SOC 2 Overview and Guides

SOC 2 Overview and Guides explain the basics of the SOC 2 compliance readiness process and an outline of what you can expect as you work towards compliance. SOC 2 is the most widely adopted and requested compliance certification for SaaS vendors in the United States. This overview explains the basics of SOC 2, the concepts involved in the SOC 2 compliance readiness process, and an outline of what you can expect as you work towards compliance. This guidance is based on our cumulative experience as former auditors as well as working closely with our customers and auditor partners who are involved in many SOC 2 attestation processes.

What is SOC 2?

SOC 2 is a comprehensive framework applicable to any service provider that stores any kind of client data in the cloud or on-premise. This includes the vast majority of SaaS start-ups. The SOC 2 framework is built on the concept of Trust Service Criteria (TSC), which are grouped into five overarching categories. Each TSC is further divided into corresponding common criteria (often described as CC 1.1, CC 2.0, etc.). The individual common criteria are used for evaluating and reporting on the robustness of an organization’s systems (this usually means your technology and business stack) and policies.

In a SOC 2 audit, it is mandatory for you to show proof of adherence to the first TSC category called Security. Proving adherence to all other TSC categories is optional and decided by the organization based on the type of data you store and the expectations your enterprise customers have from you.

The five TSC are:

1. Security (Required): Demonstrates to an auditor that your systems are protected against unauthorized access and other risks that could impact your organization’s ability to provide services to your clients.
2. Availability (Optional): Applicable when a service organization is required to demonstrate that its systems meet a certain standard of high availability.
3. Confidentiality (Optional): Applicable to organizations that need to demonstrate that data that is classified as confidential is protected.
4. Processing integrity (Optional): Applicable to organizations that must demonstrate that system processing is occurring accurately and in a timely manner.
5. Privacy (Optional): Included when a service organization is in possession of personal information and to demonstrate this information is protected and handled appropriately.

All in all, each individual business must choose which category, along with their corresponding set of common criteria, they want an auditor to evaluate. There isn’t a one-size-fits-all approach, and you need to decide what aspects of your business you want to be observed and audited based on the commitments you have communicated to your customers and other stakeholders.

For example, if you have committed to delivering a secure product that is available 99% of the time, you might consider including common criteria from the Availability TSC in your SOC 2 attestation. If your commitments include keeping your customers’ confidential data secure, you might think of adding Confidentiality criteria as well. Finally, if your service creates, collects, transmits, uses, or stores personal information, you should consider adding criteria from the Privacy TSC. In every case, you need to prove adherence to the Security TSC, which lightly touches on all of the other principles as well, forming the required baseline for SOC 2.

Now that you’re familiar with the framework behind SOC 2, it’s time to decide which type of SOC 2 audit you need to pursue.

Do I choose a Type I or Type II audit?

If you’re a very young organization pursuing SOC 2 for the first time, get a Type I. If you’re pursuing enterprise sales, consider getting a Type II.

Difference between Type 1 and Type II:

A SOC 2 Type 1 is different from a Type 2 in that the Type 1 report assesses the design of the security controls at a specific point in time, while the Type 2 report assesses how effective those controls are over a period of time, such as three, six months, or a year.

It’s important to understand that there are valid reasons to choose either type of audit and that you don’t have to have both; many organizations pick one or the other. Type II is the more popular of the two; it’s more comprehensive and cheaper in the long run.

 You can consider a Type I audit if:

• You’re pursuing a SOC 2 audit for the first time and don’t have the requisite organizational maturity to pass all of the required controls.
• You need a report quickly.
• You’re going after small to medium-sized enterprise deals.
• Before preparing for a full audit, you want to show that you understand the necessary procedures to achieve the SOC 2 standard.

In Type I, your controls are verified only once. In contrast, the SOC 2 Type II audit process involves a typical three- to six-month (though it can range up to 12 months) period to prove to the auditor that your controls are being satisfied during that time (this period is called an “observation period”). During the observation period, the third-party auditor verifies your continual adherence to your controls.

You can consider Type II attestation if:

• You have mature information security programs, systems, and processes and can prove that you’re consistently adhering to controls over a long period of time.
• You are planning a major funding round or exit.
• You’re pursuing enterprise-level deals.

What will this cost me?

Traditionally, SOC 2 can cost anywhere from $30,000 to $100,000 when you factor in the cost of the audit firm as well as internal costs, including productivity, staff training, and resources needed to meet specific requirements.

At TrustCloud, we believe compliance shouldn’t be expensive. To make the readiness and audit process both affordable and simple, the cost has been broken down into two areas:

1. Cost of SOC 2 compliance readiness using the TrustCloud platform – FREE for startups By automating much of the process and providing a transparent and straightforward pricing structure, making it easier for you to manage the overall cost of achieving SOC 2 readiness.
2. An auditor. We’ve developed strong relationships with a number of audit firms. This means they are trained on the platform, know how to evaluate your business, and are able to pass along sizable discounts as a result of a referral from TrustCloud. SOC 2 audit partners in the TrustCloud network charge between $8,000 and $28,000 for SOC 2 audits based on the maturity and complexity of the engagement.

How long is the SOC 2 process going to take?

When using tools such as TrustOps that automate much of the process for you, the timeline for your Type I or Type II certification could look like the following:

Without TrustCloud, you will be looking at a very manual and tedious process that could take up to a year. During this time, you need to understand each requirement and how it applies to your business, conduct the necessary testing, accumulate all the evidence proving your compliance in a single location, and draft the right documentation. This estimate doesn’t include the time an auditor needs to evaluate your business and observe your practices.

Click here to understand how to get started with SOC 2!