SOC 2 Compliance: What Organizations Should Know

SOC 2 (meaning Systems and Organization Controls 2) is a compliance standard designed to help service providers protect cloud-based customer data against vulnerabilities and threats. The American Institute of CPAs (AICPA) created SOC 2 in 2010. As such, only certified public accountants (CPAs) or accounting firms can perform SOC 2 audits. On average, an audit for SOC 2 compliance costs small and midsize organizations between $7,500 and $20,000. That said, organizations are not legally mandated to follow SOC 2 guidelines, though vendors often require their contractors to adhere to these standards.  There are five Trust Services Criteria (TSC) within SOC 2: security, confidentiality, availability, processing integrity, and privacy.

1. Security. Security controls, also known as common criteria, help prevent unauthorized users from accessing an organization’s systems. This is the only TSC that’s mandatory to check for a complete SOC 2 compliance audit.

2. Confidentiality. Within SOC 2, confidentiality refers to storing and processing information without allowing unwanted third parties to access or view the information. 

3. Availability. The standards in this category help ensure the data an organization needs is readily available for use.

4. Processing integrity. This category helps ensure an organization’s data and related processes are accurate, efficient, and complete.

5. Privacy. These criteria help secure clients’ personal identifying information (PII), as well as all processes for collecting, using, storing, and discarding it.

By complying with SOC 2 standards, organizations can show their customers they’re intentional about following standards that keep data safe. This can build meaningful trust. Customers will know the companies they’re trusting to properly handle their data are indeed doing so.

To determine how well they’re complying with SOC 2 standards, organizations often undergo assessments based on the following core SOC 2 areas.

1. Access controls

Access controls place restrictions and user permissions on data and high-security physical locations to help prevent unauthorized users from accessing them. Access controls can range from physical devices, such as ID cards, to digital methods, such as multi-factor authentication (MFA) and single sign-on (SSO).

2. System operations

This SOC 2 standard creates effective processes for monitoring an organization’s regular operations. This way, administrators can see when a process isn’t functioning properly and arrive at solutions that support the system as a whole.

3. Change management

As administrators update and develop IT systems, the processes for securing and managing them may also undergo adjustments. The controls within this standard help ensure the changes made to an IT system are authorized and that they uphold the system’s security.

4. Risk mitigation

This portion of the SOC 2 compliance checklist can help an organization identify vulnerabilities and respond with meaningful solutions. At the same time, these protocols can guard against future risks.

Below, learn about the steps auditors take to assess an organization’s SOC 2 compliance. 

Security audit

Auditors assessing this mandatory SOC 2 category will check whether an organization is protecting data at every point of its lifecycle with the organization. They’ll look for network monitoring and endpoint security tools, which are key to meeting this SOC 2 compliance criteria. Any measures to secure all parts of the organization also fall under this SOC 2 audit category.

Confidentiality audit

This portion of an SOC 2 compliance audit determines whether an organization keeps its data as secure as its customers expect. It covers how the organization obtains, stores, processes, and destroys data.  Auditors may use internal or external agreements, alongside government regulations, as benchmarks for this audit. They’ll typically assess an organization’s identity and access management tools and encryption methods. Organizations whose customers sign non-disclosure agreements (NDAs) or agreements requiring the organization to delete old data should prioritize this SOC 2 compliance audit.

Availability audit 

During this portion of an SOC 2 audit, the auditor will determine the organization’s uptime (how often its network is running and accessible). There is no explicit availability threshold for SOC 2 compliance, but most experts consider 99.9999% uptime ideal.  An auditor assessing an organization’s availability will look at its disaster recovery plans, data backups, and system performance. The results can help organizations show they’re adhering to service-level agreements (SLAs) with their customers.

Processing integrity audit

Carrying out a processing integrity audit typically involves looking at each system an organization uses. Within each system, the auditor should check for errors and advise on how to correct them. This audit may be especially important for organizations whose products allow for data or financial processing.

Privacy audit

This audit looks solely at PII and at how an organization is gathering and sharing it — and whether it’s getting adequate permission to do so. An SOC 2 privacy audit also verifies that all parties that need access to this data (but only those parties) have it.  Consent management mechanisms and organizational privacy policies are the best way to address this TSC. Any organization that stores or uses customers’ personal identifying information (PII), such as social security numbers, should conduct this audit.

An SOC 2 auditor can arrive at one of the four following results after reviewing an organization’s security operations.

1. Unqualified: The organization meets the SOC 2 criteria and passed its audit.

2. Qualified: The organization is generally operating according to SOC 2 standards, but there are some ineffective or compromising aspects.

3. Adverse: The organization doesn’t meet the Trust Services Criteria, and it failed testing on multiple controls.

4. Disclaimer of opinion: The auditor did not have enough information to arrive at a complete conclusion. It’s exceedingly rare that an audit yields this result.

SOC 2 reports

There are two types of SOC 2 reports that auditors can generate.

SOC 2 Type I

An SOC 2 Type I report assesses an organization’s controls at a certain point in time. In other words, this report is mainly a snapshot of a company’s processes at a particular period. As such, this type of report typically takes less time to generate than a Type II report. However, a Type I report may not be as well received among customers since it lacks long-term analysis.

SOC 2 Type II

A Type II report covers an organization’s controls over a longer period of time. This may have you wondering: exactly how long does SOC 2 compliance take? A Type II report typically covers a period of at least six months and no longer than 12 months.  Because SOC 2 Type II reports are more thorough, customers tend to appreciate them more than Type I reports. As a result, auditors often recommend that companies consider Type II reports when they want to be transparent about their processes and gain customers’ trust.

Below are some of the ways that SOC 2 compliance can benefit organizations.

1. Gives customers peace of mind and builds trust. Customers want to know an organization will handle and store their data securely. Organizations can give their customers extra assurance with an audit proving their SOC 2 compliance.

2. Creates opportunities for growth. SOC 2 compliance gives organizations a better foundation for securing the processes most important to their operations. As these organizations start more effectively securing their data, they can perform better, thus increasing their opportunities for growth.

3. Maintains high standards of security. No matter what type of data a company processes, effectively securing this information is foundational to keeping the organization running smoothly. SOC 2 compliance guidelines can help an organization create systems and protocols to minimize threats that could create security issues.