SOC 2 Certification

Empower Your Sales with the SOC 2 Certification

What is SOC 2? 

SOC 2 (System and Organization Controls 2) is a type of audit report that attests to the trustworthiness of services provided by a service organization. It is commonly used to assess the risks associated with outsourced software solutions that store customer data online.

SOC 2 reports are the result of an official SOC 2 audit. These reports attest that a service organization’s solution (such as the service from a SaaS company) has been audited by a Certified Public Accountant (CPA), using standards laid down by the AICPA, with regard to one or more specific attributes: Security, Availability, Processing Integrity, Confidentiality and/or Privacy.

truvantis-soc-service-organization-logo

Why Soc 2? It’s the Report Your Customers Want to See

SOC 2 is a valuable tool for selling your SaaS solution to enterprise customers. 

Providing a SOC 2 report streamlines your sales process. Without a SOC 2 report, each one of your customers (or potential customers) may have to commission their own audit of your service before they can buy it, and then repeat that audit annually. That’s not only a big commitment to make before a purchase, it's also a huge burden for the service provider to support audit after audit, indefinitely.

With a SOC 2 report in hand, you’re removing that security compliance hurdle for anyone considering your service.  

Understanding the SOC 2 Certification Process

The Five Trust Services Principles of SOC 2

A SOC 2 audit can only be performed by a CPA. At their core, these audits gauge how the service delivery of a system fulfills the selected trust principles of SOC 2. 

Availability

The process, product, or service must remain available per the agreement between user and provider. Both parties either explicitly or implicitly agree on the appropriate level of availability of the service. A system need not be evaluated for efficiency or accessibility to meet the trust principle of availability. To audit availability, an auditor must consider the reliability and quality of the network, response to security incidents and site failover.

Confidentiality

If access to the data is limited to certain individuals or organizations, it must be treated as confidential. Data protected by the principle of confidentiality could include anything the user submits for the eyes of company employees only, including but not limited to business plans, internal price lists, intellectual property and other forms of financial information. An auditor will take into account data encryption, network firewalls, software firewalls and access controls.

Integrity of Storage

This principle is concerned with the delivery of the right data at the right time and at the right price— in other words, whether or not the platform performs as expected. Data processing must be complete, licensed, reliable and timely. 

IMPORTANT: Integrity of storage does not imply the integrity of the information. Information may contain errors before it is entered into the system, which the storage entity is not responsible to identify. An auditor must look at data processing management and quality assurance practices to ensure the reliability of the data.

Privacy

The principle of privacy applies to the collection, disclosure, disposal, storage and use of personal information with regard to the generally accepted principles of privacy (GAPP) as established by the AICPA. It applies to Personal Identifiable Information (PII), information that can be used to differentiate persons, including but not limited to names, addresses, phone numbers and social security numbers. Other data, including race, gender, medical profiles, and religion are also covered by GAPP. An auditor must verify controls in place to prevent the dissemination of PII.

Security

System resources must be defended against outside access to comply with the principle of security. Access controls must adequately resist attempts at intrusion, device manipulation, unauthorized deletion, data misuse, or improper modification and release. An auditor looks at IT security tools like WAF (web application firewalls), encryption and intrusion detection in addition to administrative controls such as background checks and authorizations.

The Process of Getting SOC 2 Certified

1
Decide which trust principles you are going to have audited. The security principle is the baseline, but the audit can additionally include the principles of availability, processing integrity, confidentiality and privacy.
truvantis-soc-2-process-decision
truvantis-soc-2-process-definition
2

Define the controls that will embody the selected trust principles in your environment. You may do this with help from a third party like Truvantis, or internally. You should also have them agreed to in principle by your intended auditor.

3
Self-assess your security processes and controls against your chosen trust principles, or obtain the assistance of cybersecurity professionals who can help you to be sure you’re ready for a formal audit.

 

truvantis-soc-2-process-self-assess
truvantis-soc-2-process-formal-audit
4

Undergo a formal SOC 2 audit from a certified CPA which can typically last several weeks. The process can include employee interviews, paperwork, screenshots, logs, providing additional documentation and a significant commitment of time. A third party partner, like Truvantis, can manage the process on your behalf and help to ensure it’s as quick and painless as possible.

5

Receive a SOC 2 attestation report explaining how well your security controls fulfilled the security standards and trust principles of SOC 2.

truvantis-soc-2-process-attestation

Which SOC 2 Report Type is Right for You?

There are two main types of SOC 2 reports that companies use regularly. While they both cover the same principles and points, they vary greatly in depth and breadth. 

  • SOC 2 Type I: A snapshot assessment of the vendor's controls at a specific point in time and an evaluation of how suitabile they are to meet the SOC 2 trust principles going forward. As this quicker, less in-depth report doesn’t monitor the long term success of a system, it’s not as trusted or relied upon as Type II. 
  • SOC 2 Type II: A more comprehensive and in-depth analysis of your security systems and rules evaluated over a period of time (typically a year). This is the preferred report and certification of prospects. In many cases, it may be the type specifically required. 

How Truvantis Can Help

Focus on what you do best, let us focus on what we do best.

The Truvantis team can help you to prepare for a SOC 2 audit, build the necessary controls, advise on the right report type for your goals and work with your auditor to complete the audit process. Our experts have built and operated many SOC2 security programs, guiding those companies through their first and repeat audits. 

We’re here to help you understand the process and build what you need, in addition to negotiating with your SOC 2 auditor and keeping them on track. That way, your internal team can keep doing what they’re good at, while your SOC 2 certification is in the reliable hands of cybersecurity experts. 

When you’re ready to build trust in your solution, we’re here to help.

Talk to Truvantis about an SOC 2 Audit Today.