
If your enterprise is a service provider that handles customer data, it should have a System and Organization Controls for Service Organizations 2 (SOC 2) report attesting to its SOC 2 compliance. If you outsource work, your sub-contractors should be SOC 2 compliant, as well.
Developed by the American Institute of Certified Public Accountants (AICPA) in response to growing concerns over data privacy and security, SOC 2 applies to all service providers that process and store customer data. Auditors use AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which emphasizes data security, as a framework.
SOC 2 compliance demonstrates your organization’s commitment to protecting the privacy and security of customer and client information—increasingly important in our connected digital age.
However, SOC 2 is not mandated by government or industry regulators: Compliance is voluntary.
Still, most service providers choose to comply. Why?
Six Reasons for SOC 2 Compliance
- Customer demand: Protecting customer data from breach and theft is top-of-mind for your clients, so without a SOC 2 attestation, you could lose business.
- Cost-effectiveness: Think audit costs are high? In 2018, a single data breach cost, on average, $3.86 million, according to a study by Ponemon and the IBM Institute. That figure rises every year.
- Competitive advantage: Having a SOC 2 report in hand will give you the edge over competitors who cannot show compliance.
- Peace of mind: Passing a SOC 2 audit provides assurance that your systems and networks are secure.
- Regulatory compliance: Because SOC 2’s requirements dovetail with other frameworks including HIPAA and PCI DSS, obtaining a SOC 2 attestation can speed your organization’s overall compliance efforts.
- Value: A SOC 2 report provides valuable insights into your organization’s risk and security posture, vendor management, internal governance, regulatory oversight, and more.
Which SOC Report Do You Need?
SOC 2 reports discuss five Trust Services Categories, also known as Trust Services Criteria (formerly Trust Services Principles). Together, these five categories cover:
- The security, availability, and processing integrity of the systems the service organization uses to process users’ data, and
- The confidentiality and privacy of the information processed by these systems.
SOC 2 and SOC 3 both use these categories. SOC 1, however, differs completely.
- SOC 1 governs controls relevant to financial reporting. A SOC 1 report will answer these kinds of questions: Are the service organization’s internal controls over financial reporting well designed? Do the organization’s controls operate effectively, helping it to meet its financial reporting goals?
- A SOC 2 report discusses controls that affect the organization’s information security, availability, processing integrity, data confidentiality, and privacy.
SOC 2 and SOC 3 reports cover the same subject matter, but the difference lies in their intended audience.
- SOC 2 reports are written for an informed, knowledgeable audience whose members may have a vested interest in the audit findings.
- SOC 3 reports address a more general audience and tend to be shorter and less detailed than SOC 2 reports. They are often used to demonstrate SOC 2/3 compliance to prospective clients and for marketing.
SOC 2 reports are applicable to these industries, among others:
- Cloud computing
- IT security management
- Software as a Service (SaaS) vendors
- Financial processing
- Accounting and auditing
- Customer support
- Sales support
- Medical claims processing
- Legal
- Pharmaceutical
- Insurance claims processing
- Human resources
- Data analysis
- Document and records management
- Workflow management
- Customer relationship management (CRM)
- Technology consulting
Which Type of Report Do I Need?
To complicate the question even more, SOC 2 reports come in two types, with each covering a different period of time.
- Type 1, often an organization’s first-ever SOC 2 report, looks at controls governing data security and privacy at the time of the audit. Type 1 takes a “snapshot-in-time” approach, setting a baseline for future audits.
- Type 2 reports discuss the operating effectiveness of your organization’s information security and privacy controls over a review period, typically the year since your last SOC audit.