SOC 2 Type 2 Certification: Understanding the Process
The SOC 2 type 2 certification is an important step in securing your organization and demonstrating your controls to partners and customers.
What is SOC 2 Type 2 Certification, and Why Is It Important?
Whether your company is a service provider that handles customer data, or you’re looking to engage a third-party company to manage data in some form for your organization, you’ve probably heard about SOC. This stands for System and Organization Controls — a series of standards that determine how well a company manages and protects its information. There are two levels of certification: SOC 2 type 1 and SOC 2 type 2. Here, we’ll provide an overview of the two types, why they’re important, and what the process looks like for companies considering becoming SOC-certified.
This type of testing has been around for some time; previous versions include SAS 70 (Statement on Auditing Standards No. 70), which was retired in 2011 in favor of a newer framework. At the same time that SAS 70 was retired and its replacement was introduced, the American Institute of Certified Public Accountants (AICPA) launched the SOC framework to give companies options depending on what they were looking to achieve and what their needs were.
For example, many companies seeking funding from investors must provide a SOC 2 type 2 certification, which demonstrates their organizational maturity, their ability to handle risk, and what their financial and technology controls are. Other highly common reasons to obtain a SOC 2 type 2 certification include doing business with larger clients (who will want to see how well the company will manage their data) and giving leaders greater control, oversight, and efficiency within their technology environments.
A particularly timely reason to get a SOC certification is compliance. As you likely well know, governments and other regulatory bodies at both the state and national level are scrutinizing how companies handle data. Regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York Privacy Act (NYPA) are prime examples, and with a SOC 2 type 2 certification, companies subject to those regulations can better prepare for them and demonstrate their compliance and controls.
How the SOC 2 Type 2 Certification Process Works
SOC 2 Type 1: The Preparedness Test
Before we can dig into how the process works for SOC 2 type 2 certification, it’s important to understand SOC 2 type 1. For this first level of certification, the company should first work with a professional cybersecurity services provider like Inversion6 to develop and implement any security-related policies, documentation, and procedures. Once these systems, controls, and processes are in place, the documentation is sent to an auditor — typically from a CPA firm — for review. Note that the company that prepares the controls should not be the one that performs the audit, even if it offers both services.
The auditor will review the company’s existing policies, risk assessment documentation, governance and risk control information, data encryption practices, the controls the company has in place for various privileges, and a great deal more. If the company passes, the auditor will provide an attestation letter stating completion of SOC 2 type 1. Note that it’s rare to obtain this level of certification and not pursue SOC 2 type 2. Type 1 confirms that a company has the controls in place, but it is not proof that those controls work over time. That’s where SOC 2 type 2 certification comes in.
SOC 2 Type 2: The Endurance Test
Once the company has completed the SOC 2 type 1 audit, the auditing firm will leave and allow the company to operate using its controls for six months (or more). During this time, the company must gather hard evidence that its systems work as intended and that its policies are being followed precisely. When the review period is complete, the auditor will return and conduct another review of the program. The auditor will evaluate the evidence gathered during the review period, and if the company has proven its controls and processes effective, it will be awarded a SOC 2 type 2 certification.
It’s important to understand that not every SOC certification process will follow what we’ve described here to the letter. Often, it can take a fair amount of time to gather the documentation needed for the type 1 certification. The list is quite extensive, but your cybersecurity partner will work closely with you throughout the first phase to build out anything that is needed for the following phase. Companies considering a SOC certification should plan for a minimum of eight months, with a full year being preferable so the company has ample time to prepare and prove its controls.
SOC Certification Is Not the End
SOC Reporting is an Ongoing Effort — and Responsibility
While it can be exhausting to obtain a SOC certification the first time, the reality is that companies will likely have to undergo this process annually to demonstrate the effectiveness of their controls from year to year. SOC reports (both type 1 and type 2) do not technically expire. However, they establish “coverage” periods for different types of controls. SOC certifications typically cover a period of 12 months, but if a company’s controls and systems have been in place for a shorter amount of time, a shorter coverage period may be issued. This reflects the fact that the controls are young and should be recertified later.
It’s also important to note that if you’re using a SOC report that’s more than a year old, it might not carry the same weight with the company that’s requesting it. For example, if you’re looking to obtain funding and you provide the investor with a SOC certification from a year or more earlier, that investor might not accept it. Conducting annual SOC reporting and evaluation ensures that your controls are sound and have been reviewed recently by an authorized party.
Additionally, obtaining this certification sets the stage for other compliance and certification needs, such as maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) for medical organizations and the companies working with them, or ISO/IEC 27001, an information security standard.
Get Expert Support for Your Security Goals
Inversion6 has been assisting companies with their information security challenges and goals since 1985. Our chief information security officers (CISOs) are experts in working with your organization at all levels, not only to plan for important certifications such as SOC, but also to manage risk, identify vulnerabilities, create a cybersecurity strategy, and communicate it throughout the company. And with 24/7/365 managed security services, we can ensure your technology environment remains secure at all times.