SOC 2 compliance can be a complicated subject, so we included answers to some common questions that come up once you get into SOC compliance. We cover the basics of SOC 2 reports, the difference between SOC 1 and SOC 2 reports, WebTrust versus SysTrust, and more.
SOC 2 Basics
Q: What is an SOC 2 report?
A: A SOC 2 report is the output of an attestation engagement performed by an independent CPA firm under the AICPA's attestation standards (SSAE No. 18, which superseded SSAE No. 16 in 2017). "SOC" now stands for System and Organization Controls (formerly Service Organization Control). The auditor examines the controls a service organization has in place over the system it uses to deliver its services, measured against the AICPA Trust Services Criteria: security (required in every SOC 2 examination) and, optionally, availability, processing integrity, confidentiality, and privacy. The purpose of the report is to give the service organization's customers, and their auditors, evidence that those controls are suitably designed (Type I) and, for a Type II report, operated effectively over a stated period.
In practice this means the controls should be evaluated and monitored to confirm they are operating as designed to protect the confidentiality, integrity, and availability of data processed or stored on the systems that support the service.
Q: What does an SOC 2 examination entail?
A: A SOC 2 examination typically proceeds as follows:
- scoping: management and the auditor agree the system boundary, the Trust Services categories in scope, the report type (Type I or Type II), and, for a Type II, the review period;
- description and assertion: management writes the system description and a written assertion that the description is fairly presented and that the controls are suitably designed (and, for a Type II, operating effectively);
- fieldwork: the auditor interviews management and control owners, inspects policies, configurations, tickets, logs, and other evidence, observes controls being performed, and, for a Type II, tests samples of each control across the period;
- reporting: the auditor issues an opinion, and the final report lists every control tested and any exceptions found.
Q: Can an individual report be used to meet the SOC 2 requirements related to contracts, acquisitions, or other business arrangements?
A: It depends on what the contract asks for. A SOC 2 report is not a certification and does not by itself satisfy a regulation; it is an auditor's opinion on controls over a defined system and period. Contracts and vendor due diligence questionnaires commonly require a current SOC 2 report (often a Type II, with specified Trust Services categories and a period ending within the last twelve months), and a report that matches those parameters meets that requirement. A report whose scope, period, or categories do not match what the contract specifies does not, whatever its opinion says. Read the contract against the report's scope section before relying on it.
Q: What are the components of the assessment, and what are they used for?
A: A SOC 2 report has four main parts: (1) the independent auditor's opinion; (2) management's written assertion; (3) management's description of the system, its boundaries, commitments, and controls; and (4) for a Type II report, the auditor's tests of controls and their results, including any exceptions. The controls are evaluated against the AICPA Trust Services Criteria (TSC), not against WebTrust principles or any ISO standard. Customers use the description to judge whether the system matches the service they buy, the opinion to see whether the auditor qualified it, and the tests section to see which controls were examined and which failed.
Q: What does it mean to be recognized by an independent third party?
A: It means a CPA firm that is independent of the service organization, and therefore has no stake in the outcome, has examined the system description and controls and issued an opinion on whether the description is fairly presented and the controls meet the Trust Services Criteria. A self-assessment, or a review by a consultant who also helped build the controls, does not qualify.
Q: If you follow WebTrust Principles, is that the same as compliance with SOC 2?
A: No. WebTrust is a separate assurance program run by the AICPA and CPA Canada, today used almost exclusively for Certification Authorities (WebTrust for CAs), with its own principles and criteria. A WebTrust seal is not a SOC 2 report, and a SOC 2 report is not a WebTrust seal. They share ancestry: the original WebTrust and SysTrust principles were merged into the Trust Services Principles that later became the SOC 2 criteria, and both engagements are performed by CPA firms under attestation standards, but they are distinct engagements with distinct deliverables.
Q: How does the AICPA define systems and organization controls?
A: System and Organization Controls (SOC) is the AICPA's suite of reporting frameworks (SOC 1, SOC 2, SOC 3, plus SOC for Cybersecurity and SOC for Supply Chain) under which a CPA firm reports on an organization's controls. For SOC 2 the controls are measured against the Trust Services Criteria, whose Common Criteria (CC1 to CC9) follow the COSO internal control model and expect an entity to:
- maintain a control environment in which the board, management, and employees understand and carry out their control responsibilities (CC1);
- communicate policies, procedures, and security information internally and to customers and vendors (CC2);
- identify and assess risks to its objectives, including fraud and change risks (CC3);
- monitor controls on an ongoing basis and evaluate and communicate deficiencies (CC4);
- select and deploy control activities, including technology general controls, and enforce them through policies and procedures (CC5);
- restrict logical and physical access to systems and data (CC6);
- detect and respond to security events, operate the system, and recover from incidents (CC7);
- manage changes to infrastructure, software, and data through authorized, tested, and approved processes (CC8);
- mitigate risks from business disruption and from vendors and business partners (CC9).
