SOC 2 Overview and Guides
SOC 2 is the most widely adopted and requested compliance certification for SaaS vendors in the United States. In this overview, we will explain the basics of SOC 2 and the concepts involved in the SOC 2 compliance readiness process, along with an outline of what you can expect as you work towards compliance. This guidance is based on our cumulative experience as former auditors, as well as on working closely with our customers and auditor partners who are involved in many SOC 2 attestation processes.
What is SOC 2?
SOC 2 is a comprehensive framework applicable to any service provider that stores any kind of client data in the cloud or on-prem. This includes the vast majority of SaaS start-ups. The SOC 2 framework is built on the concept of Trust Service Criteria (TSC), which are grouped into five overarching categories. Each TSC is further divided into corresponding common criteria (often described as CC 1.1, CC 2.0, etc.). The individual common criteria are used for evaluating and reporting on the robustness of an organization’s systems (this usually means your technology and business stack) and policies.
In a SOC 2 audit, it is mandatory for you to show proof of adherence to the first TSC category, Security. Proving adherence to all other TSC categories is optional and is decided by the organization based on the type of data you store and the expectations your enterprise customers have of you.
The five TSC are:
- Security (Required): Demonstrates to an auditor that your systems are protected against unauthorized access and other risks that could impact your organization’s ability to provide services to your clients.
- Availability (Optional): Applicable when you, as a service organization, are required to demonstrate that your systems meet a certain standard of high availability.
- Confidentiality (Optional): Applicable to organizations that need to demonstrate that data that is classified as confidential is protected.
- Processing integrity (Optional): Applicable to organizations that must demonstrate that system processing is occurring accurately and in a timely manner.
- Privacy (Optional): Included when a service organization is in possession of personal information to demonstrate this information is protected and handled appropriately.
At the end of the day, each individual business must choose which categories, along with their corresponding sets of common criteria, they would like an auditor to evaluate. There isn’t a one-size-fits-all approach, and you will need to decide what aspects of your business you would like observed and audited as part of this process based on the commitments you have communicated to your customers and other stakeholders.
For example, if you have committed to delivering a secure product that is available 99% of the time, you might consider including common criteria from the Availability TSC in your SOC 2 attestation. If your commitments include keeping your customers’ confidential data secure, you might think of adding Confidentiality criteria as well. Finally, if your service creates, collects, transmits, uses, or stores personal information, you should consider adding criteria from the Privacy TSC. In every case, you will have to prove adherence to the Security TSC, which lightly touches on all of the other principles as well, forming the required baseline for SOC 2.
Now that you’re familiar with the framework behind SOC 2, it’s time to decide which type of SOC 2 audit you will need to pursue.
Do I choose a Type I or Type II audit?
If you’re a very young company pursuing SOC 2 for the first time, get a Type I. If you’re pursuing enterprise sales, consider getting a Type II.
Difference between Type I and Type II:
A SOC 2 Type I differs from a Type II in that Type I assesses the design of the security controls at a specific point in time, while the Type II report assesses how effectively those controls operate over a period of time, such as three months, six months, or a year.
It’s important to understand that there are valid reasons to choose either type of audit and that you don’t have to have both; many organizations pick one or the other. While Type II is the more popular of the two — it’s more comprehensive and cheaper in the long run — a Type I audit can be the right choice for you if:
- You’re pursuing a SOC 2 audit for the first time and don’t have the requisite organizational maturity to pass all of the required controls.
- You need a report quickly.
- You’re going after small-to-medium-sized enterprise deals.
- Before preparing for a full audit, you want to show that you understand the necessary procedures to achieve the SOC 2 standard.
In Type I, your controls are verified only once. In contrast, the SOC 2 Type II audit process involves a typical three-to-six-month period (though it can range up to 12 months) during which you have to prove to the auditor that your controls were being satisfied (this period is called an “observation period”). During the observation period, the third-party auditor verifies your continual adherence to your controls.
You will need a Type II attestation if:
- You have mature information security programs, systems, and processes and can prove that you’re consistently adhering to controls over a long period of time.
- You are planning a major funding round or exit.
- You’re pursuing enterprise-level deals.
What will this cost me?
Traditionally, SOC 2 can cost anywhere from $30,000 to $100,000 when you factor in the cost of the audit firm, as well as internal costs, including productivity, staff training, and resources needed to meet specific requirements.
At Kintent, we believe compliance shouldn’t cost an arm and a leg. We want to make the readiness and audit process both affordable and simple. We’ve broken the cost down into two areas:
- Cost of SOC 2 compliance readiness using the Trust Cloud platform – FREE for startups… By automating much of the process and offering a transparent and straightforward pricing structure, we make it easier for you to manage the overall cost of achieving SOC 2 readiness.
- An auditor. We’ve developed strong relationships with a number of audit firms. Not only does this mean that they are trained on the platform and know how to evaluate your business, but they are also able to pass along sizable discounts as a result of a referral from Kintent. SOC 2 audit partners in the Kintent network charge between $8,000 and $28,000 for SOC 2 audits, based on the maturity and complexity of the engagement.
If you think about it, we’ve created a win-win-win scenario.
How long is the SOC 2 process going to take?
When using tools such as TrustOps, which automate much of the process for you, the timeline for your Type I or Type II certification could look like the following:
Without Trust Cloud, you would be looking at a very manual and tedious process that could take up to a year. During this time, you would need to understand each requirement and how it applies to your business, conduct the necessary testing, accumulate all the evidence proving your compliance in a single location, and draft the right documentation. This estimate doesn’t include the time an auditor needs to evaluate your business and observe your practices.