7 Myths About SOC 2 ComplianceThere are still many questions around the process and purpose behind SOC 2. Let's break it down by going over a few common myths.
There’s a lot of misinformation out there surrounding Service Organization Control, or SOC 2 compliance. While it’s a critical measure of data security and proof of an organization’s commitment to keeping customer data safe, there are still many questions around the process and purpose behind SOC 2.
Is SOC 2 compliance necessary? Does it produce a certification? What’s required to be SOC 2 compliant?
We’ve answered these questions and more to clear the fog of misinformation around SOC 2.
What is SOC 2 Compliance?
SOC 2 is a framework for service organizations that access, receive, or store customer data. It is designed to assess how an organization protects and processes customer data, either at a single point in time (Type 1) or over a period of time (Type 2).
Although SOC 2 compliance can apply to any type of organization across industries, if you’re a cloud-based company responsible for protecting customer data, you’ve more than likely heard of the framework and received requests from customers for your attestation report.
Not only does SOC 2 compliance help companies scale securely, it ultimately builds trust with their customers in that it provides assurance of their security posture.
We’ve taken the time to dispel the most common myths surrounding SOC 2 compliance.
1. Companies Pass or Fail SOC 2 Certifications
A SOC 2 audit does not result in a certification. After an audit firm performs an audit, they will produce an attestation report and render their opinion on the design and operating effectiveness of controls. This is why you will hear companies offer their SOC 2 report after an audit, because SOC 2 is not a type of compliance certification unlike HIPAA.
SOC 2 also audits offer more comprehensive results than simply passing or failing. Below are four possible results of an audit.
Unqualified: Controls were designed appropriately and operating effectively to meet the applicable criteria.
Qualified: Controls were designed appropriately and operating effectively to meet most of the applicable criteria, but a couple criteria were not met.
Adverse: Controls were not designed appropriately and were not operating effectively to meet the applicable criteria.
Disclaimer: The auditor could not render an opinion due to limitations in performing audit procedures.
It’s important to note that you can receive control exceptions during the audit and still receive an unqualified opinion.
2. SOC 2 Has Required Controls
SOC 2 does not have required or prescriptive controls. Instead, SOC 2 has a set of criteria known as the Trust Services Criteria that is classified into five categories:
Organizations are responsible for implementing controls that simultaneously meet both their needs as a company and the data they manage, and that meet the applicable criteria associated with the categories they’re choosing to address in their SOC 2 audit. This can look slightly different for every company.
During a SOC 2 audit, an auditor from a Certified Public Accountant (CPA) firm will test the design and operating effectiveness of your controls to determine if the controls meet the applicable criteria.
3. Companies Can Use Their Vendor’s SOC 2 Report
Organizations need to undergo their own SOC 2 audit to obtain a SOC 2 report of their own, even if their SaaS application is hosted in the cloud (AWS, AZURE, GCP, etc.).
There is a standard called the Shared Responsibility Model that means organizations are responsible for security in the cloud and hosting providers are responsible for security of the cloud.
Because of the Shared Responsibility Model, customers will expect organizations to understand their responsibilities for securing their environment and undergo their own SOC 2 audit to confirm that the controls within their responsibility are operating effectively.
4. SOC 2 Proves Compliance to Other Frameworks
This is another popular myth—SOC 2 does not prove compliance to other standards. While at Drata we’re excited to tell customers that if you’re SOC 2 compliant, you may be on your way to meeting the criteria set forth by other standards, achieving SOC 2 compliance doesn’t automatically mean you’re compliant with a framework like PCI DSS.
To meet multiple frameworks, companies can consider a SOC 2+ audit, which requires expanding controls to meet the additional framework like HIPAA.
5. SOC 2 Only Covers Infrastructure and Software Controls
SOC 2 can cover a range of controls, depending on your specific organization and vertical. Potential controls in addition to infrastructure and software controls will include policies, onboarding/offboarding procedures, risk management, training, governance, and vendor management.
6. Auditors Don’t Want to Interact During Your Audit
It’s a common misconception that auditors don’t want to interact during an audit and they want companies to fail, a misconception we’ve addressed. Auditors should not be made out to be your enemy. They actually want the organizations they are auditing to succeed.
Auditors prefer to collaborate with their customers well ahead of the planned audit start date, so that audit procedures are conducted efficiently and customers are set up for success. The last thing auditors and the organizations want are surprises during the audit. Collaborating early and often with your auditor is a better approach for success than engaging in any advertised touchless audit (beware of such terms).
7. SOC 2 Audits Can Be Completed in Weeks
While it’s possible for smaller organizations to use a SOC 2 automation platform and obtain a SOC 2 Type 1 report from a CPA firm within two to three weeks of purchasing a platform, this is not typical for most companies.
Obtaining compliance with SOC 2 is important, but most organizations are also seeking an automation platform that can grow with them and help them build trust with customers by building a strong security program. Building a strong security program will most certainly take longer than two to three weeks—though one of Drata’s customers achieved their SOC 2 compliance in as little as eight weeks.
In addition, organizations will also want to engage a CPA firm to perform a SOC 2 Type 2 audit, since the Type 2 audit covers a period of time and includes testing the operating effectiveness of controls.
An organization should not start their Type 2 audit period until their controls have been implemented. Therefore, even if it only took an organization two to three weeks to set up all of their controls, they would then need to wait a minimum of three to four months before an auditor could perform the Type 2 audit.
Easy, Continuous Compliance With Drata
With Drata, there are no myths, misconceptions, or misinformation—we can help you achieve continuous compliance for SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, and many other frameworks through automation.
With more than 75 integrations across your tech stack, Drata makes sure you stay compliant and that your customers’ data stays protected. To learn more about how Drata can put security and compliance on autopilot for you, schedule a demo today.