<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

We're blowing the whistle on Legacy PAM 🏀 Join us for an Access Madness Webinar on March 28

Search
Close icon
Search bar icon

SOC 2 Compliance: 2024 Complete Guide

Everything you need to know about SOC 2 in one place
Last updated January 9, 2023 • 5 min read •
Justin McCarthy, author of SOC 2 Compliance: 2024 Complete Guide | StrongDM
Written by Co-founder / CTO StrongDM
Andrew Magnusson
Reviewed by Customer Engineering Expert StrongDM

Summary: In this article, we’ll take a comprehensive look at SOC 2 and the requirements for certification. You’ll learn what SOC 2 is, who it applies to, why it’s important, and how it benefits an organization. By the end of this article, you’ll have a clear understanding of the differences between Type 1 and Type 2 assessments, the SOC 2 Trust Principles underlying these assessments, and the criteria auditors use to evaluate and report on the associated controls.

What is SOC 2?

SOC 2 stands for “Systems and Organizations Controls 2” and is sometimes referred to as SOC II. It is a framework designed to help software vendors and other companies demonstrate the security controls they use to protect customer data in the cloud. These controls are called the Trust Services Principles and include security, availability, processing integrity, confidentiality, and privacy.

For organizations evaluating SaaS or cloud services providers, compliance with SOC 2 is a minimum requirement. This is because it confirms to the customer that you have a certain level of maturity around security best practices.

What SOC 2 is not

It’s important to note that SOC 2 compliance is neither a legal requirement nor a proxy for actual security best practices. While the assessment covers the core departments and processes that interact with sensitive data, it’s not driven by HIPAA compliance or other regulations and standards.

Certification is performed by external auditors and not by the government, and the resulting report merely confirms that the processes you self declare are actually being followed in practice.

Nevertheless, the significance of the role of SOC 2 in data security cannot be underestimated. Understanding its origins can help to explain why.

History of SOC 2

SOC 2 evolved from the Statement on Auditing Standards (SAS) 70, an old audit that Certified Public Accountants (CPAs) used to assess the effectiveness of an organization’s internal controls.

While security was included under the umbrella of internal controls, it came to the attention of the American Institute of Certified Public Accountants (AICPA) that some organizations were offering SAS 70 reports as proof they were safe to work with. In response, AICPA replaced SAS 70 with the Statement on Standards for Attestation Engagements (SSAE) 16 report, which was later renamed Systems and Organizations Controls 1 (SOC 1).

A SOC 1 report gives your company’s user entities some assurance that their financial information is being handled safely and securely. SOC 1 reports come in two flavors: Type 1 and Type 2. A Type 1 report shows that your company’s internal financial controls are properly designed while a Type 2 report demonstrates that your controls operate effectively over a period of time (e.g., over a 12-month period).

Then in 2009, AICPA introduced SOC 2 as an audit report with a strict security focus and issued the five Trust Services Principles. These principles were defined as “a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled system and privacy programs.”

SOC 1 differs from SOC 2, which can be summarized as follows:

  SOC 1 SOC 2
What is it? Assess and report on a service organization’s internal controls’ impact on customers’ financial statements Assess and report on a service organization’s internal controls regarding the security, availability, processing integrity, confidentiality, and/or privacy of customer data (i.e., the “Trust Services Principles”)
What's the scope? The processing and protection of customer data, spanning both business and IT processes Any combination of the five Trust Services Principles
Who uses it? Executive teams, external auditors Executive teams, sales teams, business partners, prospective customers, regulators, external auditors
What's an example?

A company provides outsourced billing services for hospitals.

The hospitals that want to audit the security controls of the billing provider can be given a SOC 1 report as evidence.

A SaaS company provides a service of storing and protecting customer data.

Instead of having customers inspect the security measures and systems in place to protect their data, the SaaS company can just give customers a copy of the SOC 2 report that details the controls in place to protect their data.

Simply stated, the SOC 2 principles represent the criteria to be used to evaluate and report on an organization’s controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems.

AICPA further stipulated that it was not necessary to address all the Trust Service Principles, and that an organization should select only those relevant to their own services.

Who Does SOC 2 Apply To?

SOC 2 is specifically designed for service providers that store customer data in the cloud, as a way to help them demonstrate the security controls they use to protect that data. As such, it applies to nearly every SaaS company and cloud vendor, as well as any company that uses the cloud to store customer information.

If you’re reading this, there’s a pretty good chance SOC 2 applies to you.

Importance of SOC 2 Compliance

From the point of view of a potential customer, working with a vendor that has fulfilled the SOC 2 requirements is a guarantee of sorts. It means you can provide the information and assurances they need regarding how you process users’ data and keep it private.

