{"id":293,"date":"2022-11-18T17:25:00","date_gmt":"2022-11-18T17:25:00","guid":{"rendered":"https:\/\/wordpress-851255-3513096.cloudwaysapps.com\/?p=293"},"modified":"2024-12-10T20:19:55","modified_gmt":"2024-12-10T20:19:55","slug":"what-is-soc-2","status":"publish","type":"post","link":"https:\/\/wordpress.staging.certn.co\/anz\/blog\/what-is-soc-2\/","title":{"rendered":"What Is SOC 2"},"content":{"rendered":"\n

Developed by the Association of International Certified Professional Accountants<\/a> (AICPA), Service Organization Control (SOC) 2 is an auditing procedure that verifies companies have internal controls in place to protect sensitive data, and that the controls are operating continuously.<\/p>\n\n\n\n

Released in 2010, it quickly became a standard for software as a service (SaaS) companies and managed service providers. SOC 2 is voluntary, so not all companies need to be compliant to operate, but if you deal with data and store data in the cloud, earning a clean audit can improve your ability to sign new clients and get ahead of the competition.<\/strong><\/p>\n\n\n\n

Below we break down the different designations and the benefits of becoming compliant if you aren\u2019t already. Of course, we also cover how background checks help achieve SOC 2 compliance<\/a>.<\/p>\n\n\n\n

SOC 1 vs SOC 2<\/h3>\n\n\n\n

SOC 2 implies the existence of others, of which there are several. In total, there are actually three: SOC 1, SOC 2, and SOC 3 \u2014 all simultaneously released in 2010 by the AICPA.<\/p>\n\n\n\n

It\u2019s worth noting that they were all developed and released at the same time because it can be easy to assume that SOC 2 is an evolution of #1, or that SOC 3 is an upgraded and more comprehensive version of the second one. But that\u2019s not the case. Rather, each type covers something a little different.<\/p>\n\n\n\n

This means that you don\u2019t need to get #1 before getting #2, or that #3 provides more benefits than #2.<\/p>\n\n\n\n

Different Types of SOC<\/h3>\n\n\n\n

The table below outlines the different types:<\/p>\n\n\n

\n
\"Infographic<\/figure>\n<\/div>\n\n\n

SOC Compliance Types<\/h3>\n\n\n\n

Within SOC 2 (and SOC 1), there are two subtypes: Type 1 and Type 2.<\/p>\n\n\n\n

SOC 2 Type 1<\/h3>\n\n\n\n

This type examines whether your company met the requirements for SOC 2 compliance on a specific date, it\u2019s a snapshot in time.<\/p>\n\n\n\n

Due its short time span and smaller scope, Type 1 can be useful when working under a tight deadline. However, because it\u2019s less comprehensive, clients may not be as interested in seeing it. They\u2019ll likely be looking for a report that demonstrates continuous compliance over a longer period of time.<\/p>\n\n\n\n

SOC 2 Type 2<\/h3>\n\n\n\n

This type determines whether a company has maintained continuous SOC 2 compliance over a long period of time, rather than at a specific point in time.<\/p>\n\n\n\n

Typically, Type 2 reports cover several months to a year. The time frame they cover can\u2019t exceed a year, though, which means that for a company to remain compliant, it must regularly undergo audits. When people talk about SOC 2 compliance, this is typically the subtype they\u2019re referring to or are looking for.<\/strong><\/p>\n\n\n\n

SOC 2 Compliance Checklist<\/h3>\n\n\n\n

Is there a checklist? No, not exactly.<\/p>\n\n\n\n

Because the needs of a company depend on a number of factors, including its size, customer base, industry, and processes, achieving a clean audit isn\u2019t about meeting a standard checklist. Rather, it\u2019s about demonstrating that you\u2019ve implemented custom processes necessary to maintain your specific company\u2019s security standards, and having their effectiveness and rigor validated by an outside auditor.<\/p>\n\n\n\n

To achieve this level of compliance, your custom policies must be rooted in the five Trust Service Criteria<\/a>:<\/p>\n\n\n\n