What Is SOC 2 Compliance & Certification?

Robert MacDonald

SOC 2 compliance should be at the top of the list for all technology services, software-as-a-service organizations, and service providers managing or storing customer data in the cloud.

What is SOC 2? SOC 2 is a compliance standard that outlines how organizations must handle customer data. The outline is based on the five trust services criteria developed by the American Institute of CPAs.

What Is SOC 2 and How Does It Apply to Enterprises?

Service organization control reports are specialized, non-mandatory audits that organizations undergo to demonstrate basic capabilities in areas like finance and cybersecurity.

Conceived of and maintained by the American Institute of Certified Professional Accountants, SOC standards provide private businesses with a framework to assess their operational capabilities, demonstrate security and privacy controls around sensitive data, and provide clients with assurance that the organization has critical procedures and policies for that data. SOC 2 audits are provided by CPAs authorized by the AICPA to conduct such audits, and the report will contain several elements, most notably an overall opinion letter from the auditor.

There are three different types of SOC reports:

  • SOC 1: These reports describe the results of audits of an organization’s financial reporting controls. Financial data is often subject to different requirements concerning transparency, security, and accountability, and SOC 1 describes the company’s ability to meet those requirements.
  • SOC 2: These reports, by far the most common, cover the security and processing capabilities of an organization’s operations. This compliance framework helps a company show that protecting data is a top priority. 
  • SOC 3: SOC 3 reports are truncated versions of their SOC 2 counterparts. SOC 2 reports contain several in-depth sections covering the results of an audit and the controls implemented by the organization and often remain private except for contractual reasons. SOC 3, however, can provide a public-facing report to help these organizations advertise their compliance. 

Types and Benefits of SOC 2

SOC 2 is a solid and recognizable way to signal to potential clients and partners that your organization takes privacy, security and stability seriously–at least enough to undergo rigorous annual audits to ensure that you address those concerns. 

SOC 2 reports are additionally broken down into two different types:

  • SOC 2 Type I: A Type I report provides an audit of the organization’s capabilities at a specific point in time.
  • SOC 2 Type II: A Type II report provides the same audit, only extended to ascertain the organization’s continued adherence to SOC 2 standards over time—usually six months.

An additional and relatively newer SOC audit called SOC for Cybersecurity covers an organization’s cybersecurity risk management capabilities and controls. 

What Are the Five Trust Services Criteria of SOC 2?

The foundation of SOC 2 audits is the five trust services criteria. These criteria represent five different categories by which organizations are audited. When a CPA audits a business, they do so by following the criteria of the services categories listed here.

Accordingly, no business is required to undergo the entire slate of criteria; they only need to select ones based on their needs and the data they handle. The exception to this rule is that all organizations committing to a SOC 2 audit must include security as one of their criteria, making the SOC 2 security audit the most widespread. 

The five trust services criteria are as follows:

  1. Security: The common criteria, security covers how the organization protects information. This criterion includes controls like firewalls, secure authentication and authorization controls, and anti-malware tools.
  2. Availability: This criterion covers how readily an organization can access and use data. While not quite intuitive for an audit, it’s critical for a business to maintain a suitable network and IT infrastructure to ensure that the data they collect and use is, in fact, usable.

     This criterion can include ascertaining if data is siloed in different systems or if internal network connections underperform. Finally, functions like disaster recovery and performance monitoring fall under this category.

  3. Processing Integrity: This category focuses on the ability of policies, procedures, and systems to ensure that data is processed correctly, predictably, and error-free. The general idea is that a system should be able to take information and provide reliable results as expected by design and do so without corrupting or deleting that data during the process.
  4. Confidentiality: Confidentiality refers to protecting data marked as “confidential” as part of a business or financial agreement. This includes specific access and authorization controls around confidential data. Identity and access management and encryption are standard controls in this category.
  5. Privacy: Privacy is much like confidentiality but refers explicitly to protecting personally identifiable information. This criterion can also include encryption and IAM, in addition to nontechnical items like privacy policies and consent management tools.

Some controls may span multiple categories. For example, data encryption is a security control that also refers to the processing and transmission of confidential information and PII. The critical thing to remember

What Are the Common Controls for SOC 2?

To help organizations prepare for and manage SOC 2 compliance, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a common framework. COSO is a consortium of private sector organizations that provide leadership and frameworks for security and privacy controls in the financial and corporate sectors.

The framework includes a few categories of common internal controls:

  • Control Environment: The control environment addresses the delimited control system around security and compliance infrastructure. Any processes, positions, delineation of duties, and management roles all play a part in this controlled environment. 
  • Risk Assessment: Many compliance frameworks and regulations turn to risk as a guideline for more extensive cybersecurity decision-making. Implementing risk management strategies will help you take a broad view of your organization. 
  • Control Activities: Internal policies and procedures, risk minimization protocols, security management plans, project life cycle documents, or data governance approaches all fall under control activities that should be assessed prior to an audit. 
  • Information and Communication: This refers to the clear, reliable, and regular communication of data, policies, expectations, and organizational goals. Clear and regular communication is the cornerstone of successful compliance. 
  • Monitoring: No system stays compliant forever—that’s why most SOC 2 audits cover six months and occur annually. Continuous monitoring can help you understand the state of controls and procedures, evaluate threats and challenges, and make changes or optimizations. 

Secure and Protect Data for SOC 2 with 1Kosmos

Regardless of what type of audit you undertake, SOC 2 will require some minimum controls, namely two-factor or multi-factor authentication. However, the more sensitive your data and the more reliant you are on security to protect that data, the more likely you’ll want to go above and beyond simple MFA implementations.

Enter 1Kosmos BlockID. With BlockID, you get the right combination of advanced authentication and biometrics (including IAL-compliant identity proofing and liveness testing), decentralized identity storage, and passwordless access. 

1Kosmos features include the following:

  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user. 

To learn more about 1Kosmos as an identity and authentication solution that can support your SOC 2 efforts, sign up for a free 1Kosmos trial. Also, make sure to sign up for our newsletter to stay ahead of news about products and services. 

Meet the Author

Robert MacDonald

Vice President of Product Marketing

Robert is the Vice President of Product Marketing at 1Kosmos. He is a highly influential senior global marketer with more than 15 years of marketing experience in B2B and B2C software in the biometric authentication space. Prior to 1Kosmos, Rob managed product strategy and vision for the Identity and Access Management portfolio at Micro Focus, leading a team of product marketers to drive sales and support the channel. Earlier in his career he set the foundation for content planning, sales enablement and GTM activities for ForgeRock. He has also held senior marketing positions at Entrust, Dell, Quest and Corel Corporation.