SOC 2 Frequently Asked Questions

Businesses are increasingly concerned about the security, privacy, confidentiality, availability and processing integrity of the data they share with vendors. If your company outsources (or provides) critical technology services like payroll, data processing, analytics, SaaS applications, cloud hosting and so on, chances are good that you’ve heard about the System and Organization Controls (SOC) 2 report.

This page answers several of the questions we’re most often asked about SOC 2.

What is SOC 2?

Developed by the American Institute of Certified Public Accountants (AICPA) in response to the ongoing move to cloud computing, a SOC 2 report attests to the suitability of a service organization’s internal controls for handling client data in a secure and trustworthy manner. It is an independent report, issued by a licensed CPA firm, based on an examination of the system-level controls that process clients’ data. This is in contrast to a SOC 1 report, which focuses on controls relevant to a client’s financial reporting.

Generally, when someone asks if you have a “SOC 2,” they are referring to a SOC 2 Type 2 service auditor’s report covering the Security and Availability Trust Services Criteria. A SOC 2 Type 2 report covers the design and documentation of controls and provides evidence of how the organization actually operated those controls over an extended review period (typically six to twelve months).

What is SOC 2 Type 1 (SOC 2 Type I)?

When a service organization undergoes a SOC 2 audit, it specifies whether the auditor will perform a SOC 2 Type 1 or a SOC 2 Type 2 examination.

A SOC 2 Type 1 report attests to the design and documentation of a service provider’s controls and procedures as of a specific date. It does not, however, test whether those controls actually operated effectively: a Type 1 shows that suitably designed controls exist, not that they were followed over time.

What is SOC 2 Type 2 (SOC 2 Type II)?

Like a SOC 2 Type 1 report, a SOC 2 Type 2 report covers the design and documentation of controls. A SOC 2 Type 2 report also provides evidence of how the organization actually operated its controls over a defined review period (typically six to twelve months), including the auditor’s tests of each control and any exceptions found.

It is important to note that the scope of the controls covered in a SOC 2 Type 1 versus SOC 2 Type 2 report could be the same. That is, a Type 2 report is not inherently more stringent than a Type 1 report. The key difference is whether controls are examined “on paper” at a point in time or in operation over a period of time.

What are the SOC 2 Trust Services Criteria?

The SOC 2 Trust Services Criteria (formerly called the Trust Services Principles and Criteria) are the full set of criteria that can be included in the scope of a SOC 2 examination. The current version, the 2017 Trust Services Criteria, is required for any SOC 2 report issued on or after December 15, 2018.

There are five Trust Services categories: Security, Availability, Confidentiality, Privacy and Processing Integrity. Of these, only Security (also known as the “Common Criteria”) must be covered in every SOC 2 examination; the others are included or excluded based on their applicability to the service being offered. Each category contains a number of individual criteria, and because the Security criteria apply to all of the other categories there is significant overlap among them.

What are the SOC 2 compliance requirements?

As SOC 2 is not a standard but a report, there is no SOC 2 “compliance” per se. Instead, you undergo an examination in which an independent auditor tests whether your organization has created, documented and is following the policies, procedures and technical controls needed to meet the Security Trust Services Criteria and any other criteria within the scope of your audit. The outcome is not a pass/fail certificate but the auditor’s opinion, which may be unqualified (clean), qualified or adverse, together with a listing of any exceptions noted during testing.

For many service organizations, the Security criteria are of primary interest to their clients and other stakeholders. Therefore, the scope of a SOC 2 examination, and thus the requirements for SOC 2 “compliance,” might only include the Security criteria.

What is SOC 2 versus SOC 1?

A SOC 2 report is an independent report, issued by a CPA firm, that covers a service organization’s internal controls that relate to securing and managing client data. A SOC 1 report focuses on controls relevant to a client’s internal control over financial reporting rather than on security controls.

What does a SOC 2 Report look like/include?

The American Institute of CPAs (AICPA) specifies the components of a SOC 2 report and what information each component must contain, but it does not mandate a format, so auditors organize their reports as they see fit. In practice most reports contain the same sections: the independent service auditor’s report (the opinion), management’s assertion, management’s description of the system, and, for a Type 2, the auditor’s description of the tests of controls and their results, sometimes followed by other information provided by the service organization that the auditor has not examined.

Here is an example SOC 2 report created by the AICPA for illustrative purposes. An actual SOC 2 Type 2 report would address different criteria and include different controls and tests of controls specific to the organization being audited.

What are the SOC 2 requirements?

Unlike some other information security standards, such as PCI DSS, that spell out very specific requirements, SOC 2 does not prescribe particular controls: the policies, procedures and technical controls you put in place to meet the criteria are unique to each organization.

What is the SOC 2 controls list?

A company designs its own controls, in line with its business practices, to meet the relevant SOC 2 Trust Services Criteria. The auditor then tests whether those controls are suitably designed (and, for a Type 2, operating effectively) to meet each in-scope criterion.

Where can I find a SOC 2 audit checklist XLS?

SOC 2 isn’t a one-size-fits-all framework. It examines the controls your company has put in place to protect and manage client data, based on your own business practices and the system in scope. The AICPA provides no “official,” authorized or formal checklist for SOC 2 compliance.

So while you probably won’t find an “audit checklist” with control-level details, reviewing the Trust Services Criteria described above, together with the AICPA’s points of focus listed under each criterion, is a good alternative.

What is SOC 2 versus ISO 27001?

SOC 2 and ISO 27001 are very different “animals,” but they can serve similar purposes for service providers that need to demonstrate to clients, prospects and other stakeholders that they have a solid security posture. Both are widely recognized (ISO 27001 more so outside North America, where SOC 2 is most often requested), and both offer the high level of confidence that comes from an independent, third-party audit.

ISO 27001 is an international standard that specifies the requirements for an information security management system (ISMS); its companion standard, ISO 27002, provides the implementation guidance. Your organization’s ISMS can be certified as conforming to ISO 27001 by an accredited certification body. Certification is valid for three years, during which the certification body performs annual surveillance audits; a full recertification audit is required every three years or the certification lapses.

SOC 2, in comparison, serves to demonstrate that an organization has adequate security practices in place and is operating them effectively. There is no SOC 2 certification per se: SOC 2 is an attestation report that provides an independent auditor’s opinion about an organization’s control environment. Because a Type 2 report covers a specific review period, most organizations repeat the examination annually so that clients always have a current report.

How much does SOC 2 audit cost?

As SOC 2 pricing varies with organizational size, the Trust Services Criteria selected, the number of locations and the CPA firm selected, the best answer to this question is “it depends.” A typical audit, delivered by a reputable nationally recognized firm, for a small to midsized technology service provider against the Security and Availability criteria is usually about $40,000–$45,000 per year.

Other factors that can impact the cost of a SOC 2 audit might include:

  • The size of your organization and how many locations are involved
  • The complexity and inherent risk associated with the services you offer
  • How quickly you need to get ready for the audit
  • The experience level and background of the security professionals who will be supporting you

More and more SaaS providers and other companies that use the cloud to store client data are under pressure to provide a SOC 2 report, ISO 27001 certification or another information security attestation. While the process can be complex, it needn’t be overwhelming. If you are interested in learning more about the potential scope, cost and timeframe to become SOC 2 attested, or to conduct a readiness assessment or internal audit ahead of your external SOC 2 audit, contact Pivot Point Security to speak to an expert today.