Protecting customers’ data is a concern for all organizations regardless of industry or size. Most organizations outsource key aspects of their business to third-party vendors such as Software-as-a-Service (SaaS) solutions or cloud hosting providers (e.g., Amazon Web Services, or AWS). As companies continue to share the responsibility of protecting sensitive data, the cybersecurity practices implemented at these vendors come under increasing importance and scrutiny.
Third-party assessments are a common way for organizations to prove their cybersecurity practices to vendors, customers, and prospects. SOC 2 examinations have become one of the de facto standards for organizations to prove how they securely manage their customers’ data to protect their interests and privacy. For most organizations conducting business with a SaaS provider, a SOC 2 examination is a minimum requirement. SOC 2 reports are also common for other service organizations such as law firms, marketing agencies, accounting firms, healthcare organizations, and more. This guide will provide an overview of:
- What is SOC 2 (and Why Does It Matter)?
- Key SOC 2 Terms to Know
- SOC 2 Report Use
- Types of SOC 2 Reports
- Sections of a SOC 2 Report
- SOC 2 Trust Services Categories
- When To Consider Pursuing a SOC 2 Examination
- Automating SOC 2 Readiness Assessments
- Five Benefits of Earning a SOC 2 Report
What is SOC 2 (and Why Does it Matter)?
System and Organization Controls 2, or SOC 2, is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA). It is intended to meet the needs of a broad range of customers and vendors that require information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by those systems.
A SOC 2 report is an internal control report, issued by an independent CPA, on the services a service organization provides. These reports:
- Are useful for evaluating the effectiveness of controls related to the services performed by a service organization
- Help readers understand how the service organization fits into the supply chain of providing services to customers
- Reduce the compliance burden by providing one report that addresses the shared needs of multiple users
- Enhance the service organization’s ability to obtain and retain customers
With the prevalence of SaaS companies in the industry, organizations are outsourcing information technology infrastructure to service organizations such as cloud hosting providers (e.g., AWS). These organizations are often tasked with proving to their customers and vendors that they are adequately protecting the sensitive data of their customers. For some, it’s a legal obligation; for others, it’s critical for customer validation. Service organizations obtain SOC 2 reports to demonstrate they have certain controls in place to mitigate security, availability, confidentiality, processing integrity, or privacy risks. A SOC 2 report includes the opinion of a CPA firm, such as Bytechek Assurance, on control design and, where applicable, on operating effectiveness over a period of time.
Take AWS as an example. AWS is the market leader in cloud computing, commanding over 30% of the cloud computing market share. That is a lot of customers! These customers are often concerned with how AWS is protecting their sensitive data and how AWS is addressing the risk of AWS’ systems and data being compromised. AWS does not want to respond to each individual customer’s request related to the security of the cloud infrastructure. AWS, along with most service organizations, has opted to undergo a SOC 2 examination by an independent CPA firm to answer these requests. This report answers most, if not all, of the questions asked by their customers related to security, availability, confidentiality, processing integrity, and privacy.
Key SOC 2 Terms To Know
- Applicable trust services criteria: The criteria codified in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, used to evaluate controls relevant to the trust services category or categories included within the scope of a particular examination.
- AICPA: American Institute of Certified Public Accountants.
- Control activity: An action established through policies and procedures that helps ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
- Service auditor: As used in this guide, a CPA who performs a SOC 2 examination of controls within a service organization’s system relevant to security, availability, processing integrity, confidentiality, or privacy (i.e., Bytechek Assurance).
- Service organization: An organization, or segment of an organization, that provides services to user entities (i.e., your company).
- SSAE 18: The attestation standard for SOC engagements. Relevant sections include AT-C Section 105 and AT-C Section 205.
- Subservice organization: A vendor used by a service organization that performs controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved.
- Trust Services Categories: The five categories a service organization can be evaluated against: Security, Availability, Confidentiality, Privacy, and Processing Integrity.