But facilitating organizational oversight isn’t the only point of SOC 2 compliance.

According to AICPA, the reports produced during the process of achieving compliance can also play an important role in:

  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

Benefits of SOC 2 Compliance

SOC 2 makes requests for information (RFI) easier to manage

Credibility

At a fundamental level, SOC reports show potential customers that you’re serious about integrity, ethics, and security throughout your operations. Being able to demonstrate that you have the proper people, policies, and procedures in place to handle a security incident and respond accordingly places you firmly on the candidate list—which is the first step towards being selected as the preferred provider.

Faster Sales Cycles

Showing compliance can also speed up your sales cycle. Pitching new businesses can be easier on your sales team because they will very likely be spared the burden of completing endless RFIs during the sales process. Instead, they can simply submit the company's SOC 2 reports.

Long-term Business Success

Perhaps the most important benefit arises from the work required in terms of preparation for the SOC 2 Type 2 assessment. This is covered in more detail below, but it essentially requires you to install long-term, ongoing internal practices that will ensure the security of customer information. By their very nature, these practices will ensure the long-term success of your business.

SOC 2 Types

Becoming compliant typically takes six months and requires the completion of two audits by third-party assessors. The SOC 2 Type 1 audit is designed to assess the design of your security processes at a particular point in time, while the subsequent SOC 2 Type 2 audit involves verifying the operating effectiveness of your internal controls over the longer term. Completion of the Type 1 audit is a prerequisite for Type 2.

SOC 2 Type 1 (Type I)

You’ll begin by forming a multidisciplinary team, electing an executive sponsor, and identifying an author who can collaborate with each team lead and translate their business needs into policies.

Using the AICPA Trust Services Principles as your base and selecting only those that apply to your services, you’ll then define the scope of the audit and write and refine the appropriate policies.

You can expect this to take around two months to implement, test, and fine-tune the policies before you’re ready to book a formal assessment. The assessment typically includes interviews with staff, walkthroughs of your physical space, and a thorough review of your documentation. Once the auditor has worked with you to clarify any necessary exceptions, the SOC 2 Type 1 report will be generated.

To take a deeper dive, check out: SOC 2 Type 1 Guide: Everything You Need To Know

SOC 2 Type 2 (Type II)

You can’t embark on the preparations for the Type 2 audit until you’ve been through the Type 1 process. This is because while the Type 1 audit assesses processes and policies, the Type 2 audit verifies the effectiveness over time of the controls you’ve instituted to ensure those processes and policies are followed.

To walk through the complete path to a Type 2 audit, read: SOC 2 Type 2 Guide: Everything You Need To Know

SOC 2 Controls

The 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy documents the control criteria which have been established by the Assurance Services Executive Committee (ASEC) of the AICPA. These are the criteria your selected auditor will use to evaluate and report on the controls you have put in place to ensure the security, availability, processing integrity, confidentiality, or privacy of information and systems.

The Trust Services Criteria consist of:

SOC 2 Certification

To attain SOC 2 certification, you must ensure compliance across the Trust Services Criteria. Five main principles are used to measure and report upon this, which include:

Security This principle gives a customer reasonable assurance that their data is safe and secure, and demonstrates that systems are protected against unauthorized access (both physical and logical).
Availability Besides the security principle, availability is the second most common principle chosen for the SOC 2 examination. It focuses on systems being available for operation and use.
Processing Integrity This principle focuses on system processing being complete, accurate, timely, and valid.
Confidentiality The confidentiality principle ensures information deemed confidential is protected as committed or agreed.
Privacy The privacy principle refers to how personal information (first name, last name, address, phone number, etc.) is collected, used, retained, disclosed, and disposed of. It ensures your data handling practices align with your privacy notice and use the criteria defined in privacy principles issued by the AICPA.

Not every SOC 2 report must include all five principles, so figuring out which Trust Services Principles apply is key to defining the system boundaries and the scope of the audit—and to maintaining your sanity.

For example, if you run a data center and offer data storage to customers, but your client does all the data processing on their own systems, then the security and availability principles—but not the processing integrity principle—would apply. If the stored data contains personal information, then the privacy principle would also be in scope for your service organization.


About the Author

, Co-founder / CTO, originally developed empathy for Operations as a founding and pager-carrying member of many operations and data teams. As an Executive, he has led Engineering and Product in high-throughput and high-stakes e-Commerce, financial, and AI products. Justin is the original author of strongDM's core protocol-aware proxy technology. To contact Justin, visit him on Twitter.

Table of Contents
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen
StrongDM app UI showing available infrastructure resources
Connect your first server or database, without any agents, in 5 minutes.