What does SOC 2 compliance involve?
Businesses around the world use SOC 2 compliance to demonstrate their security posture and earn customer trust. It’s become such a recognized standard that it’s now expected for many organizations that handle customer data.
However, going through a SOC 2 audit and getting your SOC 2 report can be a time-consuming and complicated process for organizations going through it for the first time. This guide offers an overview of SOC 2, what criteria you’ll need to prepare for your audit, and tips for getting started.
What is a SOC 2 compliance report?
To obtain a SOC 2 report, you’ll need to hire a third-party auditor to assess your information security practices and determine if you meet the SOC 2 compliance criteria. Your auditor will then create a SOC 2 report, which will detail the results of your audit. This will include an overview of your security controls and how they align with the SOC 2 requirements. You’ll share this report with the prospects, customers, and partners who ask to see it.
What are the SOC 2 compliance requirements?
SOC 2 is unique compared to other compliance standards. It’s not a list of controls to implement; instead, SOC 2 takes a risk-based approach and presents business problems and broad circumstances you’ll need to solve for. For example, instead of telling you to implement firewalls to protect your data, it says: “The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.”
Because the SOC 2 criteria are broad, the way each organization sets up its SOC 2 controls will look different. As you pursue SOC 2 compliance, you’ll create security controls and practices that work for your business to satisfy the necessary criteria.
Trust Services Criteria 101
The core of SOC 2 consists of the five Trust Services Criteria (TSC). During your audit, your auditor will assess your infrastructure and verified security practices against these criteria.
The five TSC are security, privacy, confidentiality, processing integrity, and availability. The security criteria, also called the common criteria, are required controls for all SOC 2 reports. The other four categories only need to be included if they’re applicable to your organization’s operations. For example, if your company doesn’t process data on behalf of your customers, processing integrity won’t be within the scope of your SOC 2 report.
Let’s take a closer look at each TSC category and the role they play in the SOC 2 requirements.
Security
The security criteria are the foundation of SOC 2. There are more than 30 controls within the security criteria, all of which are required for any organization seeking SOC 2. This category's purpose is to protect your organizational and customer data from unauthorized access.
Some example security criteria include:
- CC2.2: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- CC3.2: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
Availability
If employees and customers need the data you manage for a particular purpose, they’ll need to have consistent access to that data. This principle ensures your data is available when needed for its intended function and that it can be recovered in case of a technical failure or data breach.
Example availability criteria include:
- A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
- A1.3: The entity tests recovery plan procedures supporting system recovery to meet its objectives.
Confidentiality
If your organization manages confidential data, like your customers’ business secrets, intellectual property, or personal information, then you may need to include confidentiality in your SOC 2. The controls within this category ensure this data can only be accessed by the right people.
Some of these criteria include:
- C1.1: The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
- C1.2: The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
Processing integrity
If you process data on behalf of your customers, you’ll need to include processing integrity controls in your SOC 2. This includes processes like running analytics, calculations, or otherwise manipulating data to produce a result. This category ensures that you’re providing your customers with accurate calculations and information.
Processing integrity includes criteria such as:
- PI1.1: The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.
- PI1.2: The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.
- PI1.3: The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.
Privacy
The privacy criteria protect the rights of consumers and their data, giving them control over the way their data is collected and used. This includes things like providing notice about data collection, obtaining consent, and letting data subjects request that their data be deleted.
Some example privacy criteria include:
- P1.1: The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.
- P2.1: The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice.
SOC 2 Type 1 and Type 2 requirements
There are two types of SOC 2 reports: SOC 2 Type 1 and SOC 2 Type 2. A SOC 2 Type 1 report analyzes your controls at a single point in time while SOC 2 Type 2 tests and monitors your controls over a period of time to assess their effectiveness.
The requirements and controls are the same for both types of reports; however, a SOC 2 Type 2 audit provides more insight into how effective your controls are because it tests them over a period of time rather than at a single point.
Get started on your SOC 2
The average SOC 2 process takes roughly a year from the moment you start preparing the controls to when you have a completed SOC 2 report in hand. This is because you’ll need to scope your SOC 2 based on the TSC that apply to you, set up the proper controls, test them, collect evidence, and then find an auditor. However, you can cut this time in half with compliance automation.
With Vanta’s trust management platform, you can streamline your SOC 2. Here’s what an automated SOC 2 can look like:
- Connect your infrastructure with our 200+ built-in integrations.
- Assess your risk with one unified view.
- Identify areas of non-compliance.
- Automate evidence collection and centralize all your documents.
- Find a Vanta-vetted auditor within the platform.
- Complete your SOC 2 in half the time.
You can save time and money during your SOC 2 audit process by using Vanta. Learn how you can get your SOC 2 faster by requesting a demo.