Who is responsible for SOC 2?

Who is responsible for SOC 2?

Most people think of SOC 2 as a technical or engineering project, and in part, this is true. SOC 2 controls are built around protecting your data, and many of those controls involve creating and maintaining electronic or code-based barriers that keep your data away from unsafe hands. However, data security doesn’t only exist in cyberspace.

Through our years of working with businesses on their SOC 2 reporting, we’ve noticed that this common misconception tends to slow down and delay the reporting process. We often see businesses that don’t have the engineering staff they need to put the SOC 2 security controls in place, so they put off the process until they’ve carried out a lengthy talent search and hiring process. Or, they may have the engineers they need, but those engineers may be working on a higher-priority project so the SOC 2 compliance is put on hold until the current project is done.

The truth is that there are plenty of non-technical staff members that have roles to play in your SOC 2 compliance, and getting started with those tasks while you’re hiring engineers or waiting for engineers to finish other projects will allow you to get your compliance process underway so it can finish sooner.

To help your business better plan your SOC 2 compliance, we’re breaking down the roles that both technical and non-technical staff have to play.

Human resources and administrative staff

In hacking and data theft, much of the process is actually done through social engineering rather than programming or technical hacks. As a result, every employee and contractor in your business affects your information security, and that is why human resources and administrative professionals play a key part in SOC 2 compliance.

For one, these members of your team are generally responsible for employee onboarding and offboarding. Part of onboarding and offboarding needs to involve your specific security protocol for each employee. For example, you may need to set up an access control key for each employee when they join your organization, as well as teach them your security practices. When an employee leaves, that access control key must be deactivated and you may need to take other measures to keep your data secure.

Your HR and administrative teams are also responsible for developing and maintaining security policies for your SOC 2 compliance. For instance, you’ll need policies for security practices employees need to follow, policies for reporting potential data breaches, and so on. Members of your non-technical staff will need to draft these policies in addition to getting employees’ signatures to ensure that everyone is aware of and prepared to follow the policies.

Another important way HR and administrative staff take part in SOC 2 compliance is by organizing and implementing security awareness training. This training must bring your employees up to speed on common tactics used by hackers and data thieves and teach employees how to avoid these security threats.

Engineering staff

In general, your administrative and HR staff will be spearheading the employee-focused aspects of SOC 2 compliance. Your engineering team, on the other hand, focuses on all the technical security components to prepare for your SOC 2 report.

The exact duties of your engineering team will depend on your business, your information security system, and so on. It could include implementing firewalls, establishing encoding practices, selecting and installing antivirus software, programming access controls, investigating the security of your various platform and tool integrations, and so on.

What does this breakdown of responsibilities mean?

Now that you have an understanding of how both technical professionals and certain non-technical professionals play a role in SOC 2 compliance, why does this matter? How does it impact your SOC 2 reporting process?

It means that you don’t have to wait until you have a team of security engineering specialists hired and available before you start working toward SOC 2 compliance. While you’re hiring engineers or waiting for your own engineers’ time to become available, your administrative and HR staff can be working on security policies, employee onboarding and offboarding processes, planning and organizing security awareness training, and so on.

If you’re in this stage and you’re ready to get started, the best way to jump in is to get the guidance of an automated platform.

How does Vanta make SOC 2 compliance easier for both technical and non-technical professionals?

Vanta is an automated SOC 2 compliance platform that helps you through the necessary security controls in your SOC 2 report. It assesses your system’s readiness and gives you detailed checklists of what you’ll need, and that’s just a start. In fact, Vanta can make the work easier for both technical and non-technical professionals.

For your HR and administrative staff, Vanta allows you to create custom workflows for employee onboarding and offboarding. This way, you can ensure that no security measure is missed during these workflows. You’ll also have an access control center where you can see each employee’s access at a glance, so you can make sure everyone has the permissions they need but nothing more.

Vanta helps with policy development as well. In fact, this tool includes in-depth templates for your security policies. There’s no need to start from scratch and spend hours with an attorney trying to make sure all your bases are covered.

Further yet, Vanta eases your burden with security awareness training by including detailed training plans you can easily implement. Your staff doesn’t need to invest hours into researching and designing a training program of their own or finding one elsewhere.

When it comes to your engineering team, Vanta offers straightforward help with SOC 2 compliance. The automated software scans your system for the necessary security controls and gives you a precise list of which controls you’ve already met and which ones are lacking so your engineers can cut straight to the chase.

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?


Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:


A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified


A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference


Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.

Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes