What is SOC 2 Compliance? Trust Service Criteria - CYBRI


By Paul Kubler

SOC 2 compliance, like many industry-led certifications, is 100% voluntary. Similar to PCI in the credit card processing space, vendors and providers of cloud services choose to invest in SOC 2 compliance to demonstrate to their clients and partners their commitment to data integrity, security, and privacy. SOC 2 is about putting well-defined policies, procedures, and practices in place, not just ticking all the compliance checkboxes with point solutions. Doing so effectively builds trust with customers and end users in the secure nature and operation of your cloud infrastructure.

SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), that specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

Who Can Perform a SOC Audit?

SOC audits can only be performed by independent CPAs (Certified Public Accountants) or accounting firms. The AICPA has established professional standards meant to regulate the work of SOC auditors. In addition, certain guidelines related to the planning, execution, and oversight of the audit must be followed.

All AICPA audits must undergo a peer review.

CPA organizations may hire non-CPA professionals with relevant information technology (IT) and security skills to prepare for SOC audits, but the final report must be issued and disclosed by the CPA.

If the SOC audit conducted by the CPA is successful, the service organization can add the AICPA logo to their website.

Maintaining SOC 2 compliance requires ongoing business commitment, including company personnel, board of directors support, and security operations funding.

Preparing for a SOC 2 Audit

In preparation for a SOC 2 compliance audit, organizations should review the following domain areas:

  1. Define the scope of the SOC 2 audit (internally)
    • Which Trust Services Criteria are most relevant to the organization
  2. Review SOC 2 compliance requirements
    • Review the current security posture
    • Review the current privacy policy
    • Ensure the confidentiality policy is up to date
    • Review the processing capability of production systems
    • Monitor the availability of all in-scope SOC 2 systems
  3. Establish a project plan and assign a project manager
  4. Ensure all SOC 2 policies and procedures are current
  5. Review SOC 2 compliance documentation from previous audits
  6. Review the latest SOC 2 compliance readiness tests

Trust Services Criteria

Within the SOC 2 compliance framework, auditors investigate several areas of the cloud infrastructure, including the areas that make up the Trust Services Criteria. AICPA audits spend a considerable amount of time on the following domains:

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
  • Availability: Refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers.
  • Processing integrity: Refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation.
  • Confidentiality: Addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Trust Services Criteria and the COSO Framework

The Trust Services Criteria for SOC 2 compliance draw on a portion of the 17 principles within the COSO framework. COSO, the Committee of Sponsoring Organizations, developed these 17 elements for internal control. AICPA auditors refer to this document often during a SOC 2 compliance review. Several elements of the COSO framework may be added to an individual audit depending on the provider’s services, environment, or level of risk exposure. Four additional domains that auditors may investigate include the following:

  • Logical or physical access control
  • System operations
  • Change Management
  • Risk Mitigation

The Common Criteria (CC) domains are another resource auditors reference during an audit. These additional areas of review include:

  • The control environment (CC1 series)
  • Communication and information (CC2 series)
  • Risk assessment (CC3 series)
  • Monitoring of controls (CC4 series)
  • Control activities related to the design and implementation of controls (CC5 series)

The AICPA commonly uses both the COSO and Common Criteria frameworks to supplement the initial review and discovery based on the Trust Services Criteria. The SOC 2 standard changes every year to stay aligned with the growing need to understand next-generation cloud-based systems and the interconnecting architectures between providers.

Conclusion

The SOC 2 audit is very much a technical audit. Yet SOC 2 audits also include several components specific to security policy, security control enablement, and security incident response capabilities. The COSO and Common Criteria domains also give AICPA practitioners additional auditing frameworks to leverage.

Organizations depend on SOC 2 compliant cloud providers to host their data, systems, and applications securely. Cloud providers leverage SOC 2 compliance to demonstrate to their client base their commitment to the security, availability, and confidentiality of client data.

Maintaining a positive compliance status continues to drive more companies to move to the cloud. Without standards like SOC 2, clients would opt to keep their systems within their own data centers.
