SOC 2

4th September 2020 | Cybrary SOC 2



SOC 2 is the most commonly achieved audit report of the three SOC audit types, and SOC 2 audits are quite common when working with service providers. It’s common for people to believe that SOC 2 is an upgrade from SOC 1, which is entirely true. An organization that completes a SOC 1 audit simply states what its controls are; no testing is performed to verify that the controls are being followed. A SOC 2 audit, on the other hand, tests the controls for gaps, failures, or weaknesses and reports on those items in the final report. Companies preparing for a SOC 2 must design processes that produce artifacts for their own internal inspection and testing, unlike SOC 1 companies, which typically do not develop such rigorous processes.

Areas of Controls are Found in SOC 2 Audits

SOC 2 deals with the examination of the controls of a service organization covering one or more of the Trust Service Criteria (TSC): security, availability, integrity, confidentiality, and privacy.

SOC 2 is developed around the definition of a consistent set of processes for the IT services you operate within your company. These processes are performed either by in-house staff or by a third-party service provider on your behalf. If you’re leveraging a third-party provider, you may wish to ask for their SOC 2 audit report on their controls relating to privacy, confidentiality, integrity, availability, and security. But be forewarned: most Managed Service Providers do not have the maturity to seek, nor the money to pay for, SOC 2 audits. This is NOT to say they aren’t providing such assurances, but the industry as a whole has not moved in the direction of MSPs securing SOC 2 Type II audits.

Difference between SOC 2 Type I and SOC 2 Type II Audits

SOC 2 Type I audits confirm that appropriate controls exist within an organization, while Type II audits confirm not just that the controls are in place, but that they truly work as well. SOC 2 Type II is a better representation of how well a company or vendor is doing at protecting and managing your data. If you find a vendor with a SOC 2 Type II audit, make sure to review the controls that were included, as the vendor still controls what is tested.

Source: InfoSecurity Magazine

Related Terms: SOC 1, SOC 3

What does this mean for an SMB?

SOC 2 audits are a great way to identify gaps in your security program. The issue with SOC 2 audits is how expensive they have become, starting at approximately $30,000. As with SOC 1 audits, they are certainly beneficial if you can afford them, although there are other strategies that can be used to identify gaps in your security. CyberHoot has helped businesses determine and remediate vulnerabilities in their IT at a much cheaper rate! Not only does CyberHoot help identify cybersecurity gaps, it also provides the solutions to fix those gaps. CyberHoot helps employees become more aware and more secure through cybersecurity policies, awareness training, and even phish testing.

To learn about the difference between SOC 1 and SOC 2, watch this short video:

