SOC 2 Compliance Requirements
SOC 2 standard
SOC stands for Service Organization Controls (SOC). The controls that you design and implement inside your control environment will vary based upon the people, technology, and products your company develops. SOC 2 is based on five principles, which are:
- Processing Integrity
SOC 2 requirements
When reviewing the nine SOC 2 trust service criteria (TSC) of the security principle, it is important to note that not all of the nine TSCs have to be met in order to obtain a satisfactory SOC 2 report. The security principle is the only mandatory requirement for a business to obtain their SOC 2 attestation. The nine SOC 2 TSCs are as follow:
- Control Environment
- Communication and Information
- Risk Assessment
- Monitoring Activities
- Control Activities
- Logical and Physical Access
- System Operations
- Change Management
- Risk Mitigation
There are 4 additional TSC that relate to the other four principles, but they are not mandatory. These principles are normally included in the scope of review when they support the business requirements (e.g. the company stores confidential information, which means the confidential principle should be included or a customer requests them to be included).
SOC 2 certification process
Considering there are a lot of steps in a SOC 2 certification process, they can generally be broken down into the following 6 steps:
Find a SOC 2 consultant or partner
This step is optional but very important in terms of time and money spent. Management can directly contact a CPA-certified organization to initiate the SOC 2 process, or they can contact a SOC 2 consultant to assist them in this process.
Identify your scope
The process by which an organization obtains a SOC 2 attestation can be very flexible. As long as the specific criteria are achieved, the controls you “map” to each criterion are up to you, as long as the control addresses the relevant criteria.
Perform the gap analysis
Gaps can be identified as controls that are not in place or controls that are unable to satisfy a criterion. The SOC 2 framework gives you a couple of criteria, backed up by points of focus to help you get the proper controls in place to satisfy the mandatory criterion.
Gather evidence for each control
All controls that have been scoped for the SOC 2 audit need to have evidence to show that the controls are (1) designed and implemented and (2) operating effectively. If a Type 1 audit is being performed, then the evidence is only needed for the first point. If a Type 2 audit is being performed, then the evidence will be needed for points 1 and point 2.
Currently, a SOC 2 audit process uses the “trust but verify” approach by an auditing team from a CPA-certified organization. The theory behind this approach is that the auditing team receiving the evidence produced by management is forthright and not tampered with or altered. This approach allows for the auditing team to stay independent of pulling the evidence.
SOC 2 report
Once the audit has concluded, the company will be notified by the auditing team that the audit review has ended and the SOC 2 report should be finalized within 2 to 4 weeks. This phase of the SOC 2 process requires little involvement from management and is mostly covered by the auditor.