Protecting customers’ data is a concern for all organizations regardless of the industry or size. Most organizations outsource key aspects of their business to third-party vendors such as Software-as-a-Service (SaaS) solutions or cloud hosting providers (i.e. Amazon Web Services or AWS). As companies continue to share the responsibility of protecting sensitive data, there is increased importance and scrutiny on the cybersecurity practices implemented at these organizations.
Third-party assessments are a common way in which organizations prove their cybersecurity practices to vendors, customers, and prospects. SOC 2 examinations have become one of the de facto standards for organizations to prove how they are securely managing their customers’ data to protect their interests and privacy. For most organizations conducting business with a SaaS provider, a SOC 2 examination is a minimum requirement. SOC 2 reports are also common for other service organizations such as law firms, marketing agencies, accounting firms, healthcare organizations, and more. This guide will provide an overview of:
- What is SOC 2 (and Why Does It Matter)?
- Key SOC 2 Terms to Know
- SOC 2 Report Use
- Types of SOC 2 Reports
- Sections of a SOC 2 Report
- SOC 2 Trust Services Categories
- When To Consider Pursuing a SOC 2 Examination
- Automating SOC 2 Examinations
- Five Benefits of Earning a SOC 2 Report
What is SOC 2 (and Why Does it Matter)?
System and Organization Controls (SOC) 2 is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA). It is intended to meet the needs of a broad range of customers and vendors that require information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by those systems.
A SOC 2 report is an internal control report, issued by independent CPAs, on the services a service organization provides. These reports are:
- Useful for evaluating the effectiveness of controls related to the services performed by a service organization
- Appropriate for understanding how the service organization fits into the supply chain of providing services to customers
- Helpful for reducing the compliance burden by providing one report that addresses the shared needs of multiple users
- Valuable for enhancing the ability to obtain and retain customers
With the prevalence of SaaS companies in the industry, organizations are outsourcing information technology infrastructure to service organizations such as cloud hosting providers (e.g., AWS). These service organizations are often tasked with proving to their customers and vendors that they are adequately protecting their customers’ sensitive data. For some, it’s a legal obligation; for others, it’s critical for customer validation. Service organizations obtain SOC 2 reports to demonstrate they have certain controls in place to mitigate security, availability, confidentiality, processing integrity, or privacy risks. A SOC 2 report includes a CPA firm’s (such as ByteChek Assurance) opinion on control design and, potentially, operating effectiveness over a period of time.
Take AWS as an example. AWS is the market leader in cloud computing, commanding over 30% of the cloud computing market share. That is a lot of customers! These customers are often concerned with how AWS is protecting their sensitive data and how AWS is addressing the risk of its systems and data being compromised. AWS does not want to respond to each individual customer’s request related to the security of the cloud infrastructure. AWS, along with most service organizations, has opted to undergo a SOC 2 examination by an independent CPA firm to answer these requests. The resulting report answers most, if not all, of the questions customers ask related to security, availability, confidentiality, processing integrity, and privacy.
Key SOC 2 Terms to Know
- Applicable trust services criteria
- Control activity
- Service Auditor
- Service Organization
- SSAE 18
- Subservice Organization
- Trust Services Categories
SOC 2 Report Use
SOC 2 report readers should understand who the service organization is, what services they provide, and how those services are delivered and managed. Without this knowledge, the report can be confusing and cause misunderstandings. Examples of intended users of a SOC 2 report are:
- Service organization internal personnel
- Customers of the system
- Business partners subject to risks from interactions with the service organization or system
- Prospective customers going through vendor due diligence on the service organization
- Regulatory agencies or authorities
Because of the sensitive nature of the SOC 2 report and its intended users, a SOC 2 report is considered a restricted use report and should only be provided to readers under a non-disclosure agreement or other confidentiality agreement. In the event your company needs or wants a report that is for general use, it can opt to undergo a SOC 3 examination.
A SOC 3 report is a general use report that can be made publicly available. A SOC 3 report does not include the full system description (section 3) or the description of the service auditor’s tests of controls and the results thereof (section 4). Distribution of a SOC 2 report for marketing purposes is ill-advised, as sections 3 and 4 contain sensitive information about the system and the results of control design or operating effectiveness testing. This is why SOC 2 reports are considered restricted-use reports. SOC 3 reports can be posted on the company website and include limited information about the system and the results of the examination. For example, AWS makes its SOC 3 report available for download as a PDF.
Types of SOC 2 Reports
In a SOC 2 examination, organizations can undergo a SOC 2 Type 1 or a SOC 2 Type 2 examination. A Type 1 examination is a report on the controls at a service organization at a specific point in time, whereas a Type 2 examination is a report on the controls at a service organization over a period of time. The period of time evaluated in a SOC 2 Type 2 examination is typically between 3-12 months.
