SOC 2 Compliance: What is it? Why do you need it?
Today's digital landscape continues to outpace most companies’ ability to adapt. The staggering amount of data amassing from our collective passive and active digital footprint is a case in point: IDC estimates data generated from connected IoT devices to be 73.1 zettabytes by 2025, growing from 18.3 zettabytes in 2019.
This data, much of it derived from industrial IoT applications, is under constant threat of security attacks. NETSCOUT Threat Intelligence reported 26,000 attacks per day in the first half of 2021, which equates to 18 attacks per minute.
These facts beg the question: What is the current best practice for business owners and security leaders seeking to navigate this potentially treacherous situation?
This is where Service Organisation Controls (SOC) 2 certification comes in.
What is SOC 2?
Designed and introduced by the American Institute of Certified Public Accountants (AICPA), SOC 2 is a rigorous external audit performed to assess a company’s internal security controls.
While SOC 2 Compliance is not a government-mandated requirement, savvy security leaders may find that this certification is just what their company needs to proactively and objectively scrutinise their organisation’s current data management strengths and weaknesses.
Put simply, SOC 2 certification evaluates an organisation’s ability to manage customer data based on five Trust Services Criteria (TSCs): security, availability, processing integrity, confidentiality and privacy.
Security
Are your systems protected against unauthorised access and disclosure of information? This criterion focuses on security policies and their respective procedures for protecting information and systems. These often include user access control, risk assessment, device configurations, communication and information, familiarity and compliance with laws and regulations, and crisis management.
All organisations working towards SOC 2 Compliance are required to have a security audit, as this is the only required common TSC.
Availability
Are your systems and information readily available to your stakeholders so that your organisation can meet its objectives at any given point? This criterion examines the handling capacity of the system’s overall infrastructure, data, and software. This often includes data backup and recovery plans, detection measures, and response to environmental threat events.
This TSC applies to organisations that offer financial services or deal with e-commerce transactions and are particularly concerned with downtime and Service Level Agreements (SLAs).
Confidentiality
Do your systems process information in a way that aligns with your confidentiality requirements, and do they continuously adhere to your contractual obligations and commitments? This criterion evaluates the handling of confidential information such as banking information, legal documents, business plans, and transaction details, and it tests the degree of protection provided by the corresponding controls and processes.
Organisations that regularly deal with highly confidential and sensitive data should pay particular attention to this TSC.
Processing integrity
Are your systems’ operations complete, accurate, and timely, with authorised inputs that are consistently aligned with your policies? Processing integrity focuses on the stability of documentation and implementation. Its scope also includes corrective measures and data maintenance.
This TSC is applicable to organisations whose stakeholders execute crucial operational tasks on the systems, such as data processing and business processing.
Privacy
Does your organisation collect, use, retain, and disclose personal information in conformity with your published privacy notice? Are your policies and processes in compliance with the 10 points outlined in the Generally Accepted Privacy Principles (GAPP): Management; Notice; Choice and Consent; Collection; Use, Retention and Disposal; Access; Disclosure to Third Parties; Security for Privacy; Quality; and Monitoring and Enforcement? As the largest of the five criteria, Privacy is the standard that focuses on privacy incidents and breach control.
A privacy TSC audit is particularly important for organisations that deal with individuals directly and collect personal information for processing, storage, and safekeeping.
In general, organisations can proceed with only the required Security criterion in their SOC 2 report. But depending on the scope of your organisation, you can also ask to be assessed against any combination of the other TSCs.
Do you need SOC 2? A Quick Self-Assessment
Here are some prompts to further assist you in making an informed decision on whether to consider SOC 2 compliance. Check all the boxes that apply to you:
- You have any kind of web application that stores data from end-user customers.
- You own e-commerce sites or have a cloud platform like a SaaS application.
- You value security and transparency in the way you conduct business.
- You aspire to be reliable at all times for your team and stakeholders.
- You plan to go big and scale your business in the near future.
If you’ve checked any of the boxes above, you may find that SOC 2 compliance is a worthwhile endeavour to take on.