Assigning responsibility for adherence, defining consequences for non-adherence, training and education programs, and corrective action plans for deficiencies found during testing all fall under these criteria; they are the evidence an auditor looks for, not additional requirements.
Q: Is SOC 2 an international standard?
A: No. SOC 2 is a United States framework: the AICPA Trust Services Criteria, examined under the AICPA's attestation standard SSAE No. 18 (there is no "SSAE 231"). ISO/IEC 17021 is not a SOC 2 equivalent; it is the standard that accredits bodies which certify management systems, such as ISO/IEC 27001 certification bodies. The nearest international analogue for the engagement itself is the IAASB's ISAE 3000, and many firms issue SOC 2 reports under both SSAE 18 and ISAE 3000 so that non-US customers can rely on them. The nearest international analogue for the control set is ISO/IEC 27001, which is a certification rather than an attestation report. SOC 2 reports are nonetheless widely accepted outside the US, particularly by customers of SaaS and cloud providers.
Q: Is a data center/data storage provider considered a service organization?
A: Yes. A data center or storage provider that hosts, backs up, or otherwise handles in-scope systems or data is a subservice organization from the perspective of your SOC 2 report. That is true even if its staff never touch your production application database: if they can access backups, storage media, or the hosts the system runs on, their physical and logical access controls are part of how your commitments are met. The report must say how it treats them: the carve-out method excludes the subservice organization's controls and lists the complementary subservice organization controls you rely on (so you should obtain and review its own SOC 2 report), while the inclusive method brings its controls into your examination.
Q: What do you mean by “effective IT security controls?”
A: In SOC 2 terms, effective controls are ones that are suitably designed to meet the relevant Trust Services Criteria and that operate consistently throughout the review period. They span three kinds of safeguard:
- administrative: policies, risk assessments, access reviews, training, vendor management, and incident response procedures;
- technical: authentication and authorization, encryption, logging and monitoring, vulnerability management, and change control;
- physical: controls over access to facilities and equipment that protect assets against unauthorized access, modification, or destruction.
A control that exists on paper but is not performed, or is performed without evidence, is reported as an exception.
Q: Whose information is considered sensitive?
A: SOC 2 does not define a fixed list of sensitive data. What counts as sensitive is set by the service organization's commitments to its customers, by the Trust Services categories in scope (confidentiality covers information the organization has designated confidential; privacy covers personal information), and by the laws that apply to the data. Information commonly treated as sensitive under those laws includes an individual's health care information (HIPAA), and income and asset information held by financial institutions, investment companies, insurance companies, and pension plans, such as credit reports, account statements, brokerage statements, and benefit statements (GLBA), as well as personal data compiled by reputation management firms. The system description should state which data types are in scope and how they are classified.
Q: What is WebTrust?
A: WebTrust is the name of a family of assurance programs run by the AICPA and CPA Canada, in which a licensed CPA firm examines an organization's controls against published WebTrust principles and criteria; if the opinion is unqualified, the organization may display a WebTrust seal. It began in the late 1990s as an e-commerce website assurance seal. Its main use today is WebTrust for Certification Authorities: the CA/Browser Forum Baseline Requirements and the browser root programs require a publicly trusted CA to obtain an annual WebTrust for CAs (or equivalent ETSI) audit covering its key management, certificate issuance, and infrastructure controls. The CA/Browser Forum sets the requirements the audit is performed against; it does not conduct the audits.
Q: Can a lawyer be a processor?
A: "Processor" is a data protection law term (for example under the GDPR), not a SOC 2 term. Whether a law firm or accounting firm is a processor or an independent controller depends on who decides the purposes and means of the processing; professional advisers acting under their own professional duties are often treated as controllers in their own right rather than as processors acting on your instructions. For a SOC 2 examination the question is narrower: if the firm receives in-scope data, it is a vendor of the service organization, and the vendor risk management controls (CC9.2) apply to it regardless of its data protection label.
Certifications, Audits and Contracts
Q: What is an audit report?
A: An audit report is the deliverable issued after the examination. In SOC 2 it contains the auditor's opinion on whether management's description is fairly presented and whether the controls were suitably designed (Type I) and operating effectively over the period (Type II); management's assertion; the system description; and, for a Type II, the controls tested, the tests performed, and the results, including any exceptions. An unqualified opinion means the auditor found the criteria met; a qualified opinion means one or more criteria were not met, and the report explains which. Readers should look at the exceptions and at any complementary user entity controls the report expects them to operate on their own side.
Q: How can I electronically submit my report?
