At work (and in our private lives), we use a bunch of SaaS products. Think Google Workspace, LinkedIn, Zoom, Slack, Salesforce, HubSpot, Netflix, Zendesk, Adobe Creative Cloud, Cisco, GitHub (to name just the biggest ones).
While interacting with those apps, we entrust SaaS companies with our personal data, including sensitive information. When doing so, we trust that our information will be used in good faith, handled carefully and that it will not be shared or sold.
To guard themselves against data breaches (and massive fines that go along with breaches) and reputation damage, SaaS companies need to implement a set of measures to show that they have established information security controls, procedures and policies. That’s where SOC2 compliance certification comes in.
What is SOC 2 compliance?
SOC 2 was developed by the AICPA (American Institute of Certified Public Accountants) and it sets out how companies that store customer information in the cloud must manage and protect that data.
SOC 2 compliance therefore applies to SaaS providers, as well as to any business that uses the cloud to store customer data.
The SOC 2 compliance framework centers around 5 requirements, known as Trust Service Criteria (TSCs):
- Security – The systems and information are protected against any damage, unauthorized access and unauthorized sharing/disclosure of information.
- Availability – The systems and data are available for use.
- Integrity – The data is processed completely and in an accurate way.
- Privacy – Any personal information is collected, utilized, kept, disclosed and removed accordingly.
- Confidentiality – All information classified as confidential is protected accordingly.
To get SOC 2-certified, companies need to design a compliant security program and pass an audit by a licensed certified public accountant (CPA) accredited by the AICPA. The auditor’s job is to assess the extent to which a company’s cybersecurity policies and procedures are in line with the SOC 2 standard and then provide a report with the findings.
To obtain the SOC 2 attestation, a company must meet the requirements of the criteria in scope; however, only the Security criterion is mandatory. The same applies to the company’s subsidiaries, segments, third-party vendors and software partners (e.g. software resellers, hosted data centers) that manage, process or store customer data.
Despite being voluntary, the SOC 2 attestation can be used to gain advantage in the sales process, especially when working with enterprise-level companies, which often refuse to do business with cloud companies that do not possess the SOC 2 certificate.
Types of SOC 2 compliance
There are two distinct types of SOC 2 reports:
- SOC 2 Type 1
  - Evaluates a company’s cybersecurity program at a certain point in time
  - Looks at and assesses how the program is designed
  - Does not require evidence
- SOC 2 Type 2
  - Evaluates a company’s cybersecurity program over a period of time (6-12 months)
  - Looks at and assesses how the program is executed
  - Requires evidence
With Type 1, a company can demonstrate adherence to best practices at a point in time and then stop upholding the controls. That’s why Type 2 is generally considered to be more comprehensive and relevant.
What are the benefits of getting the SOC 2 certification?
Here are some of the top advantages to companies that obtain a SOC 2 compliance certification:
1. Better information security practices – Once established, the SOC 2 requirements help companies streamline their information security standards, improve cyber attack readiness and prevent data breaches.
2. Competitive advantage – As we mentioned before, customers nowadays prefer to partner with cloud/SaaS providers that have rock-solid information security controls and who can prove that the sensitive, protected or personally identifiable information is handled responsibly.
3. Data breach cost – Both the service provider and the customer company will reduce costs that go with data breaches, including disaster recovery, technical and legal investigations, damage to reputation or even loss of business for smaller companies.
4. Better monitoring – A vendor with SOC 2 compliance certification proves that they have excellent oversight across the organization and systems. This also means that the app itself is continuously monitored for unusual activity, configuration changes, user access etc.
5. Improved compliance with other industry standards and laws – Both the organization and the product will need to meet various other compliance standards that are country-, state- and industry-specific. Some examples are HIPAA (relevant to healthcare organizations and third-party service providers in the healthcare and pharmaceutical industries), FINRA/SEC (financial services industry), the GDPR, ISO 27001 and PCI DSS. While having the SOC 2 compliance certification won’t automatically mean that you meet all the requirements of other laws, it’s a great first step that demonstrates that you take information privacy and security seriously.
6. Trust – Finally, when you can demonstrate that you have all the tools, programs and controls to anticipate threats, and prevent data from being compromised or shared without proper authorization, you’ll win the trust of your customers, get better reviews and expand your operations more easily.
7. Learn from the past and act for the future – Once you pass a SOC 2 audit and obtain the certification, you’ll have a much better idea of where you stand risk and compliance-wise. Your compliance, legal and IT teams will get actionable information about potential risks, the needed governance policies to mitigate them and be able to act proactively in the future.
What is the difference between SOC 2 and ISO 27001?
While SOC 2 and ISO 27001 are very similar frameworks and both reputable certifications, there are a few notable differences between them.
For ISO 27001, you’ll need to develop and maintain an information security management system (ISMS) to manage your data protection efforts. This is accomplished through risk assessment, the implementation of security controls and their continual review and optimization. The audit is conducted by an ISO 27001-accredited body.
For SOC 2, you’ll need to establish security controls to get certified, while implementing internal controls for the remaining four principles (availability, integrity of processing, confidentiality and privacy) is optional. The audit is conducted by a licensed certified public accountant (CPA).
If you’re working with organizations in the United States, they will most probably accept both SOC 2 and ISO 27001, although there’s a slight preference for SOC 2. Outside of North America, you’ll come across ISO 27001 a lot more often.
Both certifications are horizontal, meaning that they will be accepted by most industries, apart from healthcare (where HIPAA is mandatory) and federal government (where there’s a federal counterpart authorization called FedRAMP).
What does the SOC 2 compliance certification focus on?
SOC 2 auditors will be looking to see if you have established controls like:
- Access controls (e.g. who can access which data)
- Multi-factor authentication or 2FA (to confirm identity of the person trying to access the data)
- Encryption (e.g. whether the data is encrypted at rest and/or in transit)
- Intrusion detection (and whether data can be lost if a piece of hardware is physically destroyed)
- Disaster recovery strategy
- Monitoring and alerting systems (for performance and data processing)
- Quality assurance controls
- Firewall protection (network and app firewalls)
- Established processes for handling incidents (including alerting procedures)
Jatheon is a data archiving company whose flagship product is a cloud-based platform, so we take information security extremely seriously.
Jatheon Cloud was built to adhere to the most stringent data protection and security standards – it comes with fully customizable user access controls (with 60+ different permissions), privileged access for compliance officers and administrators, a complete audit trail, AES 256-bit encryption, geofencing and two-factor authentication.