
Ops 401 Class 01

Bill Kachersky edited this page Oct 5, 2021 · 2 revisions

A SOC 2 Overview

SOC 2 isn’t a set of hard and fast rules. Rather, it is a framework that sends a strong signal that an organization prioritizes key attributes: security, availability, processing integrity, confidentiality, and privacy.

Completing a SOC 2 audit on its own is generally not enough to prove that you are 100% secure as an organization (SOC 2 is an attestation report, not a certification), but it’s a very good start and will go a long way toward instilling trust in your customers.


SOC 2 Trust Principles

SOC 2 audits are organized around five “Trust Principles” (the AICPA’s formal name is the Trust Services Criteria). When you are audited, you will choose which principles you want the auditor to attest to. This is a business decision based on what is most important to your customers.

The Trust Principles are:

  • Security - The foundational principle, required in every SOC 2 audit.

  • Confidentiality - Protection from unauthorized disclosure of sensitive data.

  • Availability - Assurance that systems or data will be available as agreed or required.

  • Processing Integrity - Assurance that systems or data are not changed in an unauthorized manner and that processing is complete and accurate.

  • Privacy - The collection, use, retention, disclosure, and disposal of personal information is protected.


All SOC 2 audits include the “Common Criteria”, which is the Security principle. This is the biggest section of the audit and touches on every aspect of information security controls. Companies can start with a Common Criteria audit if they’re looking to keep the scope small. Common Criteria includes aspects of all of the principles noted above.

In addition to Common Criteria, mature SaaS companies tend to add on Confidentiality and Availability. The Processing Integrity principle is typically chosen by companies processing a lot of transactions, as well as financial institutions. Privacy is seldom included as part of a SOC 2 audit. While it has value, most organizations tend to focus their privacy efforts on compliance with HIPAA or EU regulations (like GDPR). European companies generally want audits against their own standards rather than SOC 2, and those standards tend to have more stringent privacy requirements. If you need to uphold GDPR, for example, then you’ll be focusing on privacy when you go through that process.


SOC 2 Common Criteria



The SOC 2 Audit Process

The SOC 2 reporting standard is defined by the AICPA, and every SOC 2 report is signed by a licensed CPA firm. To achieve SOC 2 compliance, most companies spend anywhere from six months to a year on focused preparation. This includes identifying which systems are in scope for the audit, developing policies and procedures, and implementing new security controls to reduce risks.


SOC 2 Type I vs Type II Explained

SOC 2 Type I

An audit conducted against the Trust Services Criteria at a single point in time. This audit answers: Are the controls in place today suitably designed?

SOC 2 Type II

An audit conducted against the Trust Services Criteria over a period of time. This period typically covers six months the first time, and then a year thereafter. In other words, this audit answers: Did the controls that were in place from January 1 through June 30 operate effectively throughout that window? This means you’ll need a system of record: evidence (tickets, logs, access reviews, change approvals) that shows each control actually ran during the period, not just that it exists.

Type I reports are, as you might imagine, quicker to prepare for and conduct because you don’t have to wait for six months of historical data. However, while Type II reports take more time, they are also that much more valuable in the hands of customers, prospects, board members, partners, insurance companies, and so on. They report on what you’re actually doing, rather than what you aspire to do. Because of this added value, my general recommendation is to get started early and work directly toward the Type II report. This approach emphasizes immediate action taken toward improving your security, and because Type II also covers Type I, there are financial savings in the long term if you start with Type II from day one.


Four Good Reasons to Pursue SOC 2 Compliance

  1. It Improves Security

  2. It Bolsters Company Culture

  3. It Provides Documentation

  4. It Helps with Risk Management


When to Consider SOC 2 Compliance

It’s a good idea to consider becoming SOC 2 compliant early in your company’s journey if you know you are going to be selling technological services to enterprises and will be storing and/or accessing sensitive customer data of any sort.

All content shared above is directly cited from Blissfully.


This article is relevant to our course content in this class because it points directly to cybersecurity engineering processes, their structure, their format, considerations, and implementation. I personally find this content to be extremely valuable in developing my Results Competency awareness.
