2) What Is SOC: Understand the Logic Behind It

Learn what SOC is: what it covers and what the difference is between SOC Type I and Type II.

The Service Organization Control ('SOC') is a framework developed by the AICPA (American Institute of Certified Public Accountants). It has undergone several evolutions before reaching the form we know today, and every few years the AICPA updates the guideline.

Structure of SOC 2 Report:

  1. Section 1 – Auditor's opinion.
  2. Section 2 – Management assertion.
  3. Section 3 – Description of the company's processes and procedures.
  4. Section 4 – Test procedures and test results.

SOC 2 Methodology:

The SOC 2 report focuses on a business's non-financial reporting controls as they relate to the Trust Services Criteria.

The American Institute of Certified Public Accountants (AICPA) is the entity that wrote the framework. The SOC 2 framework includes five key sections, forming a set of criteria called the Trust Services Principles:

  • Security: the system is protected against unauthorized access, both physical and logical.
  • Availability: the system is available for operation and use as committed or agreed.
  • Confidentiality: information designated as confidential is protected as committed or agreed.
  • Processing Integrity: system processing is complete, accurate, timely, and authorized.
  • Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP).

When engaging in a SOC 2 project, a company, together with its auditor, will need to choose the criteria that the report will cover.

It is not mandatory to cover all five principles, but Security will always be part of the scope.

SOC 1 vs. SOC 2 vs. SOC 3:

SOC concerns the internal controls in place at the third-party service organization.

SOC 1, SOC 2, and SOC 3 certifications all require a service organization to demonstrate controls governing its interaction with clients and client data:

  • SOC 1 reports cover the service organization's controls related to its clients' financial reporting within information systems.
  • SOC 2 reports evolved from SOC 1 to focus on non-financial firms (e.g. SaaS companies) for organizational oversight, vendor management, risk management, and regulatory oversight. A SOC 2-certified service organization is appropriate for businesses whose regulators, auditors, compliance officers, business partners, and executives require documented standards.
  • SOC 3 reports are a simplified version of SOC 2 reports that can be published on a website and downloaded freely, without requiring an NDA from a prospective client. They help the marketing team demonstrate compliance at the prospect's first point of contact with the company.

SOC Type 1 vs Type 2:

There are two options a company can choose from when defining the scope of work:

  • SOC 2 Type 1 tests the design of controls. This means the controls need to be in place, but the auditor will not check their operation and effectiveness. It is like a snapshot of the company at a certain moment. As a result, the project time is expected to be shortened by six months to a year. The downside is that the report will not be as robust as prospective customers want it to be.
  • SOC 2 Type 2 tests both the design of controls and the operating effectiveness of the service organization's controls. The scope covers a specified time period, usually 6 months to 1 year. In this method, the auditor examines how policies and procedures are operating, details the test procedures and the test results, and notes whether any deviations were found. This procedure is more robust and gives a clearer overview. Most prospective customers would prefer this method.

The Bottom Line:

In most cases, SOC 2 Type II compliance is the most sought-after compliance for cloud-based companies. The process assures customers that the company has best-in-class safeguards and procedures in place to ensure the security of their information.

It is a journey that takes the security strategy of a tech company to the next level and, at the same time, prepares the ground for collaborating with enterprises.
