SOC 2 Reports Explained

SOC 2 compliance is an essential component of information security for many businesses and organizations.

What is a SOC 2 Report?

Introduced in 2011, Service Organization Control (SOC) reports are becoming more and more popular in data security and compliance discussions with every passing year, especially SOC 2. But what is a SOC report? Which one do you need? Why is a SOC 2 report so important?

There are three types of SOC reports, which are “designed for the growing number of technology and cloud computing entities that are becoming very common in the world of service organizations,” according to ssae16.org. If a SOC 1 report handles the financial transactions a company makes, SOC 2 reports on the security behind those financial transactions, making it more relevant than ever in the growing wake of credit card fraud and data breaches.

SOC 2 Demystified

What is SOC?

A service organization controls (SOC) report is a way to verify that an organization follows some specific best practices before you outsource a business function to that organization. These best practices are related to finances, security, processing integrity, privacy, and availability.

It is a standardized report that gives service providers a mechanism to deliver insight into the design and operating effectiveness of internal controls relevant to user entities (i.e., customers). There are three primary types of reports:

A SOC 1 is related to internal controls that impact financial reporting or internal controls of the service organization’s customers.

SOC 2 and SOC 3 are related to internal controls that impact system security or availability, processing integrity, confidentiality, or customer data privacy.

Why is SOC 2 Important?

SOC 2 compliance is an essential component of information security for many businesses and organizations. This rings especially true for third-party service providers such as cloud storage, web hosting, and software-as-a-service (SaaS) companies or any organization that stores its customer data in the cloud. As you can imagine, that expands the list a lot.

Basically, SOC 2 audits and reports help service providers show that the privacy, confidentiality, and integrity of the data they handle — meaning their customers’ or their customers’ users’ data — is a priority. While it’s not saying that they’re 100% secure as organizations as a whole, they’re ahead of their competitors who lack these reports. This helps their customers understand that those vendors are doing what they should be doing to keep said data secure in the cloud.

SOC 2: Type 1 vs. Type 2

There are two types of SOC 2 reports, Type 1 and Type 2. When evaluating a cloud vendor, always look for a Type 2. While a Type 1 audit provides a snapshot of an organization’s controls at a point in time, a Type 2 audit examines them over a specified period. The Type 1 is, thus, only preliminary to the Type 2. A SOC 2 Type 1 demonstrates that the provider has controls in place but has not yet audited them. A Type 2 demonstrates that they have tested the controls over a period of time and proven that they work.

SOC 2 Type 2 reports benefit both cloud vendors and their clients. Client organizations can rest assured knowing that their cloud vendors’ controls meet the highest standards of data governance and security. Cloud vendors are able to differentiate themselves in a crowded marketplace and enjoy their own peace of mind, knowing that they have proactive data governance and cyber security controls in place to protect their systems and their clients’ data.

While SOC 2 audits are time-consuming and rigorous, GRC automation technologies can make the process take far less time and go far more smoothly.

Trust Services Categories for SOC 2

The SOC 2 criteria are comprised of 5 categories (formerly the SOC 2 principles), security, availability, confidentiality, processing integrity, and privacy, with the standard criteria encompassing security.

  • Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability. Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Integration with the 2013 COSO Framework

To better address cybersecurity risks and expand the assessment environment, the SOC 2 Trust Services Criteria have been integrated with the 2013 COSO Framework. Developed by the Committee of Sponsoring Organizations of the Treadway Commission, the framework was designed so that publicly traded companies could assess and report on their internal controls. This integration was the driving force behind renaming the SOC 2 Trust Services Criteria, as the old nomenclature would have confused with the terms used in the 2013 COSO Framework.

The 2013 COSO Framework contains 17 principles, which are grouped under five internal control classifications:

  • Communication and Information
  • Control Environment
  • Monitoring Activities
  • Risk Assessment
  • Control Activities

If your organization has issued a SOC 2 report previously, you will likely have to restructure your controls to comply with the new integration.

Additionally, service organizations will have to include the “points of focus” required by COSO, which are new to SOC 2 attestations. Each Trust Services Criteria category now has several focuses that details the features that should be included in the design, implementation, and operation of the control related to that criterion. Not all points of focus will apply to every organization.

What is the Difference Between a SOC 1 and SOC 2 Report?

The Trust Services Criteria are in a SOC 2 report only. So how is a SOC 1 different? A SOC 1 report has a little more flexibility in what is tested and opined on by the auditor. In addition to reviewing security, a SOC 1 audit includes more of a focus on the service organization’s controls that may be relevant to an audit of their client’s financial statements. The service organization (with the help of the auditor) will figure out the key control objectives for the services they provide to clients, and that is what is included in the report. Control objectives in a SOC 1 always include objectives around IT general controls but also include business processes at the service organization that impacts their clients.

Conclusions

The SOC audit professionals at Lazarus Alliance are wholly committed to you and your business’ compliance success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations.

The cyber security experts at Continuum GRC have in-depth knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies worldwide sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Want to learn more?

    Continuum GRC

    Website: