You’ve been asked for your SOC 2, and you’re just diving into figuring out how to get it done. In this post we’ll share an overview of what organizations are looking for when they request your SOC 2, outline the SOC 2 controls that make up the report, explain how CPAs are involved in the process, and show how automation can help your company earn its SOC 2.
Why did my company get asked for a SOC 2?
If you’ve been asked for your SOC 2, you might be a B2B, Software as a Service (SaaS), or Platform as a Service (PaaS) provider, and your company likely processes or stores personal or confidential customer information. Your company may work with organizations in the retail or financial sectors, in healthcare, or in other industries that collect and manage customer data.
As organizations outsource various functions of their work — and come to you to utilize your company’s services — outsourcing means that customer data and information is shared among increasing numbers of service providers. With more companies accessing and storing an organization’s data to provide multifaceted services, the risk of data breaches increases. Organizations (known as user entities) may engage the work of service organizations to streamline their business, but they maintain overall responsibility for the safety and security of their customers’ data. As orgs partner with vendors to deliver key services, they need a way to ensure that vendors are keeping data safe and secure — and service organizations need to demonstrate that they can maintain appropriate security practices. That’s where the SOC 2 comes in.
The American Institute of CPAs (AICPA) has developed three different SOC for Service Organization assessment frameworks: these are the SOC 1, SOC 2, and SOC 3. A SOC 2 report is often the primary document that security departments reference to assess a vendor’s security risk. SOC 2 reports assure customers and other business partners that you have security guidelines in place and that you follow through on them. (A SOC 1 documents controls relevant to an audit of a customer's financial statements, and a SOC 3 summarizes a SOC 2 report for general consumption.) SOC audits and their resulting reports were created to provide a trustworthy third-party review of the security controls in place at a service organization — helping user entities choose vendors who employ verified security practices, and helping service organizations build credibility and trust with the organizations they serve.