A: You don't. SOC 2 reports are not filed with the AICPA or any regulator; they are issued to the service organization, which distributes them to customers and prospects, normally under a non-disclosure agreement because they describe the system in detail. Distribute them through an access-controlled channel (a trust portal or a customer-facing file share with per-recipient authentication and an access log), not over plain FTP or unauthenticated email, since the report itself is sensitive. If you want something you can publish openly, ask your auditor for a SOC 3 report, the general-use version that contains the opinion and assertion without the detailed system description and test results.
Q: Is there a time frame for initial certification or recertification?
A: A SOC 2 report is an opinion on a period, not a certification, so there is no certification or recertification cycle. A Type I covers a point in time. A Type II covers a review period, usually six to twelve months, and customers expect a new report every year with no gap between periods; a bridge (gap) letter from management covers the months between the period end and the next report. For Certification Authorities, the CA/Browser Forum Baseline Requirements require a WebTrust for CAs audit period of no more than one year, not three.
Q: Should reporting entities take non-control technical safeguards into account when assessing general controls?
A: A technical safeguard counts as a control only when it is part of the documented, operated system: configured according to a policy, owned by someone, monitored, and producing evidence. A tool that is installed but not managed through normal processes (no configuration standard, no review of its alerts, no change control) gives the auditor nothing to test and cannot be relied on to meet a criterion, which is why such "non-control" safeguards are left out of the assessment of general controls. Either bring the safeguard into the control set, with an owner and evidence, or do not count on it in the system description.
Q: How does an SOC 2 Type II report differ from an SOC 1 report?
A: They answer different questions. A SOC 1 report covers controls at a service organization that are relevant to its customers' internal control over financial reporting (for example, a payroll processor or a fund administrator) and is used by the customers' financial statement auditors. A SOC 2 report covers controls over the security, availability, processing integrity, confidentiality, and privacy of the service organization's system and is used by customers and their security and compliance teams. "Type II" is independent of that choice: both SOC 1 and SOC 2 come as Type I (design at a point in time) or Type II (design and operating effectiveness over a period).
A SOC 2 report does not cover business continuity and disaster recovery by default; those controls are tested only when the availability category is in scope. Decide which report you need from who will read it: if a customer's auditors need assurance over financial processing, SOC 1; if customers need assurance over how you protect their data and service, SOC 2; some organizations need both.
Q: What is the difference between an SOC 2 report and an SOC 2 inspection?
A: "SOC 2 inspection" is not an AICPA term. What is usually meant is a readiness (gap) assessment: a consulting-style review, by the audit firm's advisory side or a separate firm, that compares your controls with the Trust Services Criteria before the formal examination so that gaps can be fixed first. It produces findings for you and cannot be shared with customers as assurance. The SOC 2 report is the attestation engagement itself, with an independent auditor's opinion that customers can rely on. Customers also use the report in their own vendor assessments, mapping your controls and the complementary user entity controls to their own obligations.
Q: What is the difference between SOC and SOX?
A: The distinction is simple once the terms are untangled.
SOX is the Sarbanes-Oxley Act of 2002, a US law that requires public companies to maintain and report on internal control over financial reporting (ICFR). SOC is the AICPA's family of reporting frameworks (SOC 1, SOC 2, SOC 3) under which a CPA firm reports on a service organization's controls. SSAE 16 and SSAE 18 are not certifications; they are the AICPA attestation standards the auditor follows, and SSAE 18 superseded SSAE 16 in 2017. ISAE 3402 (for SOC 1-style reports) and ISAE 3000 (for SOC 2-style reports) are the international equivalents from the IAASB.
A SOC report is not a certification. It is an opinion covering a specific system and period, which is why it has to be renewed and why its scope can change as your business or industry changes. Consult your CPA on which report and which categories your customers need.
The link between the two is SOC 1: a public company subject to SOX that outsources a financially relevant process (payroll, billing, custody) obtains a SOC 1 report from the provider to support its own ICFR assessment. SOX is a law; SOC is an audit report. Having a SOC 1 report helps your customers comply with SOX, and having a SOC 2 report helps them meet their security due diligence obligations.
Q: What is the difference between WebTrust and SysTrust?
A: Neither is SOC 1 or SOC 2, and neither is ISO 27001. WebTrust and SysTrust were both assurance services created by the AICPA and the CICA (now CPA Canada) in the late 1990s. WebTrust examined e-commerce websites against principles covering business practices, transaction integrity, and information protection, and awarded a seal. SysTrust examined the reliability of an information system against principles of security, availability, processing integrity, and, later, confidentiality. Those principles were unified into the Trust Services Principles and Criteria, which became the basis of SOC 2 and SOC 3 reports; the SysTrust brand was effectively retired by SOC 2, while WebTrust survives mainly as WebTrust for Certification Authorities. SOC 1 is the separate ICFR-focused report, performed today under SSAE 18 (earlier SSAE 16), and ISO/IEC 27001 is an ISO standard for an information security management system, audited by accredited certification bodies rather than by CPAs under attestation standards.
