” to verify that the policies and procedures are being properly followed.

  • Finally, the auditors conduct an on-site inspection of your organization to examine your hardware and software configuration.

Under Type II, The News Stack article states that the auditor ensures that your organization “meets all applicable requirements in one or more of the following trust principles: security; availability; processing integrity; confidentiality; and privacy.” Although each of these principles plays a role in protecting your organization, security is the only principle that is mandatory for an audit. As such, an organization is responsible for implementing measures that ensure security, such as “authorization, authentication, management, and identification,” and measures that will prevent data theft, such as “system and data manipulation, unauthorized access, misuse of software and many more security threats.”

The measures deployed by each organization may vary as the criteria for SOC 2 are “generally broad and flexible” — so long as the standard is being met. The CPO Magazine article provides the following steps for organizations to expedite the process and ensure efficiency:

  • Complete readiness assessments to “identify opportunities to improve your compliance processes and controls”;

  • Assign an internal team dedicated to preparing for the SOC 2 audit, impose documentation requirements and assign a dedicated team member with decision-making authority to “work as a liaison to manage communication between the SOC 2 auditor and your company’s technical teams”;

  • Hold the internal team to maintaining a progress timeframe and budget;

  • Select a reputable CPA firm that is familiar with SOC 2 audits to assist internal teams and auditors in achieving compliance.
