What is SOC 2 (System and Organization Controls 2)?
SOC 2 (System and Organization Controls 2), pronounced "sock two," is a voluntary compliance standard for ensuring that service providers properly manage and protect the sensitive data in their care. SOC 2 offers a structure for auditing and reporting on the internal controls that an organization has put into place to ensure the security, availability, processing integrity, confidentiality and privacy of the data.
The SOC 2 standard was developed by the American Institute of Certified Public Accountants (AICPA). The standard defines a set of principles -- the Trust Services Principles -- that provide a foundation for evaluating an organization's internal controls. Each principle is associated with a set of criteria that specify what it takes for an organization to be in compliance with the standard, based on the organization's own stated objectives.
To achieve SOC 2 compliance, an organization must be audited by a third-party CPA firm that verifies whether the organization's controls meet the SOC 2 criteria. After completing the evaluation, the firm produces a comprehensive report about the audit's findings. Auditors can create two types of reports:
- SOC 2 Type 1. Evaluates how well an organization has designed and implemented its internal controls at a specific point in time. This is the simpler and quicker of the two report types.
- SOC 2 Type 2. Evaluates how well an organization has designed and implemented its internal controls and applied them over a period of time. This type of report is more complex and takes longer to produce but provides more assurance of the controls' effectiveness.
The auditor's report also indicates whether the organization has passed or failed the audit. If the organization passed, the auditor certifies that the organization has achieved SOC 2 compliance, specifying either Type 1 or Type 2. This compliance helps to assure clients, customers, partners and other interested parties that the organization can be trusted with their data, at least to the extent covered by the SOC 2 assurances.
What are the Trust Services Criteria?
At the heart of the SOC 2 standard is the Trust Services Criteria (TSC), an extensive set of criteria that expands on each Trust Services Principle. According to the AICPA: "The TSC are control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems (a) across an entire entity; (b) at a subsidiary, division or operating unit level; (c) within a function relevant to the entity's operational, reporting or compliance objectives; or (d) for a particular type of information used by the entity."
AICPA classifies the TSC into five broad categories, which provide a structure for understanding the general nature of the underlying criteria:
- Security. Systems are protected against unauthorized access or disclosure of sensitive information, as well as against system damages that could compromise data availability, integrity, confidentiality or privacy.
- Availability. The protected systems and information meet the availability and use requirements defined by the organization's objectives.
- Processing integrity. Processing operations are complete, accurate, timely and secure, as required by the organization's objectives.
- Confidentiality. Systems and operations meet the confidentiality requirements defined by the organization's objectives.
- Privacy. All personally identifiable information meets the collection, usage, retention, disclosure and disposal requirements defined by the organization's objectives.
The five categories provide a way for organizations to understand the scope of SOC 2 auditing and reporting and to get a sense of how auditors approach their evaluations. However, the actual organization of the TSC in the SOC 2 standard is far more complex.
The bulk of the standard is made up of the TSC, which are organized into 13 trust categories: five core categories, four supplemental categories and four specialty categories. Each category includes multiple Trust Services Principles, and each principle includes a set of related criteria.
For example, the first trust category is Control Environment (Trust ID CC1). The Common Criteria 1 (CC1) trust category contains five principles. The first principle, CC1.1, states that the "entity demonstrates a commitment to integrity and ethical values."
The CC1.1 principle includes five criteria, which are referred to as the points of focus. The first criterion is concerned with the overall tone: "The board of directors and management, at all levels, demonstrate through their directives, actions and behavior the importance of integrity and ethical values to support the functioning of the system of internal control."
The core and supplemental trust categories are numbered consecutively -- CC1 through CC9 -- and often grouped together:
- Control Environment (CC1). The criteria focus on the organization's commitment and efforts to carry out its objectives and support the functioning of internal controls.
- Communication and Information (CC2). The criteria are concerned with the organization's ability to gather, disseminate and communicate information relevant to meeting its objectives.
- Risk Assessment (CC3). The criteria address the organization's ability to identify, assess and manage the risks associated with meeting its objectives.
- Monitoring Activities (CC4). The criteria are concerned with the organization's ability to select, implement and manage internal controls and respond to control deficiencies in a timely manner.
- Control Activities (CC5). The criteria focus on how the organization selects, develops and deploys control activities and on its ability to put policies into action.
- Logical and Physical Access Controls (CC6). The criteria address the organization's ability to implement software and infrastructure controls over protected assets and to manage user access to protected data.
- System Operations (CC7). The criteria focus on the organization's ability to monitor and detect vulnerabilities, configuration changes and anomalous behavior and to respond to security incidents.
- Change Management (CC8). The criteria are concerned with the organization's ability to design, document and implement changes in data, software, infrastructure and procedures.
- Risk Mitigation (CC9). The criteria address the organization's ability to identify, select and develop risk mitigation activities.
The core trust categories include the first five in the list, and the supplemental categories include the last four. In addition to these categories, the SOC 2 standard defines four supplemental trust categories that focus specifically on availability, processing integrity, confidentiality and privacy.