Compliance
What is SOC 2, and Do You Actually Need It?
If you work for a startup, and you want to sell your product to a Fortune 500 company, you’re likely to hear the following during your sales cycle:
“In order to do business with us, you need to be SOC 2 Type II certified.”
That can be a stumbling block for many smaller businesses. SOC 2 audits can be costly and time-consuming, and you may not actually need them.
What is SOC 2?
System and Organization Controls 2 , or SOC 2, is an information security framework created by the American Institute of Certified Public Accountants (AICPA) in 2010. There are three SOC frameworks—SOC 1, 2 and 3—but SOC 2, which governs internal cybersecurity controls, is probably the best known.
SOC 2 was developed around five “trust Services” criteria:
Security
Availability
Processing
Integrity
Confidentiality
Privacy
There are two types of SOC 2 reports, SOC 2 Type I and SOC 2 Type II.
SOC 2 Type I evaluates a company’s information security controls at a single point in time.
SOC 2 Type II evaluates a company’s information security controls over several months.
Because SOC 2 Type II looks at the way controls function over time, it’s the most sought-after SOC certification by enterprises that want to protect their clients’ data.
How is SOC 2 Type II evaluated?
There are no rigid guidelines or checklists for SOC 2. Instead, an independent auditor is brought in to conduct an evaluation and write a report about the organization's compliance with the five trust services criteria. The auditor must be a licensed CPA firm or agency accredited by the AICPA. It’s also recommended that the audit be performed annually.
All of this can be a lot for a small company or a startup to handle. The good news is that you may not have to be SOC 2 compliant — even if a decision-maker has said so during a meeting.
Do you really need to be SOC 2 certified?
SOC 2 Type 2 compliance is often used as shorthand for “strong information security controls,” particularly by non-technical people at a company. To date, however, I have not seen any Fortune 500 companies that actually require their vendors to be SOC 2 certified.
If you’ve been told you need to be SOC 2 compliant during your sales cycle, ask to be put in touch with IT for more information. Often, IT will say you don’t need to be certified, but you are required to have certain controls which align with SOC 2, in place. IT can provide you with a list of the information security controls you absolutely need in order to work with them.
To verify those controls, you will most likely need to fill out a security questionnaire; some of the most common questionnaires are from SecurityScorecard, OneTrust, and Ariba. It’s important to note that whether your company is SOC 2 certified or not, you will need to fill out a questionnaire regardless.
Should you be SOC 2 certified?
I do recommend SOC 2 certification for those who can afford it. SOC 2 is helpful during the IT vetting process, and will likely help you close a big sale. In fact, we are currently moving towards SOC 2 Type II compliance ourselves. However, if you don’t have the certification, don’t panic. It’s often not necessary.
SOC 2 certification is like a college degree; it certifies that you’ve completed the steps of securing your business’s technology. But you don’t always need a college degree to land a job.
Find out how you can do a NIST 800 or SOC 2 compliance self-audit. Contact an expert today.
About the Author
