SOC 2 Compliance Checklist
The SOC 2 compliance process takes several months, and it’s not a process to take lightly. Follow these steps to assess your readiness, prepare for an audit, and earn your SOC 2 certification.
Every organization needs to collect information from the people it serves. You need data from your customers, whether it’s their email, mailing address, or financial information. Digitization makes it a snap to collect, store, process, and retrieve this data with the stroke of a keyboard, but it also puts your data at risk of theft.
Mishandled data can lead to breaches, fines, identity theft, and other unpleasant headaches. That’s why it’s so important for organizations to properly lock down customer data. And depending on the data you collect and where you store it, you’re likely required to follow a specific set of controls to protect that data.
If you store any kind of customer data in the cloud, you need to follow the System and Organization Control 2 (SOC 2) standards. If you don’t know exactly what SOC 2 is or how it works, we’re here to help. Learn how SOC 2 works and five essential best practices you should follow to stay compliant. Ready to get started on your SOC 2 compliance journey? Check out our SOC 2 compliance checklist here.
Created by the American Institute of CPAs (AICPA) in 2014, SOC 2 stands for System and Organization Control 2. It’s a voluntary compliance standard that organizations using cloud computing should follow. SOC 2 defines five Trust Services Criteria (TSC) that organizations may need to meet to protect their customers.
The goal of SOC 2 is to help you lock down any systems that handle customer data. Put simply, it ensures you follow data security best practices both in your organizational policies and everyday workflows.
But unlike PCI standards, which are black-and-white and easier to follow, SOC 2 is more nuanced and complex. You aren’t required to follow all five Trust Services Criteria; you simply select the criteria that apply to your business and focus your efforts there. Your SOC 2 requirements will differ based on:
The customer data you collect
Data collection and storage methods
Your business model
Your daily business workflows
SOC 2 standards can feel more overwhelming because they aren’t mandatory or prescriptive. It’s up to you to choose your criteria, find ways to meet those criteria, and execute them. Despite its nuances, SOC 2 is a common set of standards that most modern businesses should follow. That’s why it’s important for your organization to understand which SOC 2 criteria apply to your business.
Before 2014, organizations only had to comply with SOC 1 standards. While they share a similar name, SOC 2 is not an update to SOC 1. They’re actually two separate standards.
The purpose of SOC 1 is to help you put internal controls on customers’ financial information. Basically, if you include financial reporting or information in your services to customers, you need to comply with SOC 1.
If you don’t provide a solution that handles financial reporting, but you still store customer data in the cloud, you should follow SOC 2. This means that organizations like banks would need to comply with both SOC 1 and SOC 2.
It’s difficult to understand SOC 2 because it’s so open to interpretation. Although it takes a little work to understand your SOC 2 requirements, it’s beneficial to follow these standards. SOC 2 matters because it:
Shows you care about data security: You need to earn your customers’ trust. Displaying the AICPA badge on your website proves that you know how to handle sensitive data. SOC 2 gives customers the assurance that their information is in good hands.
Gives you a competitive edge: Are your competitors SOC 2 certified? If not, following these data standards can easily give you an edge over your competitors. After all, customers don’t want to work with providers that can’t protect their data. Get SOC 2 certified to show your customers that you have the infrastructure to support them and keep their sensitive data secure.
Prepares you for inevitable cyberattacks: Cyberattacks happen. SOC 2 standards will help you put proactive measures in place to prevent the headaches that come with data breaches. Putting security measures in place not only prevents malicious activity, but it can also improve internal risk management.
SOC 2 is a third-party audit that shows you know how to protect your data. In a world where actions speak louder than words, SOC 2 certification demonstrates that you care about the people you serve.
SOC 2 comprises five TSCs:
Security
Availability
Processing Integrity
Confidentiality
Privacy
The Trust Services Criteria are aligned with the principles in the COSO Framework and consist of common criteria, which are shared by all five trust services categories, and control activity criteria specific to certain categories. AICPA explains, “For the categories of availability, processing integrity, confidentiality, and privacy, a complete set of criteria consists of (a) the common criteria and (b) the control activity criteria applicable to the specific trust services category or categories addressed by the engagement. The criteria for each trust services category addressed by the engagement are considered complete only if all the criteria associated with that category are addressed by the engagement.”
While each TSC has its own requirements, remember that not every TSC will apply to your business. At a minimum, your organization must comply with the Security TSC, but the other four criteria might be applicable. Run through SOC 2’s five Trust Services Criteria to see which criteria apply to your business.
The Security TSC says that organizations are required to protect their systems from outside access. The purpose of this TSC is to minimize the risk of data theft, misuse, or disclosure. That means you need some measures in place that restrict access to customer data in the cloud. Firewalls, two-factor authentication, and threat alerts are just a few ways to comply with this TSC.
Can your customers quickly and easily access their data? Are you giving them digital service in a timely, reasonable way?
This TSC applies to businesses that offer some type of system or online service to customers in the cloud. It requires your organization to provide a minimum level of performance at all times, no matter what. Organizations typically check for network availability and create failover systems to accommodate this TSC.
Does your system do what it’s supposed to do? Does it securely send data at the right time, to the right place? Is all data processing timely, accurate, and authorized? This TSC requires you to protect the data in your systems. Your organization can invest in encryption and quality assurance to meet this TSC.
The fourth TSC says organizations are responsible for restricting data access so that only relevant, authorized parties can use sensitive customer data. Complying with this TSC requires businesses to create policies and procedures for keeping this data confidential during transfer, storage, and access. Encryption, firewalls, and access controls are simple ways to fulfill this SOC 2 requirement.
Does your data include personally identifiable information (PII)? You need to comply with privacy rules any time you use, collect, disclose, or delete a customer’s data. Follow the AICPA’s Privacy Management Framework to help you fulfill this requirement.
SOC 2 is actually a type of technical audit. If you want to display the AICPA’s badge on your website, you’ll need to successfully complete an SOC 2 audit.
SOC 2 audits can take 6 - 12 months, but they’re an excellent way to prove that your business is protecting customer data in the cloud. A third-party auditor will analyze your processes and workflows to see how well you comply with the TSCs that apply to your organization.
Businesses seeking SOC 2 certification must hire a licensed, third-party CPA to conduct an official SOC 2 audit and prepare a report. Ideally, you should tap a CPA firm that specializes in information security or IT audits since they’ll need to analyze your cloud environment.
The independent CPA will follow AICPA standards to see how well you meet the criteria in your chosen Trust Services Criteria. Once the CPA finishes their audit, the AICPA does an independent peer review to make sure the audit is correct. If you pass the audit, you’ll receive a SOC 2 attestation report that describes how (and to what extent) your organization’s security controls meet SOC 2’s standards and Trust Services Criteria. Once you’ve received initial certification, annual audits are required to maintain it. These annual audits ensure that your security controls continue to meet the Trust Services Criteria that apply to your business.
The CPA can issue either a Type I or a Type II report on your SOC 2 compliance. You need to know which type of report is better for your organization.
Type I
Is this your first SOC 2 report? If so, chances are you’ll run a Type I report first. A Type I SOC 2 report checks your systems at a specific date or point in time. If you’re concerned about your compliance as of a certain date, a Type I report will quickly detail your level of compliance.
Type II
SOC 2 Type II reports, on the other hand, assess how your systems complied over a period of time. This ranges anywhere from 2 - 12 months, depending on your business, but 6 months is the most common. It’s easier to run a Type II report if you’ve successfully run a Type I report previously.
SOC 2 is challenging because it doesn’t list specific actions you need to take to achieve compliance. It simply provides the criteria and gives you the freedom to implement security controls however you see fit, provided that those controls adequately satisfy the relevant Trust Services Criteria. This can feel a little overwhelming because the AICPA doesn’t give you specific guidance on how to comply.
To confuse matters more, the AICPA doesn’t provide an official checklist for compliance. That’s because every organization is different: the Trust Services Criteria you follow may not apply to another business. At the end of the day, the criteria you follow and the measures you execute are up to you and your auditor.
Although the SOC 2 standards are open to interpretation, there are a few best practices your organization can follow to minimize your risk. Follow these 5 best practices to start your SOC 2 compliance on the right foot.
It’s a good idea to limit which employees have access to sensitive data. Organizations use access control to limit physical and digital access to this information. This means practices such as:
Giving each employee a unique ID and login
Physically locking your office space
Requiring employees to lock their computers when they leave their desks
Restricting access to certain data in applications based on user roles and permissions
Change management is also essential. When an employee leaves your company, you’ll need to quickly deactivate their accounts to ensure that they can no longer access sensitive information. This way, you know that only authorized employees have access to customer data on a need-to-know basis.
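The two practices above, unique per-employee accounts with role-based permissions and prompt deactivation when someone leaves, are the kind of control an auditor asks you to evidence. The following is an added example, not code from the original post or from any product it mentions: it models a small in-memory directory, enforces deny-by-default role checks, and reconciles an HR termination feed against active accounts to find logins that should already have been disabled. The role names, permission strings, user IDs, dates and one-day grace period are all constructed assumptions.

```python
# Added example (not from the original post): role-based access checks plus an
# offboarding sweep that reconciles HR terminations against active accounts.
# Every name, role, ID and date below is constructed sample data.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical role-to-permission map; replace with your application's roles.
ROLE_PERMISSIONS = {
    "support": {"read:tickets"},
    "billing": {"read:tickets", "read:invoices"},
    "admin": {"read:tickets", "read:invoices", "write:invoices", "manage:users"},
}

@dataclass
class Account:
    user_id: str            # unique per employee: never a shared login
    role: str
    active: bool = True
    sessions: set = field(default_factory=set)

def can_access(account: Account, permission: str) -> bool:
    """Deny by default: deactivated accounts and unknown roles get nothing."""
    if not account.active:
        return False
    return permission in ROLE_PERMISSIONS.get(account.role, set())

def deactivate(account: Account) -> None:
    """Offboarding: disable the login and revoke every live session."""
    account.active = False
    account.sessions.clear()

def overdue_deactivations(accounts, terminations, today, grace_days=1):
    """User IDs whose last day was more than `grace_days` ago but whose
    account is still active. This list is the evidence an auditor wants
    to see empty."""
    overdue = []
    for user_id, last_day in terminations.items():
        acct = accounts.get(user_id)
        if acct and acct.active and today - last_day > timedelta(days=grace_days):
            overdue.append(user_id)
    return sorted(overdue)

# Constructed sample directory and HR termination feed
ACCOUNTS = {
    "u1001": Account("u1001", "support", sessions={"sess-a"}),
    "u1002": Account("u1002", "billing"),
    "u1003": Account("u1003", "admin", sessions={"sess-b", "sess-c"}),
}
TERMINATIONS = {"u1001": date(2024, 3, 1), "u1003": date(2024, 3, 10)}
TODAY = date(2024, 3, 11)

def run_offboarding_sweep():
    """Deactivate every overdue account and return the IDs actioned."""
    overdue = overdue_deactivations(ACCOUNTS, TERMINATIONS, TODAY)
    for uid in overdue:
        deactivate(ACCOUNTS[uid])
    return overdue

if __name__ == "__main__":
    print("overdue before sweep:", overdue_deactivations(ACCOUNTS, TERMINATIONS, TODAY))
    print("deactivated:", run_offboarding_sweep())
    print("u1001 can read tickets:", can_access(ACCOUNTS["u1001"], "read:tickets"))
```

In practice the HR feed and the identity provider are the two systems being reconciled; the point of the sweep is that a departed employee still holding an active account shows up as a finding rather than staying invisible until the audit.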
You need to monitor your IT infrastructure for any potential security problems. Organizations need to both create policies for monitoring their infrastructure and build monitoring into their daily routines. There are IT solutions that can help you monitor your network on a 24/7 basis. Over time, you’ll get an idea of your typical activity as a baseline.
Don’t let a security breach catch you off guard. Implement security alerts so you can take action the moment a potential security issue is detected.
Implement a security system that compares behavior on your network with your normal baseline. If the system notices any unusual or atypical behavior, it will send you an alert so you can investigate the problem immediately. Your security system should alert you to abnormal:
File transfers
Login attempts
Data exposures
Data modification
This might not prevent breaches, but it can certainly limit the damage malicious actors and unauthorized users can do to your systems.
It’s only a matter of time until your organization experiences some kind of data breach. The best way to learn from these breaches is to use audit logs. These logs provide in-depth threat intelligence so you can analyze what went wrong. The logs will show you:
Where an attack originated
The data the attacker accessed
What the attack will likely target next
Audit logs give you more context behind a threat so you can formulate a smarter response. Use this technology so you can design a more secure infrastructure that’s prepared for anything.
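The baseline-and-alert idea from the monitoring section and the audit-log analysis described here share one pipeline: parse the log, learn what normal looks like per user, flag the day that deviates, and then read the same log back to see where the session came from and what it touched. The following is an added example, not code from the original post or from any product it mentions. The log format (`timestamp key=value ...`), the user, the IP addresses, the byte counts, the five-day baseline window and the alert floors are all constructed assumptions; the threshold rule (mean plus three standard deviations, never below a fixed floor) is one common choice, not something the post prescribes.

```python
# Added example (not from the original post): parse constructed audit-log
# lines, learn a per-user daily baseline, flag the day that deviates, and
# summarize what the flagged session touched. All data below is made up.
import re
from collections import defaultdict
from statistics import mean, pstdev

# Five ordinary workdays for one user, then an off-hours burst of failed
# logins from a new address followed by unusually large downloads.
NORMAL_DAYS = """\
2024-03-04T09:01:00Z user=u1002 ip=198.51.100.20 event=login result=ok
2024-03-04T09:05:00Z user=u1002 ip=198.51.100.20 event=download object=invoices-2024-03.csv bytes=1500000
2024-03-05T09:00:30Z user=u1002 ip=198.51.100.20 event=login result=fail
2024-03-05T09:01:00Z user=u1002 ip=198.51.100.20 event=login result=ok
2024-03-05T09:06:00Z user=u1002 ip=198.51.100.20 event=download object=invoices-2024-03.csv bytes=1600000
2024-03-06T09:02:00Z user=u1002 ip=198.51.100.20 event=login result=ok
2024-03-07T09:00:00Z user=u1002 ip=198.51.100.20 event=login result=ok
2024-03-07T09:04:00Z user=u1002 ip=198.51.100.20 event=download object=invoices-2024-03.csv bytes=1400000
2024-03-08T09:03:00Z user=u1002 ip=198.51.100.20 event=login result=ok
""".splitlines()
INCIDENT_DAY = [
    f"2024-03-11T02:1{i}:00Z user=u1002 ip=203.0.113.7 event=login result=fail" for i in range(6)
] + [
    "2024-03-11T02:16:00Z user=u1002 ip=203.0.113.7 event=login result=ok",
    "2024-03-11T02:17:00Z user=u1002 ip=203.0.113.7 event=download object=customers.csv bytes=52000000",
    "2024-03-11T02:18:00Z user=u1002 ip=203.0.113.7 event=download object=invoices-all.csv bytes=31000000",
]
BASELINE_DAYS = ["2024-03-04", "2024-03-05", "2024-03-06", "2024-03-07", "2024-03-08"]
FLOORS = {"failed_logins": 5, "download_bytes": 10_000_000}  # hypothetical minimum thresholds

LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) (?P<kv>.*)$")

def parse_line(line):
    """'ts key=value ...' -> dict; None for a malformed line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, val = token.split("=", 1)
        rec[key] = val
    return rec

def daily_aggregates(records):
    """Per (user, day): failed-login count and bytes downloaded."""
    agg = defaultdict(lambda: {"failed_logins": 0, "download_bytes": 0})
    for r in records:
        entry = agg[(r["user"], r["ts"][:10])]  # creates the day even if nothing matches below
        if r.get("event") == "login" and r.get("result") == "fail":
            entry["failed_logins"] += 1
        elif r.get("event") == "download":
            entry["download_bytes"] += int(r.get("bytes", 0))
    return agg

def build_baseline(agg, baseline_days):
    """Threshold per user/metric = mean + 3 sigma over the baseline days, never
    below FLOORS, so a quiet user does not alert on a single extra event."""
    thresholds = {}
    for user in {user for user, _ in agg}:
        thresholds[user] = {}
        for metric, floor in FLOORS.items():
            vals = [agg.get((user, d), {metric: 0})[metric] for d in baseline_days]
            thresholds[user][metric] = max(mean(vals) + 3 * pstdev(vals), floor)
    return thresholds

def detect_anomalies(agg, thresholds, day):
    """Alerts for every user/metric on `day` that exceeds its threshold."""
    alerts = []
    for (user, d), metrics in agg.items():
        if d != day:
            continue
        for metric, value in metrics.items():
            thr = thresholds.get(user, {}).get(metric, FLOORS[metric])
            if value > thr:
                alerts.append({"user": user, "metric": metric, "value": value, "threshold": thr})
    return sorted(alerts, key=lambda a: a["metric"])

def incident_summary(records, user, day):
    """After an alert, the audit log answers two of the post's questions:
    where the session came from and which data it accessed."""
    hits = [r for r in records if r["user"] == user and r["ts"].startswith(day)]
    return {
        "source_ips": sorted({r["ip"] for r in hits}),
        "objects": [r["object"] for r in hits if r.get("event") == "download"],
        "bytes": sum(int(r["bytes"]) for r in hits if r.get("event") == "download"),
    }

def run():
    records = [r for r in map(parse_line, NORMAL_DAYS + INCIDENT_DAY) if r]
    agg = daily_aggregates(records)
    thresholds = build_baseline(agg, BASELINE_DAYS)
    return detect_anomalies(agg, thresholds, "2024-03-11"), incident_summary(records, "u1002", "2024-03-11")

if __name__ == "__main__":
    alerts, summary = run()
    for a in alerts:
        print(f"ALERT {a['user']} {a['metric']}={a['value']} > {a['threshold']:.0f}")
    print(summary)
```

The floors matter as much as the statistics: with one failed login in five days, a pure three-sigma rule would alert at two failures, which is noise. Keeping baseline days with zero activity in the calculation (rather than only days that happen to have events) is what makes the mean honest.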
Another SOC 2 best practice is to conduct readiness assessments before your official audit. Instead of crossing your fingers and hoping that you’re compliant in time for an audit, conducting a readiness assessment helps you prepare for your audit.
Think of an assessment as pre-audit practice. Ask an AICPA auditor to analyze your business and identify any gaps that could affect your compliance. This is a valuable way to prepare for your first SOC 2 audit. Ideally, the readiness assessment will identify areas for improvement that you can address before the more time-consuming official audit.
Compliance isn’t a one-time task. It’s an ongoing effort that requires you to follow specific workflows that protect your customers. Threats are everywhere—especially in the cloud—and it’s your responsibility to be a trusted steward of your customers’ data.
SOC 2 compliance will help your organization add layers of security that improve customer trust, prevent breaches, and strengthen your brand’s overall security posture. However, because SOC 2 is so flexible, it can be tough to understand how its standards apply to your organization. But compliance shouldn’t be a headache, and it doesn’t have to be. Watch our platform demo to learn how Datica can help you streamline SOC 2 compliance and visit our SOC 2 compliance checklist to prepare for an audit.