If your company stores customer data in the cloud and sells to other businesses, it’s likely you’ll be asked to prove your commitment to security via a SOC 2 report. This guide will walk you through the purpose of SOC 2 reports, when and why your organization might obtain one, and how best to prepare for doing so.
What is a SOC 2 report?
A SOC 2 report is often the primary document that security departments rely upon to assess a vendor’s security risk. Created by the American Institute of CPAs (AICPA), SOC 2 reports assure customers and other business partners that you have security guidelines in place and that you follow through on them. That might mean performing background checks on all employees, ensuring employee laptops are password-protected, or configuring your company’s Amazon Web Services (AWS) utilities in safe ways. No two SOC 2 reports look the same, because companies follow different security practices.
What a SOC 2 report covers
A SOC 2 report can include up to five categories, known as the Trust Service Criteria:
All SOC 2 reports include the Security category; the other four are optional. Many early-stage startups choose to start with the Security category only. Decide whether to add further categories by evaluating the commitments your customers expect; Vanta’s “SOC 2's Trust Service Categories and your business” guide may help.
The latest set of Trust Service Criteria, TSP 100 – 2017, includes 33 main requirements (“Trust Service Criteria and Points of Focus”) and 28 optional requirements. Each requirement should be broken down into 1-5 sub-requirements that describe security best practices.
The trick is figuring out how to fulfill the necessary requirements while committing only to practices your company can sustain. Often, companies hire an auditor or consultant to verify that their practices uphold the SOC 2 criteria. In addition, the AICPA revises the rules every few years, introducing more complexity.
Type I versus Type II reports
You can choose from two types of reports: Type I or Type II. A Type I report can be obtained faster, but a Type II report is more detailed and more trusted. Customers and prospects generally prefer, and sometimes even require, a SOC 2 Type II report.
For more information on Type I and Type II reports see Vanta’s “SOC 2 Type I or SOC 2 Type II?” guide.
It used to take months of effort and many steps to obtain a SOC 2 report in the traditional way:
Obtaining a SOC 2 report with Vanta
The process of obtaining a SOC 2 report with Vanta is faster, requires much less manual work, and proceeds with more certainty: