Want to try it for yourself?
What is SOC 2 compliance?
SOC 2 (Service Organization Control 2) compliance demonstrates how well a cloud service provider’s internal controls protect data and comply with the standard developed by the American Institute of CPAs (AICPA).
The standard consists of five trust service principles: security (mandatory), availability, processing integrity, confidentiality, and privacy.
There are two types of SOC 2 audits: Type 1 and Type 2. A SOC 2 Type 1 audit evaluates an organization’s internal controls at a specific point in time (e.g., on March 1). A SOC 2 Type 2 audit evaluates and details an organization’s internal controls over a duration of time (e.g., between March 1 and December 31).
SOC 1 differs from SOC 2 in scope. Whereas SOC 2 focuses on the five trust principles, SOC 1 assesses a cloud service provider’s internal controls that are relevant to financial reporting. As such, it’s ideal for companies that handle sensitive financial information. Payment processors, collection agencies, and benefits administrators are examples of organizations that are a good fit for SOC 1.
What it reports on
Who uses it
Controls relevant to customers’ financial report
For service organizations that may impact their customer’s financial reporting
Controls regarding security, availability, processing integrity, confidentiality or privacy
For service organizations that hold, store, or process customer information or data
SOC 2 compliance is important because organizations must ensure they have the protocols and systems in place to keep customer information secure. Achieving SOC 2 compliance demonstrates to current and prospective customers and partners that the organization takes cloud security seriously. In fact, it’s not uncommon for client contracts to stipulate SOC 2 compliance. Also, SOC 2 reports are widely accepted and replace the need to undergo a custom cybersecurity audit each time a new customer onboards.
To achieve SOC 2 compliance, companies must comply with SOC 2 trust principles. However, only the security principle is mandatory — the others are optional. An organization can pick and choose from the optional principles to demonstrate an even greater commitment to protecting customer information.
The trust service principles are:
Security - risk-mitigating controls designed to protect information against unauthorized access, unauthorized disclosure, or damage throughout its lifecycle.
Availability - controls intended to support and maintain system operational uptime so that information is sufficiently available to meet business objectives and service agreements.
Processing integrity - controls designed to ensure data is processed predictably and free from errors for maximum accuracy and reliability.
Confidentiality - controls designed to ensure sensitive information such as intellectual property and trade secrets are kept confidential throughout its lifecycle, from collection to disposal.
Privacy - controls designed to ensure personally identifiable information (PII) captured by an organization is only accessible to appropriate parties.
SOC 2 audits must be performed by a licensed CPA. It’s normal for the process to take months, although completing a SOC 2 readiness assessment to examine any gaps in controls or processes prior to the start of the audit can help speed the process.
You can expect your audit team to generate an Information Request List (IRL) and narrow down which of the trust service criteria you’ll evaluate. You’ll submit evidence of your internal controls to the auditor, after which they’ll conduct a formal walkthrough of your environment. After that, the auditor will generate a SOC 2 report, which details the evaluation. You can learn more about this in SOC 2 Audits: Reporting & Certification in the Cloud.
The five SOC 2 trust principles each have their own subcategories. Here are the subcategories that are relevant to the mandatory security criteria as it relates to compliance in cloud environments.
CC2.0: Communication and Information - Addresses how organizations handle internal and external communication and information flows.
CC5.0: Control Activities - Addresses how an organization’s control activities account for risk management and technology.
CC6.0: Logical and Physical Access Controls - Addresses how an organization’s controls enable logical access to IT systems and credentials, regulate physical access to facilities, and contain security measures to detect and prevent unauthorized access.
CC7.0: System Operations - Addresses how an organization’s controls monitor systems for potential anomalies, events, and configuration changes that may carry security risks, and define incident response protocols to contain, remediate, and communicate security incidents.
CC8.0: Change Management - Addresses how organizations evaluate and determine necessary changes in infrastructure, data, software, and procedures, enabling them to securely make changes and prevent unauthorized changes.
Cloud environments add a new dimension to an organization’s infrastructure and must be secured to keep customer information safe. Snyk uses a unified policy as code engine to help teams develop, deploy, and operate safely in the cloud. It leverages cloud security automation for best-in-class cloud compliance right out of the box.
What are the SOC 2 trust principles?
The five SOC 2 trust principles are security, availability, processing integrity, confidentiality, and privacy. When undergoing a SOC 2 audit the security principle is mandatory, while service organizations can elect any of the other four for further evaluation to demonstrate they’re in compliance with that principle.
Who needs SOC 2 compliance?
SOC 2 compliance is intended for organizations that collect, process, or store client information in the cloud. These include cloud service providers, SaaS providers, managed IT and security service providers, as well as companies that provide business intelligence and analytics.
How do I bring my cloud into SOC 2 compliance?
To bring your cloud environment into SOC 2 compliance, start by performing external vulnerability testing, a gap analysis, and penetration testing to help you locate and resolve vulnerabilities and cloud security challenges within your infrastructure. Once resolved, you can engage with a third-party assessor to begin the SOC 2 audit process.
Next in the series
Everything You Should Know About SOC 2 Audits
A SOC 2 audit can give your company a competitive advantage. But what does the audit entail? Here’s everything you need to know.Keep reading