SOC 2 is the most commonly achieved audit report of the three SOC audit types, and SOC 2 reports are frequently requested when working with service providers. It is common for people to believe that SOC 2 is an upgrade from SOC 1, which is entirely true. An organization that completes a SOC 1 audit simply states what its controls are; no testing is performed to verify that the controls are being followed. A SOC 2 audit, on the other hand, tests the controls for gaps, failures, or weaknesses and reports on those items in the final report. Companies preparing for a SOC 2 must therefore design processes that produce artifacts (evidence) for their own internal inspection and testing, whereas companies pursuing only a SOC 1 typically do not develop such rigorous processes.
Areas of Control Found in SOC 2 Audits
SOC 2 deals with the examination of the controls of a service organization covering one or more of the Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy.
SOC 2 is built around the definition of a consistent set of processes for the IT services that you operate within your company. These processes are performed either by in-house staff or by a third-party service provider on your behalf. If you are leveraging a third-party provider, you may wish to ask for their SOC 2 audit report covering their controls relating to privacy, confidentiality, integrity, availability, and security. But be forewarned: most Managed Service Providers do not have the maturity to seek, nor the money to pay for, SOC 2 audits. This is NOT to say they aren't providing such assurances, but the industry as a whole has not moved in the direction of MSPs obtaining SOC 2 Type II audits.
Difference between SOC 2 Type I and SOC 2 Type II Audits
SOC 2 Type I audits confirm that appropriate controls exist within an organization. Type II audits confirm not only that the controls are in place, but also that they actually operate effectively over the audit period. SOC 2 Type II is therefore a better representation of how well a company or vendor is protecting and managing your data. If you find a vendor with a SOC 2 Type II audit, make sure to review which controls were included in scope, since the vendor still decides what is tested.
Source: InfoSecurity Magazine