SOC 2 – NOT A Compliance Framework!
People left wondering where it all went wrong
For years, companies (and even CPA firms) have described their services as “SOC 2 compliant” or “SOC 2 certified”. To the surprise of many, SOC 2 is not a certification at all but an attestation: an independent CPA examines management’s assertion about its controls and issues a report containing the auditor’s opinion. “I had no idea, and I also don’t know what attestation means,” one user said. This ByteChek reporter helped by providing a link to the ByteChek blog post titled What is an Attestation Report to clear that up.
Because SOC 2 is an attestation, think of it as a reporting framework rather than a compliance framework. In a compliance framework, you have to meet the specified requirements of that framework in order to “pass”. With SOC 2, the Trust Services Criteria are used to evaluate your controls, but the criteria describe outcomes to be achieved, not the specific controls you must implement: you design the controls, and the auditor tests whether they are suitably designed (and, in a Type 2 report, operating effectively) to meet the criteria. For example, some frameworks require passwords of at least 12 characters with numbers, letters, and special characters. Under SOC 2 you could, in theory, have 6-character, letters-only passwords and still meet the logical access criteria, provided your controls as a whole prevent unauthorized access. (Although this reporter would recommend something stronger, and an auditor will expect to see how such a weak password policy is compensated for, such as with multi-factor authentication, before concluding that the control is suitably designed.)
“This is why SOC reports have assertions and opinions,” says Jeff Cook, ByteChek CFO. For more information about understanding why SOC is a reporting framework, see ByteChek’s SOC 2 content pages.