Understanding SOC 2 and Deciding Which Principles Are Right for Your Company

Understanding SOC 2

If you’re a service company such as a cloud or SaaS provider, you need to pass what’s called the System and Organization Controls (SOC) 2 audit. Passing the audit shows that you take cybersecurity seriously. But how do you pass? Well, you need to:

  • Choose which of the 5 SOC 2 principles apply
  • Commission an assessment based on those principles

In other words, there’s no one-size-fits-all approach to SOC 2 audits. So, here’s a rundown of the 5 principles so you can decide which ones fit your company’s requirements.

1. Security

Security, or common criteria, is the only mandatory category. It’s mandatory because it sets out some fairly simple cybersecurity standards for service companies to meet.

Basically, you need to show that you can protect your systems from unauthorized access. Ways to pass this category include using:

  • Firewalls
  • Network intrusion detection
  • Multi-factor authentication

2. Processing Integrity

If you process client data, you need to show that you can process it quickly, accurately and securely. So, you need tools in place to spot processing errors like:

  • Duplicate records
  • Corrupted data
  • Unauthorized amendments

This category is less important if you just store data rather than process or handle it.
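The three error classes listed above map onto two different checks, and it is worth seeing why one is not enough: an unkeyed checksum catches accidental corruption, but anyone who can edit a record can also recompute that checksum, so spotting an unauthorized amendment needs a keyed seal (an HMAC) that only the authorized pipeline can produce. The following is an added illustration written for this page, not code from the article or from Interactive Security; the record format, the field names and the signing key are all constructed for the example.

```python
import hashlib
import hmac
import json
from collections import Counter

# Hypothetical key held only by the authorized processing pipeline (constructed for this example).
SIGNING_KEY = b"example-key-not-for-production"


def canonical(payload: dict) -> bytes:
    """Stable byte encoding so identical content always hashes the same way."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def checksum(payload: dict) -> str:
    """Unkeyed hash: detects accidental corruption (bit flips, truncated writes)."""
    return hashlib.sha256(canonical(payload)).hexdigest()


def seal(payload: dict) -> str:
    """Keyed HMAC: only a holder of SIGNING_KEY can produce a valid seal, so a
    record whose checksum verifies but whose seal does not was changed by
    something outside the authorized pipeline."""
    return hmac.new(SIGNING_KEY, canonical(payload), hashlib.sha256).hexdigest()


def make_record(record_id: str, amount: int, approved_by: str) -> dict:
    """What the authorized pipeline writes: payload plus checksum plus seal."""
    payload = {"id": record_id, "amount": amount, "approved_by": approved_by}
    return {"payload": payload, "checksum": checksum(payload), "seal": seal(payload)}


def audit(records: list) -> list:
    """Return sorted (record_id, finding) pairs for duplicates, corruption
    and unauthorized amendments; an empty list means the batch is clean."""
    findings = []
    counts = Counter(r["payload"]["id"] for r in records)
    for r in records:
        p = r["payload"]
        if counts[p["id"]] > 1:
            findings.append((p["id"], "duplicate"))
        if checksum(p) != r["checksum"]:
            findings.append((p["id"], "corrupted"))
        elif not hmac.compare_digest(seal(p), r["seal"]):
            findings.append((p["id"], "unauthorized_amendment"))
    return sorted(set(findings))


def sample_batch() -> list:
    """Constructed batch: one clean record plus one example of each error class."""
    clean = make_record("inv-1001", 250, "alice")
    dup_a = make_record("inv-1002", 90, "alice")
    dup_b = make_record("inv-1002", 90, "alice")          # same id ingested twice
    corrupted = make_record("inv-1003", 40, "bob")
    corrupted["payload"]["amount"] = 4000                  # storage fault; no hashes refreshed
    tampered = make_record("inv-1004", 75, "bob")
    tampered["payload"]["amount"] = 7500                   # edited outside the pipeline...
    tampered["checksum"] = checksum(tampered["payload"])   # ...the plain checksum can be refreshed,
    return [clean, dup_a, dup_b, corrupted, tampered]      # ...but the keyed seal cannot


if __name__ == "__main__":
    for record_id, finding in audit(sample_batch()):
        print(f"{record_id}: {finding}")
```

Running the block reports `inv-1002` as a duplicate, `inv-1003` as corrupted and `inv-1004` as an unauthorized amendment; the clean record produces no finding. In a real pipeline the seal would be produced and verified by a service that keeps the key out of reach of the application writing the records, and the audit output would feed the same logging and alerting that evidences the control to the auditor.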

3. Confidentiality

If you handle restricted or classified data, you need to pass the confidentiality category. That’s because you must show that you have sufficient security in place to prevent unauthorized access and data leaks.

To pass this category, you need tools like:

  • Encryption to protect files
  • Firewalls and multi-factor authentication (which is also covered in category 1)
  • Software to safely erase data

4. Privacy

This category is less about restricted data and more about personal information, like names, addresses and telephone numbers. You need to prove you:

  • Follow regulatory guidelines, e.g. HIPAA and GDPR
  • Monitor and restrict data access
  • Have clear data retention and destruction protocols

5. Availability

If service availability is critical to your contract with the client, you need to prove you’re taking all possible steps to keep your service online. In other words, you probably want to pass the availability category. You can pass by:

  • Measuring usage
  • Forecasting capacity needs
  • Proactively checking for system threats
  • Laying out a clear incident response plan for how you handle downtime

If you’re unsure which SOC 2 principles apply, ask a compliance specialist for advice.

Emory Vandiver

Emory Vandiver is the Vice President of Business Operations and a Partner at Interactive Security, where he is responsible for executing the company's strategy as a premier IT Security and Compliance provider. For over 20 years Emory has worked for leading enterprises across a diverse cross section of the information technology industry. His professional passion lies in understanding client business goals, challenging the status quo and leveraging technology-based solutions to maximize client performance. He strives to bring unique insight and value to his clients' businesses, along with a superior customer experience.