A Type 1 examination is generally seen as the first stepping stone for an organization pursuing a SOC 2 examination. This report is a great way for companies to prove to their customers and vendors that they take security seriously and have partnered with a third-party auditing firm to validate their security. At ByteChek, we recommend that all companies pursue a SOC 2 Type 1 examination prior to beginning their SOC 2 Type 2. The level of effort and time it takes to earn a Type 1 report is significantly lower than for a Type 2 examination.
The level of effort decreases because your company is being evaluated at a point in time. This reduces evidence requirements and eliminates any requirement to sample-test controls over a period of time. For example, in a Type 2 examination, your auditors may ask you to provide evidence of security awareness training for a sample of new hires over a three-month period, whereas in a SOC 2 Type 1 examination, your auditors should only ask you for one example of a new hire’s completion of security awareness training.
There is no AICPA requirement to undergo a Type 1 examination before a Type 2, but at ByteChek this is the recommended way to reduce the risk of exceptions or deviations in your first Type 2 report. Earning a Type 1 before your first Type 2 does not guarantee that your Type 2 report will have no exceptions or deviations, but it does mitigate the risk by providing clear and direct insight into the type of evidence and processes expected for every control that will be evaluated. Your customers can rest assured knowing that your Type 1 is a stepping stone to your Type 2. ByteChek provides every customer with a confirmation of the engagement letter, which can be shared with your customers to outline the scope and timeline of the Type 1 and Type 2 reports.
Sections of a SOC 2 Report
In a SOC 2 report, there are five sections to be aware of. Below is an overview of these sections and their components:
- Section 1: Independent Service Auditor’s Report
- Section 2: Management’s Assertion
- Section 3: System Description
- Section 4: Trust Services Categories, Criteria, Related Controls and Tests of Controls Relevant to In-Scope TSCs
- Optional Section 5: Other Information Provided by Management That Is Not Covered by the Service Auditor’s Report
SOC 2 Trust Services Categories
There are five Trust Services Categories (often mistakenly referred to as Trust Services Principles) that a client can choose to be evaluated against in a SOC 2 examination. The five Trust Services Categories and their definitions as defined by the AICPA are:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the entity’s objectives.
Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
When To Consider Pursuing a SOC 2 Examination
The best day to consider pursuing a SOC 2 examination is when you start your company, the second-best day is today. In our experience, a SOC 2 examination is pursued as a reaction to a request from a customer or vendor. This reactionary response leads to the nightmare stories you have probably read about regarding the SOC 2 process. Undergoing your first SOC 2 examination when you have a big deal or potential strategic partnership on the line can be a stressful and operationally draining experience.
Starting your SOC 2 journey prior to receiving a request from a customer or vendor is analogous to the famous quote by Benjamin Franklin, “An ounce of prevention is worth a pound of cure.” Preparing for your inevitable SOC 2 examination does not mean you have to undergo an audit by a third-party professional services auditing firm or pay exorbitant auditor fees.
The ByteChek platform is designed for organizations that are taking a proactive approach to cybersecurity preparedness and readiness. Our fully integrated platform quickly assesses your technology stack against the SOC 2 criteria, providing detailed recommendations and implementation guidance in minutes.
Automating SOC 2 Readiness Assessments
It is possible to automate your readiness assessment using the fully integrated ByteChek platform. Our platform is built to quickly assess your organization’s gaps related to the Security, Availability, and Confidentiality Trust Services Categories, rather than spending weeks working with a large auditing team, sitting through long, arduous remote interviews, and following archaic evidence collection procedures.
You can quickly integrate cloud hosting, security information and event management, version control, human resources information system, and other relevant tools with the ByteChek SaaS platform. This eliminates the need for third-party auditors during readiness, because our platform automatically provides recommendations for the control gaps or security weaknesses it identifies. This frees up your team and resources to begin remediation efforts and ultimately earn your SOC 2 Type 1 report.
Five Benefits of Earning a SOC 2 Report
- Enable Sales to unlock new markets and close deals faster
- Prove security to customers and vendors with one report (audit once, use many)
- Leverage the flexibility of the SOC 2 reporting framework to differentiate your company from its competitors
- Demonstrate the maturity of your security program
- Accelerate the customer onboarding and due diligence process, eliminating vendor security questionnaires
Potential and existing customers want to know that organizations have taken all necessary measures to protect the sensitive data processed by the service. SOC 2 examinations, performed by an independent CPA firm, enable the service organization to demonstrate the safeguards in place relevant to the security, availability, and processing integrity of the systems used to process sensitive data, and the confidentiality and privacy safeguards in place to protect that data. These reports allow organizations to demonstrate security as a differentiator, accelerate the vendor due diligence process by undergoing one audit to respond to multiple customer requests, and, most importantly, assess the information security risks your organization is facing.