What is SOC 2 compliance?
A SOC 2 is a compliance framework designed by the American Institute of CPAs (AICPA) to evaluate the data security posture of an organization. Companies hire a third-party auditor to provide assurance to prospects, customers, and investors that customer data is safe. A SOC 2 is widely accepted in North America (and increasingly abroad) as proof of data security to stakeholders.
Why is a SOC 2 important?
The most notable benefit of a SOC 2 is the increased ability to sign on high-value clients. Many organizations will limit their business to vendors that have a SOC 2.
Is a SOC 2 legally required?
A SOC 2 is not legally required. It is a private report that is usually driven by prospects, customers, and investors asking for proof of data security.
What are the requirements?
A SOC 2 consists of detailed information about your organization's adherence to five categories. A third-party auditor will give their opinion on whether an organization is complying with each of the categories, which include:
Security (Required): The ability of an organization to protect data and systems against unauthorized access and disclosure.
Availability (Optional): Information and systems are available for operations and use.
Confidentiality (Optional): Confidential information is protected.
Processing Integrity (Optional): System processing should be accurate, timely, and authorized.
Privacy (Optional): Personal information is collected, used, retained, disclosed, and disposed of in accordance with policies.
What do I need to do?
While there is no set process for all organizations, there are certain activities that help achieve compliance (i.e. a favorable opinion from a third-party auditor). Some examples include:
- Maintaining information security policies
- Ensuring employees complete security awareness training
- Employee onboarding procedures such as evaluation of competence, signing confidentiality agreements, and undergoing background checks
- Performing a risk assessment
- Performing vulnerability scans and penetration tests on production systems
- Ensuring systems have secure authentication and administration processes
- Implementing an incident response plan
- Reviewing vendors' security and their impact on your system security
- A process to authorize and test code changes prior to deployment
What is the audit process?
- An organization will engage a third-party auditor to perform an audit of its systems and processes.
- The auditor will interview the stakeholders who can speak to their systems and processes, on topics including:
  - Human Resources
  - Risk assessment process
  - System access and authentication procedures
  - Systems monitoring for security events
  - Incident response process
  - Change management process
  - Vendor management process
- The auditor will request documentation to verify that the processes described during the interviews are in place. Documentation usually comes in the form of the organization taking screenshots and exporting listings from their systems.
- The auditor will work with the organization to write and issue a detailed SOC 2 report that describes the organization's processes and states the auditor's opinion on whether the organization has sufficient processes to meet the criteria defined by the AICPA. This report can be shared with prospects, customers, and investors at the organization's discretion.
- Audits are usually on an annual cadence: the auditor returns the following year to repeat the process.
How much does a SOC 2 cost?
The cost can range from $12K to $80K annually. The average cost of a SOC 2 audit varies depending on the size of the company and its goals.
JSR audit is an advisor that makes IT audit easy.
© 2023 JSRaudit. All rights reserved