You may be hearing the term “SOC 2” more and more as you bid on jobs, apply for insurance coverage, raise capital, or satisfy regulators. So, what is it, and why should you care?
Simply put, a SOC 2 report demonstrates that a service provider has the systems and controls to protect your information and your interests. Customers, insurers, and investors ask about SOC 2 to limit their exposure to risk from third-party service providers. In some instances, customers and investors may scrutinize your entire supply-chain for SOC 2 compliance before they award bids or release funds.
Further, business leaders are accountable for how private information is transmitted and stored, including information handled by third-parties. New federal regulations mandate controls and timely disclosure of data breaches. Therefore, if you use service providers who manage, secure, or host your data, you should care about SOC 2.
The Problem SOC 2 Reporting Solves
Business leaders choose to improve efficiency, enhance operations, or offload risk by outsourcing functions to service organizations. Examples include IT services, data center hosting, cloud software solutions, and managed security. These service providers collect, transmit, store, secure, and dispose of information. Your information. Your customers’ information. Perhaps, your investors’ information.
Unlike other mature professions, no standards body is overseeing IT, cloud, software-as-a-service, or security providers. No association or college monitors and disciplines bad actors. This lack of governance should concern you, given the broad access and power technology professionals possess.
How can a business leader trust that a service provider is taking its obligations seriously? How can a business leader evaluate data protection systems and procedures? This is the problem SOC 2 reporting solves. The American Institute of Certified Public Accountants, (AICPA) and the Canadian Institute of Charted Accountants, (CICA) created SOC 2 to fill the need for rigorous independent examinations of the operational controls in service organizations.
What Does SOC Stand For?
The SOC acronym has recently changed. SOC now stands for System and Organization Controls. SOC used to mean Service Organization Controls. The new name reflects the larger audience for SOC reports.
SOC arose out of SAS 70 auditing as the need for specific assurance around information handling, rather than financial administration, grew. Along the journey, a slew of evolving standards came to underpin today’s SOC (SSAE 16, SSAE 18, AT-C 205, AT-101, ISAE 3402) including specific Canadian criteria (CSAE 3416, CICA 5970).
What Does SOC 2 Type 2 Mean?
There are several different kinds of SOC for Service Organizations reports:
SOC 1 evaluates controls for service providers which affect the financial statements of customers, for example, payroll processing firms.
SOC 2 evaluates the operational policies, communications, procedures, and monitoring concerning five Trust Service Categories (TSC):
- Security – Information and systems are protected against unauthorized access (both physical and logical), unauthorized disclosure, and damage
- Availability – Information and systems are available for operation and use as committed
- Processing integrity – System processing is complete, valid, accurate, timely, and authorized
- Confidentiality – Confidential information is secured, and access is controlled
- Privacy – Personally Identifiable Information (PII) is appropriately collected, used, retained, disclosed, and disposed
There are two types of SOC 2 reports:
- Type 1 examines the design and the suitability of the controls
- Type 2 also tests the “operating effectiveness” of the controls over time, usually 12 months
SOC 3 reports are similar to SOC 2 reports but shorter and less detailed. SOC 3 reports are for general consumption; organizations may publish their SOC 3 report on public websites.
What Type of SOC Report is Best For Tech Providers?
Type 2 reports provide more value than Type 1. Having well-designed policies and procedures is good. However, testing adherence to those policies and procedures is even better. Type 1 is analogous to a “note to reader” financial statement whereas Type 2 is analogous to an audited financial statement.
Therefore, the most involved, detailed, and valuable SOC certification that evaluates your service providers’ operations is a SOC 2 Type 2 report. The AICPA regularly updates the standard, so ongoing certification shows a service provider commits to continuous improvement and is open to regular external scrutiny.
Finding SOC 2 Service Providers
Now that you know what SOC 2 means and why it matters you may want to know if your service providers are SOC 2 compliant. Your first step should be to ask your existing service providers if they have a recent SOC 2 Type 2 report and, if not, what their current plans are to prove SOC 2 compliance.
When you evaluate new service providers be sure to ask if they have a recent SOC 2 report. Be aware that some managed service providers (MSPs) proudly advertise that they resell SOC 2 compliant data centres or cloud services. However, if the MSP manages these services for you then the service provider itself must demonstrate SOC 2 compliance.
If you are looking for IT support, managed IT services (MSP), infrastructure-as-a-service (IaaS), cloud services, or managed security services, we hope F12.net is on your list of potential partners. F12.net has been audited annually under SOC 2 Type 2 by Auditwerx since 2015.