Last Update: March 7, 2022
SOC 2 is a compliance framework used by service providers and their auditors in order to demonstrate the security and general trustworthiness of the providers’ services. The “SOC” in SOC 2 stands for “System and Organization Controls.” SOC 2 is governed by the American Institute of Certified Public Accountants (AICPA).
The framework consists of a set of criteria that specify what an organization needs to do in order to be certified as meeting the AICPA’s SOC 2 criteria. The criteria cover five different categories: security, privacy, confidentiality, availability and processing integrity. These five categories of criteria are referred to as “Trust Services Criteria” (TSC). (They used to be called Trust Services Principles, until the AICPA revised its terminology in 2017).
The only one of these five TSC categories which is required for compliance is security, while the other four are optional. Many firms initially opt to be audited for security only – typically if they have never been through a SOC 2 examination before – and then widen the scope in subsequent years’ audits.
SOC 2 is a compliance framework that is more “descriptive” than “prescriptive”. This means that the TSC criteria are closer to guidelines than to rigid requirements. So, service organizations like yours have broad leeway in designing and implementing the “controls” that satisfy the criteria. Controls have to meet a test of reasonableness, have to make sense in terms of the unique aspects of your business and its environment, and have to pass examination and approval by your SOC auditor. This means SOC 2 will not be interpreted the same way for a 10-person SaaS company as for a 1000-person global company.
An attestation report is a document in which you (the client) and the auditor – whose work must be vetted by a CPA, if the hands-on auditor is not a CPA themselves – both attest that the content of the report fairly and accurately reflects that the organization is truly meeting the SOC 2 criteria. This document is usually called just a “SOC 2 report”, and provides confirmation that the client is compliant with SOC 2.
The four main sections of a SOC 2 report are:
The AICPA states that SOC 2 reports are designed to “help service organizations that provide services to other entities, build trust and confidence in the service performed, and in the controls related to the services, through a report by an independent CPA.” In short, it’s designed to reassure your partners as well as the customers and prospective customers of your SaaS service that your company is secure and safe to do business with.
You need a SOC 2 report because your customers want you to be SOC 2 compliant, or else they may not buy from you. Or if they do buy from you, they’ll first make you jump through more hoops – such as giving you lengthy security questionnaires to fill out – to demonstrate that you really are secure. (And of course, they may also care about categories of criteria other than security, which means even longer questionnaires to complete).
Instead of suffering the headaches of answering endless questionnaires from your prospects, just hand them the SOC 2 report and then the compliance conversation can be short and sweet. Then move on to closing more business, with shorter sales cycles and a higher percentage close rate.
All the compliance frameworks have different requirements, originating from different sponsoring bodies, such as the AICPA or the European Union’s GDPR compliance agency.
That said, YES, having SOC 2 will get you much closer to being compliant with the other frameworks as well, because of the heavy overlap between them. With SOC 2, you will have already built your framework of policies, controls and procedures, and you will already have instilled in your organization the discipline of following the necessary processes for security, confidentiality, availability and so on.
Akitra’s compliance automation platform offers a critical advantage: it uses a common architecture across all of the frameworks it supports, including SOC 1, SOC 2, ISO 27001, NIST 800-53, HIPAA and GDPR. This means that most policies and controls are common across these frameworks. It also means that if, for example, you collect evidence for one common control, then that evidence is updated across ALL frameworks. This ensures consistency and saves enormous amounts of time and expense.
A control is a statement of how your company meets the requirements of one or more of the SOC 2 criteria. For example, if the criterion is “The entity evaluates security events … then the entity evaluates why and how it can be avoided in the future”, and one of the controls that meets this criterion is that the company has ensured that “Identified security incidents are reviewed and investigated by an incident response team”, the auditor will assess two things:
If yes to both questions, the auditor approves the control.
You and your colleagues perform a gap analysis, customize your policies and controls and then collect supporting evidence (automated reports, policy documents, compliance reports from outside suppliers, etc.). You can do all this starting from scratch: creating all your own policies and controls, manually collecting all the evidence, and so forth. OR, far more easily, you can use a compliance automation platform such as Akitra’s and complete the work more effectively in a fraction of the time, with much less work, at much lower cost, and in a way that is continuous and easily repeatable for future audits.
Next, a certified auditor must audit all this content and all these processes. This means that the auditor goes through all the controls and a sampling of the evidence that the controls were applied, performs some tests to confirm that you’ve done what you say you’ve done, records the results, and provides the necessary attestation that all is good. You then have a SOC 2 report to share with your partners, customers and prospects!
A compliance automation service such as Akitra’s Andromeda Compliance replaces the labor-intensive, traditional approach to compliance. That old approach uses lengthy spreadsheet task lists, endless emailing of questions and comments, and a great deal of emailing and uploading of documents – policies, screenshots, reports, even Slack conversations! All of these become increasingly difficult to track, and the activities of the multiple players involved on both the client and the auditor sides become harder and harder to coordinate.
Most frustrating of all, this entire process then needs to be repeated on at least an annual basis, with a great deal of relearning and repetition of all the steps taken earlier. It’s a terrible money and time sink.
In short, automated compliance is faster, less aggravating, more repeatable and lower cost than the traditional manual approach.
There are two kinds: Type 1 and Type 2.
With a Type 2 report, the key is that the company must be able to show that it was in compliance during the entire period covered by the SOC 2 report. That’s why SOC 2 Type 2 requires continuous monitoring and prompt remediation of any compliance problems as they arise – such as an AWS EC2 instance that isn’t protected by multi-factor authentication or an employee workstation that is not protected by an antivirus program.
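The continuous-monitoring loop described above, as an added example (not Akitra’s code or any product’s API): a small Python script that runs two control checks over a constructed asset inventory, produces a dated evidence record for the run, tracks remediation of each finding, and reports findings that have stayed open past a remediation SLA. The inventory, the field names (`mfa_enabled`, `antivirus_running`), the control labels and the SLA are all assumptions made for this example; the MFA check is applied to identities that sign in (IAM users), since that is where MFA is enforced.

```python
"""
Continuous-monitoring control check (added example, not Akitra's code).

Two SOC 2 style controls are evaluated against a constructed inventory:
  - every IAM (console) user must have multi-factor authentication enabled
  - every employee workstation must run endpoint protection (antivirus)
Each run yields dated findings and a dated evidence record, the kind of
artifact that can be retained to show compliance across a Type 2 period.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional
import json

# Constructed sample inventory; asset types and field names are assumptions.
INVENTORY = [
    {"id": "iam-user-alice", "type": "iam_user", "mfa_enabled": True},
    {"id": "iam-user-bob", "type": "iam_user", "mfa_enabled": False},
    {"id": "ws-0042", "type": "workstation", "antivirus_running": True},
    {"id": "ws-0043", "type": "workstation", "antivirus_running": False},
]


@dataclass
class Finding:
    asset_id: str
    control: str
    detail: str
    detected_at: datetime
    remediated_at: Optional[datetime] = None  # set when the owner fixes it


@dataclass
class Control:
    control_id: str                  # illustrative label, not a TSC identifier
    asset_type: str                  # which inventory entries it applies to
    check: Callable[[dict], bool]    # predicate that must hold for compliance
    description: str


CONTROLS = [
    Control("MFA-REQUIRED", "iam_user",
            lambda a: a.get("mfa_enabled") is True,
            "console sign-in must require multi-factor authentication"),
    Control("AV-REQUIRED", "workstation",
            lambda a: a.get("antivirus_running") is True,
            "workstation must run endpoint protection"),
]


def run_checks(inventory: List[dict], now: datetime,
               controls: List[Control] = CONTROLS) -> List[Finding]:
    """Evaluate every applicable control against every asset; one finding per failure."""
    findings = []
    for asset in inventory:
        for ctl in controls:
            if asset["type"] != ctl.asset_type:
                continue  # control is out of scope for this asset type
            if not ctl.check(asset):
                findings.append(Finding(asset["id"], ctl.control_id, ctl.description, now))
    return findings


def evidence_record(inventory: List[dict], findings: List[Finding], now: datetime) -> dict:
    """Dated, self-describing evidence for one run: what was checked, against what, and the result."""
    in_scope = {c.asset_type for c in CONTROLS}
    return {
        "collected_at": now.isoformat(),
        "controls": [c.control_id for c in CONTROLS],
        "assets_checked": [a["id"] for a in inventory if a["type"] in in_scope],
        "failing": [{"asset_id": f.asset_id, "control": f.control} for f in findings],
        "result": "pass" if not findings else "fail",
    }


def remediate(findings: List[Finding], asset_id: str, control_id: str, when: datetime) -> bool:
    """Close an open finding; returns False if no matching open finding exists."""
    for f in findings:
        if f.asset_id == asset_id and f.control == control_id and f.remediated_at is None:
            f.remediated_at = when
            return True
    return False


def overdue(findings: List[Finding], now: datetime, sla: timedelta) -> List[Finding]:
    """Findings still open for longer than the remediation SLA."""
    return [f for f in findings if f.remediated_at is None and now - f.detected_at > sla]


if __name__ == "__main__":
    run_time = datetime(2022, 3, 7, 9, 0, tzinfo=timezone.utc)
    found = run_checks(INVENTORY, run_time)
    print(json.dumps(evidence_record(INVENTORY, found, run_time), indent=2))
    # Bob enables MFA two hours later; the workstation is left unfixed.
    remediate(found, "iam-user-bob", "MFA-REQUIRED", run_time + timedelta(hours=2))
    for f in overdue(found, run_time + timedelta(days=2), timedelta(hours=24)):
        print("OVERDUE:", f.asset_id, f.control, "open since", f.detected_at.isoformat())
```

Running the script prints the evidence record for the run and then flags the workstation as overdue, because it is still open two days after detection with a 24-hour SLA, while the MFA finding was closed in time. The evidence record carries its own timestamp and the list of assets and controls it covers, which addresses the auditor’s usual objection to evidence that has no date or context.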
It depends on several factors. For example, how mature are your organization’s processes, such as having well-defined policies covering security, employee onboarding, disaster recovery and confidentiality? If your firm lacks these, and the associated controls and procedures to implement them, it’s going to take you longer, even if you take advantage of the policy templates provided by a service such as Akitra’s Compliance.
For SOC 2 Type 1, performing a basic risk assessment, defining policies and controls, and collecting evidence might take a younger company that has never been through the compliance process about six weeks, followed by one week of auditing and one week to draft the final report. A more experienced company that has been through the SOC 2 process before and is using Akitra’s compliance automation can easily cut that time in half.
For SOC 2 Type 2, add in 3-6 months of monitoring, since evidence needs to be regularly collected over a period of time to demonstrate continuous compliance.
The single most important thing you can do to speed up the beginning-to-end compliance process is to use a compliance automation platform. Beyond that, some practices that can speed up the compliance process include having a dedicated compliance coordinator to manage the whole project, communicating to key players the importance of responding promptly to compliance information requests, and having an executive sponsor.
Pen testing (short for penetration testing) is conducted both for gap identification and for validating that the changes made as part of the SOC 2 process have achieved their intended result. Both Akitra and independent firms such as Prescient Security offer this service, using a variety of tools, and probe the client’s network and service looking for vulnerabilities such as missing user authentication, applications with known vulnerabilities, SQL injection flaws and system misconfigurations.
Almost all auditors insist on the use of pen testing as part of the audit. It is an excellent practice that will make your security more robust and build confidence among your customers that your service is truly secure.
There are three main costs:
If your firm opts for third-party pen testing services, this would be an additional cost.
A compliance automation service like Akitra’s will guide you through the process methodically and systematically, with many of the mundane tasks of evidence collection actually automated. But since SOC 2 is a flexible framework that allows a lot of freedom in how companies design and implement their controls, a simple checklist would never be adequate. Without automation, expect to be mired in lengthy spreadsheet task lists, tracking potentially hundreds of emails and text threads, and endlessly hounding your colleagues to meet their deadlines to provide needed evidence.
There are several potential areas where problems might arise. If the company’s policies and its controls are not aligned, then one or both needs to be changed. If evidence that the controls were actually implemented is not available, then the audit period may need to be reset to a later time period. If the evidence is sloppy – for example, screenshots provided without context or dates – the auditor may reject it. Compliance automation can typically solve all these problems.
Auditors will give their clients a remediation period to fix problems that have been identified — a week or two is typical. But, if the problems are severe enough and are not remedied in a timely way to the satisfaction of the auditor, she may issue a “qualified opinion”, which points out some of these flaws.
Your customers don’t want to see that. So, a qualified opinion is to be avoided at almost any cost – and Akitra’s compliance automation service will help you do so.
Life should be so easy but alas, no. A SOC 2 Type 1 report covers only a point in time — a specific date. A SOC 2 Type 2 report covers a specified period of time, such as one year. If another year passes by and you do not have your company re-audited, your customers are likely to worry that you may very well be no longer compliant. That’s the business reason that SOC 2 audits need to be performed regularly, typically once a year. In between audits, you and your compliance automation service provider need to be continually monitoring your compliance and collecting evidence to prove it.
It depends what you want the scope of the report to be. According to the AICPA, the report can cover (a) an entire company; (b) a subsidiary, division, or operating unit level; (c) a function relevant to the company’s operational, reporting, or compliance objectives; or (d) a particular type of information used by the company.