SOC 2 Type II Compliance: What You Need to Know

SOC 2 Type II is a compliance standard for service providers that store or handle customer data in the cloud. A Type II audit takes six to twelve months to complete, and remains valid for one year – making compliance an ongoing process.

The point of SOC 2 compliance is to prove to customers that they can trust your business with sensitive data. Though it isn’t required by law, this standard is essential to many SaaS companies and other service providers.

Type I vs Type II

A SOC 2 Type II report takes six to twelve months to complete and offers a full portrait of how a company’s security policies and controls work in practice.

A Type I report, on the other hand, is more of a snapshot. It can be completed much more quickly, but only shows how your security systems work at a specific point in time.

If you need a one-off audit of your business’s security, a Type I report might suffice. But in general, a Type II report will carry more weight with customers, investors, and other stakeholders, showing that your business’s security practices hold up year-round.

If you need to attain compliance quickly, it may make sense to get a Type I report and then begin the process to obtain a Type II report. That way, you can show customers that your business is SOC 2 compliant sooner rather than later – while still working towards the ongoing standard offered by SOC 2 Type II.

The Five Trust Services Criteria

SOC 2 reports also vary based on which of the AICPA’s five trust services criteria are being evaluated. These criteria are as follows:

  • Security describes a company’s ability to protect data and systems from unauthorized access. It is the most commonly evaluated of all the trust services criteria.
  • Availability refers to how much of the time the service performs as intended. This means that the service is not only usable, but meets the expectations a company sets in contracts with clientele. If it takes ten minutes to load the service, for instance, that may be considered an unacceptable level of availability, even if it is still technically usable.
  • Processing integrity refers to the company’s ability to keep data from being manipulated or tampered with, and the service’s ability to function without errors or other mishaps.
  • Confidentiality refers to the company’s ability to restrict access to and protect sensitive data.
  • Privacy describes a company’s ability to protect personally identifiable information pertaining to their customers.

Many businesses only need to get evaluated based on security. Others might see the value in getting a full evaluation, covering all five trust services criteria. It all comes down to the business itself – or, more fundamentally, what its clients look for in a service provider.

SOC 1 vs SOC 2 (and other compliance standards)

SOC 2 shouldn’t be confused with SOC 1, a similarly-named compliance standard. Both standards are administered by the AICPA, and focus on businesses that provide services to other businesses.

But where SOC 2 focuses on the trust services criteria outlined above, SOC 1 reports are more squarely focused on how companies handle financial information. If your company provides payroll services, for instance, you may need to attain both SOC 1 and SOC 2 compliance.

SOC 2 isn’t the only compliance standard focused on cloud security. The other big one is ISO 27001, which is administered by the International Organization for Standardization. Both SOC 2 and ISO 27001 offer customers proof a company is secure enough to trust with sensitive data.

The biggest difference between the two is regional: SOC 2 reports are more popular in North America, whereas ISO 27001 reports are more widely used elsewhere in the world.

SOC 2 Type II Reports

A SOC 2 Type II report typically has five sections. Let’s go over each of those in turn.

1.) Auditor’s Summary & Professional Opinion

The SOC 2 Type II auditor begins the report by summarizing the scope of their audit, detailing when it was conducted and which of the five trust services criteria were evaluated.

From there, the auditor offers their professional opinion. This is the most important part of the report: here they say whether a business passed or failed. Alongside their verdict, the auditor may offer one of several descriptors:

  • Unqualified: The company passed the SOC 2 audit without qualifications. “Unqualified” might sound scary, but this is the best outcome a business can hope for.
  • Qualified: The company passed the SOC 2 audit, but with some qualifications.
  • Adverse: The company did not pass the SOC 2 audit.
  • Disclaimer: The auditor did not have enough information to form a definite conclusion. You don’t want to pay for a SOC 2 audit just for it to be inconclusive, so you’ll want to be as forthcoming and helpful as possible to ensure they can render a judgement.

2.) Management Assertion

In the next section, the company being audited offers their take on the scope of and background behind the report. This section usually looks pretty repetitive, coming off of the auditor’s summary. But that’s the point: unless something is amiss, this section should demonstrate that the auditor and the company being audited are on the same page regarding the nature of the report.

3.) System Services Description

From there, the auditor goes into detail regarding what security systems the business has in place. This section is descriptive: the auditor is not offering judgements on whether the system works or not. Instead, they’re simply focused on describing the security policies and controls that were in effect while the audit was being conducted.

4.) Tests of Controls

In this next section, the auditor describes their examination of the company’s security systems. This section is often formatted as a table, in which the auditor lists which security control was tested, how the auditor tested the control, and how each particular control performed.

The Tests of Controls section is the longest section of a SOC 2 Type II report, often running 100 or more pages. But most clients won’t even read it, placing their focus instead on the auditor’s professional opinion at the front of the report. Still, the Tests of Controls is a key section; this is where the auditor shows their work in detail.

5.) Additional Information

Finally, the company being audited has a chance to respond to any concerns raised in the report. If any issues cropped up, this is the place to acknowledge them and describe how they will be remedied going forward.

Preparing for a SOC 2 Type II Audit

The work for a SOC 2 Type II audit often begins long before the audit itself is conducted. A Type II audit takes at least six months to conduct, so you want to make sure you get it right – a failed examination means at least six more months of working to attain compliance.

The first step in preparing for a SOC 2 audit is to appoint someone to take charge of the process. That can be an internal team member or it can be an outside contractor. Either way, you’ll need to make sure they have the company behind them. Without buy-in across all of a company’s employees, you’ll have a tough time meeting the standard set by the AICPA.

Even once the report is finished, the work isn’t over. Because SOC 2 Type II reports take six to twelve months to prepare and remain valid for only a year, SOC 2 compliance is a continuous process. As soon as one audit is finished, it’s time to begin getting ready for the next one.

About the Author

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.