So you’re thinking about compliance and you keep hearing about a SOC 2 Type 2 report. You want to keep your data safe, or you want to make sure your partners are keeping your information secure. Maybe you’re not sure where to start and why your clients keep asking for your report. We have you covered.
What is SOC 2?
Let’s start with the basics.
SOC 2 is the gold standard of information security reports. The AICPA created SOC 2 to judge and measure information security controls. Financial institutions, SaaS businesses, healthcare organizations, and large corporations handling data use the standard to build and publicize their security posture.
This compliance framework contains 61 principles met through a series of non-prescriptive steps, from implementing endpoint security to securing physical assets. SOC 2 reports must be maintained, and businesses go through an audit annually.
Trust Service Criteria
The AICPA established five Trust Service Criteria: security, privacy, availability, processing integrity, and confidentiality. When pursuing a SOC 2 report, businesses choose the TSCs that are most applicable to their information security posture and work to fulfill them specifically.
While the choice of TSCs does not significantly change the SOC 2 audit itself, it does change the controls a business needs to implement. Businesses are required to include Security as a TSC, while the others are optional. Ideally, your chosen TSCs provide a lens through which auditors review evidence and policies.
SOC 2 Type 2
SOC 2 Type 2 tests the operating effectiveness of your information security posture. Businesses compile evidence of SOC 2 controls in operation over a 6- to 12-month period, which is analyzed and tested by an independent auditing body.
Type 2 reports take longer to attain because of the time needed to gather evidence and prove that controls are operational. From gap analysis to audit, getting a SOC 2 Type 2 can take anywhere from 6 to 18 months.
Do I need a SOC 2?
As regulations and tech scrutiny increase, SOC 2 is becoming a requirement for doing business. If your sales team struggles to close deals because prospects ask to see your SOC 2 report, it’s time to get your compliance in check.
If your business stores or transmits sensitive information, information security should be a priority. Tech-based service organizations that use the cloud should pursue and maintain a SOC 2 report. The security, privacy, and confidentiality practices implemented will help protect you and your clients from disaster. These best practices will limit exposure and minimize risk.
How to get a SOC 2 Type 2 report
Getting a SOC 2 report requires implementing best practices, processes, and policies into the way a business handles and secures information. A business provides auditors with evidence that the controls are designed correctly and operating safely.
Laika’s clients typically start with a Type 1 and then build to a Type 2, unless a specific client requires a Type 2 immediately.
But what is SOC 2 Type 1?
Many businesses pursuing a SOC 2 report tackle a Type 1 first. The difference between Type 1 and Type 2 is design versus operating effectiveness. Type 1 tests design by looking at your description of controls at a particular point in time.
SOC 2 Type 1 is a snapshot. Auditors examine the controls a business has in place, like newly authored policies, as the first step toward SOC 2 compliance. We recommend businesses pursue a Type 1 to ensure the design is correct before moving on to operating effectiveness.
Think of it like this: you’re building a house. You run all the electrical wiring and make sure it’s all in place before closing up your walls. That’s the Type 1 report: the initial inspection. A Type 2 takes place when an inspector comes through the finished house, examines everything, and tells you that it’s up to code.
Not sure if SOC 2 is right for your business? Take our compliance quiz to find out.