SOC 2 compliance means having controls in place to meet industry standards for security, privacy, availability, processing integrity, and confidentiality.
In 2019, 86% of IT security pros ranked SOC 2 as an important, very important, or essential part of their cybersecurity strategy, according to a survey by the Ponemon Institute. And with 63% of companies reporting data breaches (up from 59% in 2019), it's no wonder that number is so high.
SOC 2 is about meeting industry standards for security, availability, processing integrity, privacy, and confidentiality--all growing priorities for companies across a variety of industries and niches.
So, what exactly is SOC 2? And what does your business need to know about getting—and staying—compliant? Here's a beginner's guide.
Wait…why SOC 2 instead of 1 or 3?
As you might have guessed, SOC 2 isn't the only SOC around. Developed by AICPA, there are two other types of SOC reports.
SOC 1 is focused on meeting financial standards, and SOC 3 is a high-level, public-facing report with no confidential information. When a customer or client requests a SOC report, it's always good to confirm which one they're after. But if they're talking about security and data, chances are what they're looking for is SOC 2, as it is considered the gold standard.
Why does SOC 2 compliance matter? (And why now?)
With risks rising and awareness about data security at an all-time high, it's no longer enough to say you have good security practices in place. A growing number of companies across a variety of industries are requiring that vendors prove it with a SOC 2 report.
This means getting your policies and controls in order and tracking your compliance religiously over time, and it applies to any service provider that stores, processes, or transmits customer or client data in the cloud (which is just about all of us, these days).
Now, if you haven't had a prospective client ask for a report yet, you might be tempted to put the process of compliance off. But the reality is that it can take companies months, if not years, to become SOC 2 compliant. Not to mention that most SOC 2 report requests are SOC 2 Type 2 report requests, meaning you're being asked to prove you have stayed compliant over a long period of time (more on this in a minute).
Since compliance itself is a process and you'll need to prove that compliance over time, experts recommend making it a priority now—before you're asked to provide a report. Once a company asks for a report, if you're not compliant, chances are you're already way behind the competition.
Steps to SOC 2 compliance
SOC 2 standards focus on five trust services criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. Only security is required for a SOC 2 audit and report. However, many companies will opt to include additional scope, depending on their industry and the types of data they process.
No matter which criteria you're evaluating, auditors will look at how effectively your controls are operating, how quickly you respond to risks or incidents, and how well you communicate about risks, changes, and priorities within your organization.
According to the AICPA standards, security means:
"Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to achieve its objectives."
This means following best practices like two-factor authentication, access controls, identity management, encryption, breach alerts, and maintaining firewalls. It also means having well-documented security policies and procedures and a good security training program and enforcing best practices with your infrastructure provider and vendors, among other things.
Systems meet availability standards as outlined in a Service Level Agreement (SLA).
There is no set performance level required in the SOC 2 standard, so when auditors evaluate availability, they're looking at whether you keep your promises in the SLA (if you guarantee 99.95% availability, are you hitting that metric?) and what systems you have in place to ensure performance and support disaster recovery and incident management.
As the AICPA standards explain, processing integrity is when "system processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives."
In simple terms, this means the systems process as expected or promised. Auditors look for good monitoring and quality assurance practices, as well as error reports and how quickly system issues are addressed.
Data is safe from unauthorized access.
Meeting confidentiality standards typically means having encryption, access controls, and firewalls in place to protect customer data. It may also mean robust user permissions that ensure data is only accessible to those in the organization who truly need it.
In some cases, confidentiality or privacy laws like GDPR or the California Consumer Privacy Act (CCPA) come into play here and the auditor will be looking at compliance from a legal standpoint as well as an industry standard one.
While privacy standards apply specifically to customer data, confidentiality may also include protecting clients' intellectual property, trade secrets, etc.
Personally identifiable information (PII) is private and users have full control over its use.
This piece of the compliance puzzle is particularly important in light of ever-growing privacy regulations like GDPR and CCPA.
In this category, auditors are specifically looking for how well you communicate with customers about their data. This means customers should always know how you'll use their data, how they can access and update their data, and what their options are for opting out, limiting data use, deleting their data, etc. You'll also need to have practices in place to communicate with customers if there is a data breach or incident along the way.
Standards also ask auditors to look at best practices around data access, retention, and deletion and to make sure you monitor your privacy compliance on an ongoing basis, keeping track of privacy-related complaints, disputes, and incidents.
SOC attestation reports
When a prospective customer asks for a SOC 2 report, what they're asking for is a third-party attestation. These reports must be generated by licensed CPA firms and their goal will be to assess one or more of the trust service criteria above.
There are two types of SOC 2 reports: SOC 2 Type 1 and SOC 2 Type 2. Type 1 focuses on a single point in time (were you compliant last week?). Type 2 focuses on a period of time (were you compliant for the last continuous year?). The latter is more commonly requested, as it carries more weight and has a higher bar.
Typically, either report will contain five sections: an opinion letter/auditor report, management assertion, detailed description of the system or service being evaluated, details specific to each of the trust services categories being evaluated, and test results from testing done on the controls evaluated.
When hiring a CPA to handle your SOC 2 audit, be prepared to provide security questionnaires, documentation of your policies, practices, and security controls, and evidence that those policies, practices, and security controls are being consistently followed within the organization.
SOC compliance risks & best practices
While 86% of IT pros say SOC is important, less than half say their compliance efforts are effective. If you've ever managed SOC compliance, this makes a lot of sense. Meeting these standards is a time-consuming challenge—and if you don't have the right tools in place to monitor, alert, and automate, it can be hard to keep up with.
For companies that do stay compliant, the secret sauce starts with these best practices:
If compliance is a priority (and with more and more companies requiring it, it should be), that priority needs to be built into your teams' schedules, priority lists, and budgets from the top down. If it's an afterthought, it won't get done.
2. Consistent, gap-free monitoring (aka continuous compliance)
When it's time for your audit, you typically have to prove compliance for the last year. This means 24-7 monitoring is essential and you'll need proof of that monitoring to share with your auditor.
3. Security incident alerts
Keeping systems secure (and therefore compliant) means catching and resolving security threats fast. To do this, you'll need to set up system alerts for things like unauthorized file transfers, account logins, or access or modification of data, controls, or configurations.
4. Detailed reports of incidents
Incidents happen to the best of us. What matters for compliance is transparency. What happened? How was it resolved? How quickly was it resolved? What systems were impacted? How major was the incident? Make sure you have detailed records and evidence that shows how you handle incidents when they happen.
Simplifying SOC 2 compliance
If this sounds pretty overwhelming, we hear you. Becoming SOC 2 compliant is a complex, time-consuming process for most companies. And we have been there.
In fact, the reason we started Drata in the first place is that we were the people responsible for compliance at our previous jobs, so we know how complicated, frustrating, and lengthy the process can be. And we wanted to find a way to make it simpler.
Drata is the result of the simplification.
Automated 24-7 monitoring, real-time alerts, evidence collection, security training, simple dashboards and reports, and dedicated support from tech and compliance experts… everything we do is designed to take as much burden as possible off your teams while maintaining compliance. Because once you've done all that work to become compliant, you'll need systems in place to help you stay secure and compliant and prove it (which will keep you competitive).
If SOC 2 compliance is on your horizon, it's a good time to take a look at automation with Drata.