SOC 2: What It Is and Why You Want It

SOC stands for System and Organization Controls and is a product of the American Institute of CPAs (AICPA). This certification regime is not the only one available on the market; however, SOC 2 is flexible enough to be applicable and relevant to much of the software industry today. It is a mature framework that is well known and well respected.

For these reasons SOC 2 has become a go-to for software vendors who want to demonstrate confidently that their security processes are best-in-industry. This is a strong selling point during the customer acquisition funnel, and it typically reduces the friction of contracting significantly, in terms of both auditing and approval time.

A Note On SOC Report Types

Type I demonstrates controls for a single snapshot in time.

Type II is a little more comprehensive, and evaluates controls over a period of time.

Contents of a SOC Report

SOC certifications come with a few key documents, namely: an opinion letter, a document of assertion, a detailed description of the system under certification, details around the chosen trust categories, and tests of the controls in place.

The Five Trust Categories

SOC 2 auditors can focus on one, or up to all five, of the following trust categories. Security is the only required category; however, covering additional categories improves the overall strength of the resulting certification.

  • Security - the system has basic physical and logical protections in place against unauthorized access.
  • Availability - evidence that the system under test is available and meets contractual commitments.
  • Processing Integrity - PII is processed in a timely manner, accurately, and, most importantly, securely.
  • Confidentiality - data sharing stays within the terms outlined in policies and contracts.
  • Privacy - privacy practices align with policy and contractual obligations.

Which Trust Categories Do I Need?

There is no hard and fast rule here, and certainly any SOC 2 audit is better than none. That being said, it makes sense to include every trust category that is relevant to your core business.

Practical Tips For Effective Controls

  • Use versioning, whether it’s a wiki, repository, or collection of shared documents. This is strong evidence that the process is followed at any given point and not just when people are looking.
  • Require peer approval for all updates to controls, reports, and related documents (it’s not really that burdensome in practice if the process is automated).
  • Issue a linkable report for each control update, and keep the reports organized by control and date of audit.
  • Reports should be self-contained, including all evidence needed to support the claims in the report.
  • Evidence can take the shape of screenshots, metrics, log snippets, external documents (copied into the report with a reference to the public document), test methodologies, or something else entirely. The point is to be persuasive.
  • Make sure to test, test, test. Test that the control scoping is right. Test that the evidence provided is reproducible. Test in order to ensure your assumptions are right, before the auditor does.
  • Talk to a couple of audit firms. Find a firm that understands your business processes, technology, and culture. This will help both sides significantly when you do engage with the auditors.
  • Take an even approach when implementing controls. Don’t focus exclusively on one trust category to the exclusion of the rest if all five trust categories are relevant to your business.

Other Benefits

Earlier in this article, I mentioned the reduced friction during vendor vetting and approval.

In addition to that, having a SOC 2 report shows that your organization takes security and privacy seriously. Competitors, potential customers, and even malicious actors will want to know whether your organization has a report, as well as what the report states.

Now, a SOC 2 attestation is not a panacea. It is not a guarantee against exploitation in any way. Instead, your organization is making a statement of posture, preparedness, and responsibility in the face of questions or adversity.

Thank You For Reading

I hope this article has been helpful and informative. Let us know!