For many business owners and security leaders, Service Organization Controls 2 certification ticks a lot of boxes: by having their current procedures and protocols externally assessed, it assures their clients that the organisation strives to maintain best practice in managing customer data. As you consider this for your organisation, here are some factors to keep in mind:
Not all organisations see the need to prioritise and set aside a budget for audit purposes. However, the adage “an ounce of prevention is worth a pound of cure” still rings true today. By adopting a forward-looking approach, you can save on compliance costs further down the road.
2021 brought a record number of cyber threats such as data breaches, identity theft, and unauthorised access. More and more users are mindful of whom they entrust with their information and business. SOC 2 compliance shows clients that keeping their data safe is one of your top priorities.
While SOC 2 compliance might seem overwhelming, especially when you don’t know where, when, and how to start, once you’ve decided to follow through with it you’ll gain crucial insights that can help you obtain further industry certifications. You’ll also be able to strategically revise your policies and procedures, making your organisation better able to proactively manage data.
In preparation to become SOC 2 certified, finding the right vendor is an important step to align the scope of your SOC 2 report with the industry expertise you’d like to highlight.
Victor Chin, Pragma’s head of Cloud Operations, advises that “while you don’t have to screen for all five of the TSC categories, the current trend from organisations seeking the SOC 2 report leans toward the Security, Availability, and Confidentiality categories because those are more cybersecurity-related.”
To break down the process, Chin explains that security leaders or business owners do an “initial assessment to figure out, for example, what they currently have in terms of the procedures and the documentation required in SOC 2 based on AICPA TSC. We’ll read that document, what they have and what they do, and then see if it's meeting the requirements.”
He also added that for SOC 2 certification, it’s imperative that organisations are already collecting the evidentiary data they’ll need for the audit. Chin cautions that SOC 2 is not an easy audit, and therefore, without the foundations in place and initiatives to work towards the compliance requirements, the organisation is most likely to fail the audit.
This is where Pragma Consultancy can help with SOC 2 compliance. Chin leads a team that works with organisations to conduct a readiness and gap assessment and to help plan which TSC categories to include in the SOC 2 report.
Whether it’s a policy, procedure, a system that needs to be implemented, or any documentation work, Chin assures that “we can design the process for them. But of course, they have to go change the internal process to become compliant with whatever we propose. If they need to implement a system or some services like incident response services, or they want to use Cloud Control that would help them with their compliance as well.”
As a general rule, Chin suggests that “the more sensitive the data and storing, the more you should get the SOC 2.”
FAQs on SOC 2
What is SOC 2?
SOC 2 is a security compliance certification or assurance process for service organisations designed by the American Institute of Certified Public Accountants (AICPA).
How does it work?
You enlist a SOC 2 compliance consultant to conduct readiness and gap assessment within your organisation. The consultant will work with you on the variances until you have all the required policies and procedures for compliance along with their respective documentation. The consultant will then determine your overall preparedness. Note that only an independent, certified CPA can carry out the SOC 2 audit and provide the report.
How long does it take?
Depending on your existing policies and procedures and how seamlessly they function, as well as the TSC categories you’ve selected and other logistical factors, the preparation can take months.
How long is the report valid?
The SOC 2 report is valid for one year after the date of issue.
What does it do?
The SOC 2 report is a tangible, valuable tool that shows how your company has gone above and beyond to attain a significant level of competency and security in the way you conduct your business. As a result, more entities will feel confident to work and grow their business with you.
What is the difference between SOC 1, 2, and 3?
The SOC 1 report addresses controls over financial reporting. The SOC 2 report applies to any service organisation with internal controls over customer systems and data processing. The SOC 3 report is similar to SOC 2 but contains less detail on internal operations and is intended for general public distribution as a broad assurance.
Still unsure? Contact us and we’ll be happy to set up a free consultation.
Pragma is a global Cyber Security and Regulatory Consulting firm that helps leading businesses, governments, and not-for-profit organisations strengthen cyber and regulatory resilience with a pragmatic approach.