What Is Evaluated in a SOC 2 Type II?
In a SOC 2 Type II audit, the policies and controls designed to meet the Trust Services Criteria described above are evaluated for their operating effectiveness over an observation period, typically six to twelve months. The auditor asks two questions: are the controls suitably designed for the criteria in scope, and did the organisation operate them consistently throughout the period? (A Type I report, by contrast, only assesses control design at a single point in time.)
What Is a SOC 2 Type II Certification?
A SOC 2 Type II "certification" is, strictly speaking, an attestation report issued by an independent third-party auditor stating that the organisation's controls were suitably designed and operated effectively over the audit period. The term "certification" is widely used, but what the organisation receives is a report, not a certificate, and it covers only the systems, criteria and time period stated in the report.
What Are the Benefits of SOC 2 Type II Compliance?
The benefits of SOC 2 Type II are in improving the overall health of data security and protections within an organisation and across its vendors. For service providers, SOC 2 Type II certification can help improve the odds of earning a partnership or client over the competition. For clients, it’s demonstrable proof your data will be in good hands with proper controls and safeguards.
Who Needs to Have SOC 2 Type II Compliance?
Any vendor that handles customer data or sensitive information can benefit from a SOC 2 Type II report, particularly one that must meet a contractual obligation to a customer to provide one. SaaS providers, managed service providers and data centre operators are the most common examples.
SOC 2 vs. Other Compliance Certifications
Differences Between SOC 1 and SOC 2
What is the difference between SOC 1 and SOC 2? SOC 1 is not focused on security criteria but on controls relevant to a customer's financial reporting. SOC 1 was also designed for service organisations, but specifically those to which financial functions (payroll, payment processing, claims handling) have been outsourced. Note that SOC 1 audits typically align with the customers' fiscal years and are framed around the five components of internal control from the COSO framework: control environment, risk assessment, control activities, information and communication, and monitoring activities.
Differences Between SOC 2 and ISO 27001
Both SOC 2 Type II and ISO 27001 address the management of information security, but they are different kinds of instruments. ISO 27001 is an international standard that specifies the requirements for an information security management system (ISMS); an organisation is certified against it by an accredited certification body. SOC 2 Type II is an attestation framework: a CPA firm examines whether the controls an organisation has chosen to meet the Trust Services Criteria were designed and operated effectively over a period, and reports on the result. Many organisations hold both, and a well-run ISMS provides much of the evidence a SOC 2 auditor will ask for.
SOC 2 Type II vs. PCI DSS, HIPAA, GDPR
There are a number of compliance frameworks—how are they different, and which organisations need them?
SOC 2 Type II and the Payment Card Industry Data Security Standard (PCI DSS) are two different compliance frameworks with limited overlap. PCI DSS is specifically concerned with controls over how cardholder data and card transactions are handled. PCI DSS applies to any entity that stores, processes or transmits cardholder data (merchants as well as service providers), whereas SOC 2 Type II covers a broader range of industries and data types. Finally, PCI DSS validation is performed annually, either by a Qualified Security Assessor (QSA) or via a self-assessment questionnaire depending on the entity's transaction volume, and not by a CPA firm.
SOC 2 Type II and the Health Insurance Portability and Accountability Act (HIPAA) also differ in the kind of data being protected. HIPAA is US law and applies to covered entities (healthcare providers, health plans, clearinghouses) and to their business associates that handle protected health information, while SOC 2 Type II can include healthcare organisations but is not mandatory for them. Also, whereas SOC 2 Type II leaves it to the organisation to decide how the criteria are met, HIPAA sets specific regulatory requirements in its Privacy, Security and Breach Notification Rules that must be satisfied for compliance.
SOC 2 Type II and the General Data Protection Regulation (GDPR) both address data security and privacy, but GDPR is a law, not a voluntary framework. It applies to any organisation, wherever located, that processes the personal data of individuals in the European Union, and it is focused on data protection and the rights of data subjects. This requires controls around transparency of how data is used, the "right to be forgotten", data minimisation and lawful bases such as consent. While SOC 2 Type II is not mandatory, GDPR compliance is, and failure to comply carries legal consequences including fines.
Preparing for SOC 2 Type II Assessment
Preparing for a SOC 2 Type II audit is a team effort and can require quite a few staff hours to get off the ground. Deciding to implement SOC 2 Type II compliance can also require a fair amount of buy-in and support internally to get things underway and incorporate it into processes for the long term.
Steps to Help Prepare for SOC 2 Type II Assessment
- Know the “why” behind your request for SOC 2 compliance. Whether it’s a customer request or other reason, this will help you understand your deadlines for compliance certification, the scope of work involved, and more. This will also help you identify existing policies you have that may help and also provide the auditor with context and scope.
- Gather the right team of individuals within your organisation and onboard them to SOC 2 Type II. Depending on your timeframe, you may need more people to pitch in on certain tasks, evidence gathering and control development. This group may include:
  - Leadership, such as the CEO, CTO, CISO and other C-suite executives
  - DevOps
  - Human resources, as employees may come into scope for audits
  - InfoSec
- Prepare to provide scope. Be ready to answer data-specific questions such as where your service is hosted (public cloud, on-prem), capacity forecasting, office locations (is it a zero-trust environment, or will servers need to be allow-listed?), whether you store sensitive data, and so on.
Working with Third-party Auditors for SOC 2 Type II Compliance
The SOC 2 framework was developed by the American Institute of Certified Public Accountants (AICPA) and an audit must be completed by a CPA firm.
When you’re evaluating a firm to audit you for SOC 2 Type II compliance, consider quality and experience along with cost, and if they’re a good fit to work alongside your team day to day for weeks or months—and become a long-term advisor and partner for your organisation.
Questions to ask: Does the firm have a strong track record of completed SOC 2 audits? Does it have audit experience specific to your industry? Feel free to ask for the results of the firm's most recent AICPA peer review (CPA firms that perform attestation engagements are required to undergo one) and for client referrals.
Also, consider engaging an auditor as early in the process as possible, as they can be valuable in helping you to scope the project and align the right resources internally to meet your deadline (if you have one).
Once you've chosen the auditor, you'll go through:
- A scoping and discovery exercise to set expectations
- A readiness assessment, for a top-down look at gaps, what you'll need to get started, what policies are already in place, etc.
- Check-ins during the observation period, leading up to the final fieldwork
- The examination itself, in which the auditor tests the controls over the observation period and then issues the SOC 2 Type II report
During the audit, you'll be asked to provide the policies, the controls that implement them, and evidence (logs, tickets, access reviews, change records) that each control operated throughout the period.
How to Maintain SOC 2 Type II Certification
It's important to note that SOC 2 Type II compliance is not one and done. It requires diligence and ongoing effort. Maintaining SOC 2 Type II compliance requires continuous monitoring, documentation, incident disclosure and response, employee training and periodic assessments. Because a Type II report covers a fixed observation period, customers generally expect a fresh report every year, so the next audit period effectively begins as the previous one ends. This demonstrates that an organisation has an ongoing commitment to compliance and is making the necessary policy changes and upgrades.
As an ISO 27001-certified organisation, Pure Storage provides a number of products and services designed to give our customers comprehensive monitoring and control over their data. Check out our suite of modern data protection solutions to see how we can help you meet your data security compliance goals.