Viridis Security

SOC 2 Defined

The American Institute of Certified Public Accountants (AICPA) developed SOC 2 around five Trust Services Criteria. The framework specifies how organizations should protect customer data. Cybersecurity compliance checks for vendors should be a standard part of every security program. SOC 2 gives service vendors (SaaS providers) a way to certify that they meet the requirements for a core set of controls.


What Does SOC 2 Stand for?

SOC 2 stands for Systems and Organization Controls 2 and was created by the AICPA in 2010. SOC 2 is a guide for auditors so they can evaluate the effectiveness of an organization’s security activities.

What are the SOC 2 Compliance Areas?

SOC 2 defines requirements to manage and store customer data based on five Trust Services Criteria (TSC):

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Security is the only area required for an audit; however, at Viridis Security we believe all the control areas are intertwined and crucial to protecting customer data and creating a culture of security. We generally recommend that companies include all five areas.

What is a SOC 2 Audit?

Some security frameworks (ISO 27001 and PCI DSS) have rigid requirements, but not so with SOC 2.

Every company uniquely defines how its controls work and how they are assessed. Auditors check that the controls are adequate and that the company is following its own rules around compliance. Having vCISO support to evaluate control options in terms of cost, scope, time-to-value and ongoing support is especially helpful during this process.

Auditors provide a report at the end of the assessment regardless of their findings. Overall, the audit opinion is one of:

  • Unqualified: The company passed its audit.
  • Qualified: The company passed, but some areas require attention.
  • Adverse: The company failed its audit.
  • Disclaimer of Opinion: The auditor needs more information to make a fair conclusion.

What’s the Difference? SOC 2 Type I vs Type II

When it comes to checking controls, you can choose the type of audit you want:

  • SOC 2 Type I – a single point-in-time review of controls. It answers the question: has the company appropriately designed its controls?
  • SOC 2 Type II – a review of how controls function over time, generally 3-12 months. It answers the question: do the security controls a company has in place function as intended?

Viridis Security recommends going straight for the SOC 2 Type II report. If you are gathering evidence for a Type I audit, you’ll be looking at the same controls anyway. Why not take a little extra time to review the controls and create or update the processes and procedures behind them? Document the controls and set them up for maintenance over time, and you’ll be ready for your Type II without spending the money for an additional audit.

If you need a SOC 2 report fast, choose a shorter 3-month review period.

Who Needs a SOC 2 Report?

If you’re a service organization (SaaS provider) that stores, processes, or transmits any kind of customer data, you’ll want to be SOC 2 compliant. Obtaining certification has a number of benefits:

  • Unlock upmarket opportunities
  • Reduce friction during the sales cycle
  • Spend less time proving security
  • Increase customer trust

Viridis Services Can Get You There!

At Viridis, we combine our risk and compliance expertise with industry-leading automation tools to help you navigate the road to compliance. Check out this example case study and then contact us to see how we can help you obtain the certifications you need.