SOC 2 Type 2 for Service Organizations: Fairness and Trust

Learn why Top Industry Analysts consistently name Okta and Auth0 as the Identity Leader

Okta

Updated: 04/21/2022 - 12:35

Time to read: 3 minutes

During a SOC 2 compliance audit, your company demonstrates the ability to manage data securely. In other words, you will prove to an auditor that you have the right systems and safeguards in place, and you'll have certification you can show to current and future clients.

SOC 2 compliance is considered critical for SaaS (software as a service) providers. Companies like this handle a great deal of client data, and most can change the information they touch. SOC 2 compliance proves customers can trust you.

What is SOC 2?

The SOC in SOC 2 stands for "system and organization controls." If the term seems confusing, substitute the word "standards" for controls. In a SOC 2 audit, an independent company ensures you're following recognized standards to protect data and information.

When your potential clients shop for SaaS vendor partners, they assess risk. How likely is it that you'll cause a data-based problem? A SOC 2 audit helps you ease those concerns.

Two types of SOC 2 reports exist:

Type 1: You describe how your systems are designed. An auditor either agrees or disagrees with your description. Your auditor looks at just one point in time.
Type 2: You describe how your systems are designed. An auditor determines how well they work over a specified period lasting six months or longer. Your clients get more detailed assurances with this report.

These reports are typically conducted annually. The report framework was developed by the AICPA, which says the report audience includes a broad range of people. In essence, anyone who needs detailed information about your security controls could need your SOC 2 reports.

5 SOC 2 certification factors

Auditors don't look over anything they want to during a SOC 2 audit. Instead, they work off a recognized checklist.

Your auditors will examine these aspects of your business:

Availability: How often are your servers online for your customers? How do you recover from a disaster? How quickly do you detect an incident?
Confidentiality: How do you protect data? What protocols do you use concerning encryption and authentication?
Privacy: How do you ensure the right people can see data? Do you use encryption or two-factor authentication?
Processing: How do you perform quality assurance? How often do you monitor your functions?
Security: What do you do to keep data safe?

Some tools, including firewalls and two-factor authentication, play multiple roles here. Strong solutions could help you check off multiple items from this checklist.

Every company has a unique report, as your controls may differ from those a neighbor uses. But auditors tend to look for the same types of things as they work.

Other SOC reports to know about

A SOC 2, Type 2 report is considered the gold standard for SaaS companies. Move through this process, and you have strong proof that you protect client data. But other SOC reports do exist.

SOC 1 reports detail financial information. If you handle anything involving money, and you can alter that data, an SOC 1 report could be useful.

SOC 3 reports are simplified versions of SOC 2 reports. They have a smaller data burden, and they tend to be shorter and easier to complete. If you work in a less stringent regulatory environment, these could be right for you.

SOC 2: SOC for Service Organizations. Trust Services Criteria. AICPA.