Understanding and Navigating SOC 2 Requirements
In this blog, we will take a look at System and Organization Controls requirements and audits. Starting with a description of what SOC 2 is, we will then explore the different types and scopes of a SOC 2 compliance assessment.
What is SOC 2?
SOC 2 is an attestation framework: an auditing procedure under which an independent auditor reports on the controls a service organisation operates to protect the systems and data it handles for its customers, in response to the growth in information security incidents and cyber-attacks.
It was developed by the American Institute of Certified Public Accountants (AICPA) and enables service organisations to provide assurance to their clients that they operate in a secure manner.
SOC 2 has been widely adopted in the United States, and an increasing number of UK-based service organisations that deliver services to US customers are now being asked to provide assurance via a SOC 2 compliance audit.
What is a SOC 2 Compliance Audit?
A SOC 2 compliance assessment, or audit, involves a SOC 2 auditor, who must be a certified public accountant (CPA) or CPA firm, assessing the service organisation and delivering a SOC 2 report.
Unlike prescriptive standards such as the Payment Card Industry Data Security Standard (PCI DSS), SOC 2 does not dictate specific controls: service organisations are expected to design their own systems and controls to meet the ‘Trust Services Criteria’ (TSC) categories, based on their service offerings and business requirements.
The TSC categories are: Security, Availability, Processing integrity, Confidentiality and Privacy.
The service organisation, often driven by the expectations of its customer(s), needs to define which of the TSC categories will be in scope. As a result, a SOC 2 report is typically detailed and specific to the service organisation.
There are two forms of report: a Type 1 and a Type 2. A Type 1 report contains the auditor’s opinion on whether the organisation’s description of its system is fairly presented and whether the controls are suitably designed to meet the selected TSC categories at a specific point in time.
Typically, Type 1 reports are produced where an organisation’s systems and controls are new or immature, or where significant changes have been made to the systems or controls.
CPAs can also provide Type 2 reports, which include the same information as a Type 1 report but, rather than being assessed at a point in time, cover an audit period (typically a minimum of 6 months) and add an opinion on whether the controls operated effectively throughout that period.
Descriptions and results of the tests conducted by the CPAs are also documented.
What TSC Categories and Controls Does an Organisation Need to Comply With? Will ISO 27001 Help?
Whilst SOC 2 defines five TSC categories, only the Security category (the common criteria) is mandatory. The others can be excluded, and the categories selected typically reflect the service offering and the customers’ expectations.
For example, a service organisation providing hosted data centre services may only require Security and Availability in its report, whereas a service organisation providing software as a service (SaaS) might include Security, Availability and Processing Integrity.
The five TSC categories cover 61 criteria in total; some relate to governance and others to information security controls. There is a strong overlap between the SOC 2 TSC and the ISO 27001 Annex A controls, so an existing ISO 27001 management system provides a useful starting point.
That said, SOC 2 places more emphasis on governance and includes criteria relating to processing integrity and privacy that have no direct ISO 27001 equivalent.
The processes and controls an organisation puts in place to satisfy the selected TSC categories are collectively known as the control framework.
Each of the 61 criteria also includes ‘points of focus’, of which there are over 200 in total.
These ‘points of focus’ describe characteristics of each criterion and can help an organisation to design and evidence its controls.
How Do You Obtain a SOC 2 Report?
Initially, a service organisation will need to establish when the SOC 2 report will be required, which TSC categories are to be included in the control framework and which type of report is required.
Some interested parties will accept a Type 1 report as long as a Type 2 follows in an agreed time frame.
The scope could be the entire organisation or a specific system or function.
Whatever the scope, the service organisation will be required to provide a comprehensive system description document, which must describe the organisation or function, the in-scope system or systems, and the governance and security arrangements that relate to the selected TSC categories.
The CPA will review the system description document and confirm whether it is a fair representation of what is actually in place.
The CPA will also test the controls to verify that their design meets the selected TSC and, for a Type 2 report, that they have operated effectively, as intended, throughout the audit period.
How Can URM Help?
We have extensive experience in conducting information security assurance projects, including supporting organisations complete SOC 2 reports.
Our consultants can help your organisation to identify the best route for acquiring a SOC 2 report and can assist in designing and implementing the control framework, including:
- A review of your requirements and recommending a scope, the TSC categories, the report type(s) and the project timescales
- The provision of required documentation such as policies and procedures
- A readiness assessment using a SOC 2 compliance checklist
- The development of a draft control framework and a report, including recommendations for business process and information security control changes, to satisfy the applicable TSC
- An integration of the SOC 2 control framework with existing information security governance arrangements or management system frameworks
We can also identify a suitable CPA or CPA firm and support your organisation through the SOC 2 audit process.