SOC 2 Report Use
SOC 2 report readers should understand who the service organization is, what services they provide, and how those services are delivered and managed. Without this knowledge, the report can be confusing and cause misunderstandings. Examples of intended users of a SOC 2 report are:
- Service organization internal personnel
- Customers of the system
- Business partners subject to risks from interactions with the service organization or system
- Prospective customers going through vendor due diligence on the service organization
- Regulatory agencies or authorities
Because of the sensitive nature of a SOC 2 report and its intended users, a SOC 2 report is considered a restricted-use report and should only be provided to readers under a non-disclosure agreement or other confidentiality agreement. In the event your company needs or wants a report that is for general use, it can opt to undergo a SOC 3 examination. A SOC 3 report is a general-use report that can be made publicly available. A SOC 3 report does not include the full system description (Section 3) or the description of the service auditor’s tests of controls and the results thereof (Section 4). Distributing a SOC 2 report for marketing purposes is ill-advised because Sections 3 and 4 contain sensitive information about the system and the results of control design or operating effectiveness testing; this is why SOC 2 reports are considered restricted-use reports. SOC 3 reports can be posted on the company website and include limited information about the system and the results of the examination. For example, AWS makes its SOC 3 report available for download as a PDF.
Types of SOC 2 Reports
In a SOC 2 examination, organizations can undergo a SOC 2 Type 1 or SOC 2 Type 2 examination. A Type 1 examination is a report on the controls at a service organization at a specific point in time, whereas a Type 2 examination is a report on the controls at a service organization over a period of time. The period of time evaluated in a SOC 2 Type 2 examination is typically between 3 and 12 months.
A Type 1 examination is generally seen as the first stepping stone for an organization pursuing a SOC 2 examination. This report is a great way for companies to prove to their customers and vendors that they take security seriously and have partnered with a third-party auditing firm to prove their security. At Bytechek, we recommend that all companies pursue a SOC 2 Type 1 examination prior to beginning their SOC 2 Type 2. The level of effort and time it takes to earn a Type 1 examination is significantly lower than a Type 2 examination.
The level of effort decreases because your company is being evaluated at a point in time. This reduces evidence requirements and eliminates any requirement to sample-test controls over a period of time. For example, in a Type 2 examination, your auditors may ask you to provide evidence of security awareness training for a sample of new hires over a three-month period. In a SOC 2 Type 1 examination, by contrast, your auditors should only ask you for one example of a new hire’s completion of security awareness training.
There is no AICPA requirement to undergo a Type 1 examination before a Type 2, but at Bytechek this is the recommended way to reduce the risk of exceptions or deviations in your first Type 2 report. Earning a Type 1 before your first Type 2 does not guarantee that your Type 2 report will be free of exceptions or deviations, but it does mitigate the risk by providing clear and direct insight into the type of evidence and processes expected for every control that will be evaluated. Your customers can rest assured knowing that your Type 1 is a stepping stone to your Type 2. Bytechek provides every customer with a confirmation of the engagement letter, which can be shared with your customers to outline the scope and timeline of your Type 1 and Type 2 reports.
Sections of a SOC 2 Report
In a SOC 2 report, there are five sections to be aware of. Below is an overview of these sections and their components:
Section 1: Independent Service Auditor’s Report:
- Service Organization’s Responsibilities
- Service Auditor’s Responsibilities
- Inherent Limitations
- Description of Tests of Controls
- Restricted Use
- Service Auditor Signature (Bytechek Assurance), city and state, date of the report
Section 2: Management’s Assertion
- Facts and assertions made by the management of the service organization
- A statement that management confirms, to the best of its knowledge and belief, that the description was presented in accordance with the applicable description criteria and that controls were suitably designed and, in Type 2 examinations, operating effectively over the period
- The service organization is responsible for the completeness and accuracy of what is provided during the assessment
Section 3: System Description
- Overview of services provided
- Principal Service Commitments and System Requirements
- Components of the system (Infrastructure, software, data, people and procedures)
- System Incident Disclosures
- Applicable Trust Service Criteria
- Complementary User Entity Controls and Responsibilities
- Complementary Subservice Organization Controls
- Non-applicable TSCs
- Significant changes during the review period
Section 4: Trust Services Categories, Criteria, Related Controls and Tests of Controls Relevant to In-Scope TSCs
- Trust Services Criteria and Control Activities
- Bytechek Assurance Tests of the Controls (Type 1 reports do not include tests of controls or results of testing)
- Results of Tests
Optional Section 5: Other Information Provided by Management That Is Not Covered by the Service Auditor’s Report
- This section is not audited by your service auditor; management controls what is documented and presented in Section 5. In our experience, this section generally includes:
- Management’s responses to any deviations or exceptions. This section allows you to explain the circumstances surrounding the deviation and outline the remediation steps you have taken since the deviation was identified. For example, if your service auditor found a deviation related to a new hire completing security awareness training, you could explain to the readers of your report that this new hire missed training because they were out of the office but have since completed it.
