There’s a lot of misinformation out there surrounding SOC 2 compliance. While it’s a critical measure of data security and proof of an organization’s commitment to keeping customer data safe, there are still many questions around the process and purpose behind SOC 2. Is SOC 2 compliance necessary? Does it produce a certification? Can an organization rely on a hosting provider’s SOC 2 report as proof of compliance?
Let’s break it down.
What is SOC 2 compliance?
SOC 2 is a framework for service organizations that access, receive, or store customer data. It is designed to assess how an organization protects and processes customer data, either at a single point in time (Type 1) or over a period of time (Type 2).
Although SOC 2 compliance can apply to any type of organization across industries, if you’re a cloud-based company responsible for protecting customer data, you’ve more than likely heard of the framework and received requests from customers for your attestation report.
Not only does SOC 2 compliance help companies scale securely, it ultimately builds trust with their customers in that it provides assurance of their security posture.
Before pursuing SOC 2 compliance, however, it’s important to dispel the most common myths surrounding the framework itself.
1. SOC 2 has required controls
SOC 2 does not have required or prescriptive controls. SOC 2 has a set of criteria classified into five Categories: Security, Availability, Confidentiality, Processing Integrity and Privacy. Organizations are responsible for implementing controls that fit both their needs as a company and the data they manage, and that meet the applicable criteria associated with the Categories they choose to address in their SOC 2 audit. This can look slightly different for every company. During a SOC 2 audit, an auditor from a Certified Public Accountant (CPA) firm will test the design and operating effectiveness of your controls to determine whether they meet the applicable criteria.
2. Companies can provide their customers with their application or data center hosting provider’s SOC 2 report (e.g. AWS, Azure, GCP) instead of undergoing their own SOC 2 audit
Organizations need to undergo their own SOC 2 audit to obtain a SOC 2 report of their own, even if their SaaS application is hosted in the cloud. Organizations are responsible for security in the cloud, and hosting providers are responsible for security of the cloud (the Shared Responsibility Model). Because of the Shared Responsibility Model, customers will expect organizations to understand their responsibilities for securing their environment and to undergo their own SOC 2 audit to confirm that the controls within their responsibility are operating effectively.
3. SOC 2 can be used on its own to prove compliance to other security frameworks and standards (ISO 27001, PCI, HIPAA, HITRUST, GDPR, etc.)
This is another popular myth: SOC 2 does not prove compliance with other standards. It cannot be used to meet the criteria set forth by other standards. For example, achieving SOC 2 compliance doesn’t automatically mean you’re HIPAA compliant. To meet multiple frameworks (like HIPAA), companies can consider a SOC 2+ audit, which requires expanding controls to meet the additional framework.
4. SOC 2 is a certification and results in a pass/fail
A SOC 2 audit does not result in a certification. After an audit firm performs an audit, they will produce an attestation report and render their opinion on the design and operating effectiveness of controls.
Likewise, you cannot pass or fail a SOC 2 audit. There are four possible results of an audit:
- Unqualified – Controls were designed appropriately and operating effectively to meet the applicable criteria
- Qualified – Controls were designed appropriately and operating effectively to meet most of the applicable criteria, but a couple of criteria were not met
- Adverse – Controls were not designed appropriately and were not operating effectively to meet the applicable criteria
- Disclaimer – The auditor could not render an opinion due to limitations in performing audit procedures
It’s important to note that an auditor can identify control exceptions and still issue an unqualified opinion.
5. SOC 2 will only cover infrastructure and software controls
SOC 2 can cover a range of controls, depending on your specific organization and vertical. In addition to infrastructure and software controls, potential controls may include policies, onboarding/offboarding procedures, risk management, training, governance, and vendor management.
6. It’s best not to interact with your auditor during your SOC 2 audit
An auditor should not be made out to be your enemy – they actually want the organizations they are auditing to succeed. Auditors prefer to collaborate with their customers well ahead of the planned audit start date, so that audit procedures are conducted efficiently and customers are set up for success. The last thing auditors and the organizations want are surprises during the audit. Collaborating early and often with your auditor is a better approach for success than engaging in any advertised “touchless” audit (beware of such terms).
7. SOC 2 audits can be completed in two or three weeks
While it is possible for smaller organizations to use a SOC 2 automation platform and obtain a SOC 2 Type 1 report from a CPA firm within two to three weeks of purchasing a platform, this is not typical for most companies. Obtaining compliance with SOC 2 is important, but most organizations are also seeking an automation platform that can grow with them and help them build trust with customers by building a strong security program. Building a strong security program will most certainly take longer than two to three weeks.
In addition, organizations will want to engage a CPA firm to perform a SOC 2 Type 2 audit, since the Type 2 audit covers a period of time and includes testing the operating effectiveness of controls. An organization should not start its Type 2 audit period until its controls have been implemented. Therefore, even if it only took an organization two to three weeks to set up all of its controls, it would then need to wait a minimum of three to four months before an auditor could perform the Type 2 audit.
Easy, continuous compliance with Drata
With Drata, there are no myths or misconceptions – we can help you achieve continuous SOC 2 compliance with minimal effort via automation. With more than 50 integrations across your tech stack, Drata makes sure you stay compliant – and that your customers’ data stays protected. To learn more about how Drata can put security and compliance on autopilot for you, schedule a demo today.