Q: What is the requirement difference between WebTrust and SysTrust?
A: WebTrust, in its current form, is a seal program for Certification Authorities: a licensed CPA firm examines the CA against the WebTrust Principles and Criteria for CAs (and, for publicly trusted CAs, against the CA/Browser Forum Baseline Requirements and related criteria), and the CA may then display the seal. The criteria describe control objectives, such as protection of CA private keys and validation of certificate requests, not particular products, so a CA can meet them with any combination of technology and procedure that provides the required controls and evidence.
Organizations undergoing a WebTrust audit must document the specific technical controls, policies, and procedures for their CA systems and provide evidence that they operated throughout the audit period. SysTrust, by contrast, was the AICPA/CICA program for the reliability of general information systems; it used the same style of principles and criteria rather than a product checklist, and its content now lives on in the SOC 2 Trust Services Criteria. It was never a product of the Electronic Frontier Foundation. Under either program the organization receives an auditor's opinion on whether its controls met the criteria, not a pass or fail verdict on a product.
Q: What’s the difference between SOC 2 and an ISO 27001 Certification?
A: SOC 2 is not a certification; it is an attestation report in which a CPA firm gives an opinion on whether your controls meet the Trust Services Criteria for a defined system and period. ISO/IEC 27001 is a certification: an accredited certification body (accredited under ISO/IEC 17021, which is where that standard actually belongs) audits your information security management system (ISMS) against the standard and, if you pass, issues a certificate valid for three years, with annual surveillance audits and a recertification audit at the end of the cycle. The control content overlaps heavily, since ISO 27001's Annex A controls map to most of the SOC 2 Common Criteria, so an organization that has built one can usually obtain the other with incremental work. There is no guarantee that controls sufficient for one automatically satisfy the other, and the two have not been harmonized into a single international consensus standard.
Which to pursue is mostly a question of who will ask for it. North American customers, especially of SaaS and cloud providers, typically expect a SOC 2 Type II report; customers in Europe and Asia, and regulated procurement generally, typically expect ISO 27001 certification. Cost depends on the scope of the system and the maturity of your controls far more than on the framework, and ISO 27001 adds an ongoing surveillance cycle, so it is not a cheaper shortcut for a small startup. Many organizations do both, running a single control set mapped to both frameworks.
Q: What’s the difference between an SOC 2 report and a HIPAA report?
A: There are three main differences between SOC 2 and HIPAA.
- Nature. SOC 2 is a voluntary attestation framework from the AICPA, with a defined report produced by an independent CPA. HIPAA is a US law (with its Privacy, Security, and Breach Notification Rules) that applies to covered entities and their business associates; there is no standard "HIPAA report" issued by an auditor. Compliance is demonstrated by the organization's own documentation, starting with the risk analysis the Security Rule requires, and is enforced by the HHS Office for Civil Rights through complaint investigations, compliance audits, and breach investigations.
- Scope and level of detail. A SOC 2 report covers the controls over a defined system against the Trust Services categories in scope; its description and test results are written at the control level and do not name affected individuals or narrate individual incidents beyond what appears as an exception. HIPAA obligations attach to protected health information (PHI) wherever it is handled, and a breach notification under HIPAA is incident-specific: it describes what happened, what PHI was involved, and what affected individuals should do.
- Physical and administrative safeguards. Both cover them. HIPAA's Security Rule explicitly requires administrative, physical, and technical safeguards for electronic PHI; SOC 2 covers physical access under the Common Criteria (CC6.4) and administrative controls throughout. A SOC 2 report can be extended with a HIPAA mapping ("SOC 2 plus HIPAA") so that one examination provides evidence for both, which is common for healthcare SaaS vendors.
Q: When would I have to file a HIPAA vs SOC 2 report?
A: SOC 2 reports are voluntary and are obtained when customers or prospects require them; the service organization engages the auditor, pays for the examination, receives the report, and distributes it. A customer does not produce a SOC 2 report on a vendor; the customer obtains the vendor's report and reviews it. Most service organizations obtain a fresh Type II report every year. HIPAA has no equivalent periodic report. What it does require, under the Breach Notification Rule, is that a covered entity notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI; notify HHS within the same 60 days for breaches affecting 500 or more individuals, or in an annual log for smaller breaches; and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. Business associates must notify the covered entity within the same 60-day limit. Outside of a breach, HIPAA compliance work is continuous (risk analysis, policies, training, access controls) and is not filed anywhere unless OCR requests it.