SOC 2 Overview
For B2B organizations, SOC 2 reports are a trusted way to show customers and prospects that your security practices protect their data.
Where Do I Start?
- Start with The Trust Principles
- Do a gap assessment
- Remediate and Document
- Let your technology speak for you
- Work with an auditor
Time and Costs Estimation
- SOC 2 audits can take anywhere from 2 months to a year depending on the type and scope of the audit. We work with clients to be audit ready in weeks, with an immediate turnaround for Type 1 and to start the clock on a Type 2.
You should budget anywhere between $20,000 and $100,000/year to meet and maintain SOC 2.
Costs can be broken down across:
- Effort to assess, remediate, and document
- Evidence collection and additional tools/technology
- Auditor fees
Who needs a SOC 2 Report?
If you are a service provider or a service organization that stores, processes or transmits any kind of information, you may need one to be competitive in the market today. In fact, many technology and SaaS companies now have these reports and will provide them to their customers upon request.
A SOC 2 report usually contains internal information that warrants caution when sharing it with anyone outside the company. However, customers will most often ask for verification that the report exists, the detailed report itself, penetration test results and/or detailed security questionnaires. If you are unable to build that trust, they may consider another provider.
SOC 2 allows the company more flexibility in how to meet or address the individual controls. Contrast that with other security frameworks, such as PCI-DSS and HIPAA, which are well-defined standards with explicit requirements. One example is password creation: PCI-DSS accepts passwords that are at least 7 characters and a combination of numbers and letters, while SOC 2 ignores the details of this technical security control and only requires some form of authentication.
Type 1 or Type 2?
Type 1 reports cover the description of systems and the suitability of the design of controls (known as criteria in SOC terminology). Type 2 reports include everything in a Type 1 report and additionally describe the operating effectiveness of the controls over a period of time. Type 2 SOC 2 reports are considered more useful since the auditor verifies that the controls worked in an appropriate manner over that period. Companies with an urgent need for SOC 2 will initially get a Type 1 report to demonstrate progress and follow up with the Type 2, which, due to the nature of the report, often requires a 3 to 6 month audit window.
How Can DuploCloud Help?
With DuploCloud, SOC 2 security and control implementation is auto-generated and seamlessly integrates into DevOps workflows from the start. Other security products apply controls only after resources are provisioned, limiting coverage to about 30% of the required security control set. DuploCloud is the only automation platform spanning both provisioning and security, ensuring adherence to 90% of the required security control set.
Built on Standards
DuploCloud was built for compliance frameworks and regulations such as SOC 2, PCI-DSS, HIPAA and GDPR. Start with a compliance gap assessment.
Remediation of Cloud
SOC 2 controls are implemented and remediated by orchestrating native cloud services, open source tools and third-party software, improving your security posture.
Document your Security
We'll give you sample auditor- and customer-ready InfoSec and Infrastructure Security documentation that you can tailor to your own policies and procedures.
Audit Ready Reporting
Save hundreds of hours with built-in proof of security controls, operational reports, and screenshots.
AICPA Trust Services Criteria (TSC)
The Trust Services Criteria are organized around the following areas:
- Security (the common criteria, applied in all TSC information and system controls): Control Environment (CC1.x), Communication and Information (CC2.x), Risk Assessment (CC3.x), Monitoring Activities (CC4.x), Control Activities (CC5.x), Logical and Physical Access Controls (CC6.x), System Operations (CC7.x), Change Management (CC8.x), Risk Mitigation (CC9.x)
- Additional criteria for Availability (A1.x)
- Additional criteria for Confidentiality (C1.x)
- Additional criteria for Processing Integrity (PI1.x)
- Additional criteria for Privacy (P1.x)