- A mapping of SOC 2 controls (from Section 4) to additional frameworks such as ISO 27001, HIPAA, HITRUST, CSA STAR & more. Prior to investing the time and money into additional cybersecurity compliance frameworks or certifications, Bytechek recommends using Section 5 of your report to assess the business need or demand for additional certifications or frameworks. We have found that most customers will accept a mapping of your SOC 2 controls in Section 5 to answer any questions they may have about your compliance with other standards or frameworks.
SOC 2 Trust Services Categories
There are five Trust Services Categories (often mistakenly referred to as Trust Services Principles) that a client can choose to be evaluated against in a SOC 2 examination. The five Trust Services Categories and their definitions, as defined by the AICPA, are:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the entity’s objectives.
Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
When To Consider Pursuing a SOC 2 Examination
The best day to consider pursuing a SOC 2 examination is when you started your company, the second-best day is today. In our experience, a SOC 2 examination is pursued as a reaction to a request from a customer or vendor. This reactionary response leads to the nightmare stories you have probably read about regarding the SOC 2 process. Undergoing your first SOC 2 examination when you have a big deal or potential strategic partnership on the line can be a stressful and operationally draining experience.
Starting your SOC 2 journey prior to receiving a request from a customer or vendor is analogous to the famous quote by Benjamin Franklin, “An ounce of prevention is worth a pound of cure.” Preparing for your inevitable SOC 2 examination does not mean you have to undergo an audit by a third-party professional services auditing firm or pay exorbitant auditor fees. The Bytechek platform is designed for organizations that are taking a proactive approach to cybersecurity preparedness and readiness. Our fully integrated platform quickly assesses your technology stack against the SOC 2 criteria, providing detailed recommendations and implementation guidance in minutes.
Automating SOC 2 Readiness Assessments
It is possible to automate your readiness assessment using the fully integrated Bytechek platform. Our platform is built to quickly assess your organization’s gaps related to the Security, Availability, and Confidentiality Trust Services Categories, instead of spending weeks working with a large auditing team, sitting through long and arduous remote interviews, and following archaic evidence collection procedures.
You can quickly integrate your cloud hosting, security information and event management (SIEM), version control, human resources information system (HRIS), and other relevant tools with the Bytechek SaaS platform. This eliminates the need for third-party auditors because our intelligent platform automatically provides recommendations for the control gaps or security weaknesses it identifies. This frees up your team and resources to begin remediation efforts and ultimately earn your SOC 2 Type 1 report.
Five Benefits of Earning a SOC 2 Report
- Enable Sales to unlock new markets and close deals faster
- Prove security to customers and vendors with one report (audit once, use many)
- Leverage the flexibility of the SOC 2 reporting framework to differentiate your company from its competitors
- Demonstrate the maturity of your security program
- Accelerate the customer onboarding and due diligence process, eliminating vendor security questionnaires
Potential and existing customers want to know that organizations have taken all necessary measures to protect the sensitive data processed by the service. SOC 2 examinations, facilitated by an independent CPA firm, enable the service organization to demonstrate the safeguards in place relevant to the security, availability, and processing integrity of the systems used to process sensitive data, and the confidentiality and privacy safeguards in place to protect that data. These reports allow organizations to demonstrate security as a differentiator, accelerate the vendor due diligence process by undergoing one audit to respond to multiple customer requests, and, most importantly, assess the information security risks your organization is facing.
Talk to us to schedule a consultation for your SOC 2 needs or see a demo of our product so we can show you how compliance can suck less!