SOC 2 – System and Organization Controls

What is SOC 2?

SOC 2 is a USA-based attestation (auditing) framework. It is designed to enable service organisations to provide assurance to clients that they operate in a secure manner and will protect their data appropriately. It was developed by the American Institute of Certified Public Accountants (AICPA) and defines criteria for managing client data based on 5 Trust Services Criteria (TSC) categories.

What is a SOC 2 report?

A SOC 2 audit involves an external certified public accountant (CPA) assessing a service organisation and delivering a SOC 2 report. Unlike more prescriptive standards such as ISO 27001 and PCI DSS, SOC 2 expects organisations to design their own systems and controls to meet the TSC, based on the services they offer and their specific business requirements. As such, SOC 2 reports are typically quite detailed and very specific to the organisation in question.

A SOC 2 report is considered to be broadly comparable to an ISO 27001 certificate. It is, however, a report containing the CPA’s opinion rather than a certificate: there is no register of ‘SOC 2 certified’ organisations, and a report may record exceptions (control failures identified by the CPA), so recipients should read the opinion and any exceptions rather than treat the existence of a report as a pass. Due to its detailed nature it is typically only shared with the organisation’s clients and prospective clients upon request, usually under a non-disclosure agreement.

There are 2 types of SOC 2 report:

Type 1 report – This is where the CPA expresses an opinion on whether the description of the organisation’s systems is fairly presented and whether the controls included in the description are suitably designed to meet the applicable TSC at a point in time.

Type 2 report – This is where the CPA’s report contains the same opinions as expressed in a Type 1 report, but also includes an opinion on the operating effectiveness of the organisation’s controls over a period of time (the audit period, typically between 3 and 12 months).  A Type 2 report also includes a description of the CPA’s tests of operating effectiveness and the results of these tests, including any exceptions found.

Circumstances where a Type 1 report may be produced include where an organisation’s systems and controls have not been in operation for a significant length of time, or where an organisation has recently made significant changes to its systems or controls.

What are the requirements of SOC 2?

The fundamental requirement of SOC 2 is for the organisation to be able to demonstrate that it has a set of processes and information security controls in place to comply with the 5 TSC categories:

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

Of these categories, only Security (also referred to as the common criteria, on which the other categories build) is mandatory.  An organisation may choose to exclude any of the other 4 categories dependent on the type of service it is delivering and the expectations of its clients.  An organisation providing a hosted data centre service, for example, may elect to only include Security and Availability in its report, whereas an organisation providing software as a service (SaaS) may elect to include Security, Availability and Processing Integrity in its report.

What are the SOC 2 TSC?

The 5 categories comprise 61 criteria in total, some of which relate to governance, such as the board’s independence from management, and others which are more recognisable information security controls, such as restricting physical access and developing an incident response programme.

There is a strong correlation between the TSC and the ISO 27001 Annex A controls.  SOC 2, however, places more focus on governance compared to ISO 27001 and includes criteria related to processing integrity and privacy, which ISO 27001 does not. Having said that, a mature ISO 27001 compliant ISMS would typically make a very significant contribution to the development of a SOC 2 control framework.

The processes and controls that are needed to satisfy the TSC are collectively known as the Control Framework.  Each of the 61 TSC also includes a number of ‘points of focus’ (there are nearly 300 in total). These points of focus are characteristics of each criterion which are intended to help the organisation design its controls in a suitable manner. They are typically also used by the auditor to determine whether the controls are suitably designed and operating effectively.

How does an organisation acquire a SOC 2 report?

The first things to establish are:

  • When is the SOC 2 report required?
  • Which TSC categories are to be included in the control framework?
  • Is a Type 1 or Type 2 report required? Some interested parties are willing to accept a Type 1 report initially, with a Type 2 following after an agreed time period, e.g. 1 year.  In both cases, however, the control framework and the cost of implementation will be the same. The main cost difference will be in the additional auditing carried out by the CPA for the Type 2 report, which requires the controls to have operated throughout the audit period.  Once a Type 2 report has been issued, clients will generally expect a fresh report covering each subsequent 12-month period.
  • What is the scope to be covered by the report? This could be the entire organisation or a specific system or function within it.

The organisation is required to provide a system description document.  This is a comprehensive document describing the organisation, the in-scope system or systems along with the governance and security arrangements that relate to the selected TSC.

The CPA’s role is to review the system description document and attest that it is fairly presented, i.e. that it is a reasonable representation of what is actually in place.  The CPA must also test the controls in place to verify that their design meets the applicable TSC and, for a Type 2 report, that they have operated effectively throughout the audit period.

Selecting a CPA

CPAs are licensed in the USA (by state boards of accountancy) and SOC 2 engagements are carried out under the AICPA’s attestation standards, so the CPAs and the firms that employ them are typically based in the USA.  Organisations providing SOC 2 auditing services range in size from large multi-national accountancy firms to smaller, more specialist firms.  Many of these provide services in the UK, EU and globally.

Is SOC 2 more expensive than ISO 27001?

While there is some correlation between the two frameworks, the SOC 2 TSC are broader than the ISO 27001 process and control requirements, not least because SOC 2 is more governance orientated.  This can mean that developing a SOC 2 control framework incurs greater cost, but the principal cost difference is in the attestation process.  Commissioning a CPA firm to provide a SOC 2 Type 1 report can be significantly more expensive than obtaining an ISO 27001 certificate from an accredited certification body. A SOC 2 Type 2 report will add further cost, because the audit tests for evidence of control operation across the whole audit period.

How can URM help?

If you are looking to acquire a SOC 2 report, URM can assist by:

  • Reviewing the requirement and recommending scope, TSC categories, report type(s) and project timescales
  • Conducting a readiness assessment
  • Developing a draft control framework and report including recommendations for business process and information security control changes to satisfy the applicable TSC
  • Integrating the SOC 2 control framework with existing information security governance arrangements or management systems
  • Identifying a suitable CPA or CPA firm and supporting the audit process.

URM has extensive experience in information security assurance projects, including supporting organisations seeking a SOC 2 report. URM’s consultants can guide you in identifying the optimal route for acquiring a SOC 2 report and can assist in designing and implementing the control framework, including the provision of tools such as templates, checklists and policies.

Want to Learn More?

If you are new to SOC 2 and are looking to gain more detailed knowledge, URM can provide a one-day SOC 2 training and awareness workshop which should enable you to establish whether SOC 2 is appropriate for your organisation and how to approach acquiring a SOC 2 report and becoming SOC 2 compliant.

Let us know a bit more about your background and how we can help. Contact us now!