What is SOC2? How to do it wrong?

Confused Cyber Warrior
4 min read, Jul 15, 2024

Hi everyone who lands on this page! This is my first write-up in the series “I am confused about cybersecurity.” Today, we will talk about SOC2. If you are in this field, you must have heard this term often. Even if you haven’t, let me introduce you to it. SOC2 is considered a part of cybersecurity and compliance.

I was as terrified as you when I first heard this term — Audit, Controls, Principles, Trust Service Criteria, what and what not.

If you are already familiar with what SOC2 is, then you can skip reading the first part.

What is SOC2?

SOC stands for Service Organization Control. Service Organization is a fancy term for a “company,” “business,” or “startup,” and Control refers to any measure we have in place so that things work properly and we achieve our business goals. SOC2 is a compliance framework developed by the AICPA (American Institute of Certified Public Accountants). When an organization says it is SOC2 compliant, it means it has appropriate controls in place to show that it operates according to this framework. To get a SOC2 report (a report, not a certificate), a business needs to be audited by an external auditor who is certified by the AICPA. This report contains the auditor’s opinion on whether the organization complies or not. Simple enough so far?

Okay then, let’s start with some fancy words: Trust Service Criteria (TSC). These are the criteria on which other parties (customers, partners, vendors) can trust your business. Depending on what kind of trust they need from your services or products, a business chooses which of the five TSCs it wants these third parties to be able to trust it on: Security, Confidentiality, Privacy, Availability, and Processing Integrity. You don’t have to claim all five TSCs; you can choose based on your needs. However, you must include Security (it’s not optional).

Then there are criteria under each TSC for which you need to have controls. For example, under Security, the criteria are the Common Criteria, referred to as CC1.n (where n is 1, 2, 3, and so on). Inside the framework, they are further mapped to the COSO Principles (don’t worry if you’re hearing this term for the first time). Under these CCs there are points of focus (statements sometimes called controls, such as “the organization should have a defined charter for the board of directors”), and for each of them you need to show the controls you have. As an organization, you show that you comply with a point of focus by presenting evidence: for the example above, a document where the charter is written.

If you’re still reading, WOW!!! Congratulations, you got through the complex terms. There are two types of SOC2 reports: Type 1 and Type 2. Type 1 means we have all the controls in place against all the points of focus under the criteria we have chosen. You tell the auditor about all your controls. Easy one, eh? Are you thinking you can lie? Maybe you can, but that’s unethical, and the auditor might catch you. Probably the Devil will start liking you and increase your chances of getting into his team.

Type 2 is where you are judged over a period of time to see whether the controls you specified are actually in place and working to satisfy the criteria. This one needs proof, and liars will be caught here.

How to do it wrong?

Well, now that we know what SOC2 is, let’s learn how to do it wrong.

Are you under pressure from some customer who’s saying “no SOC2, no business”? Great!

Go into panic mode and search on Google for “how to get SOC2 fast.”

Look at the top search results: compliance automation tools, magic tools claiming to do it fast, super fast. Get that tool quick. You really don’t need to know what SOC2 is. You really don’t need to get a copy of the framework and read it. And please, please don’t even think of understanding the whole concept; it will take a lot of time.

Awesome! Spend some dollars on that expensive tool and get some document templates from them. Never read them; we’re too lazy for that, and it would take a lot of time. Trust those people; their templates are great and will fit us perfectly (don’t think too much about your business size, inner workings, blah blah… who cares). Great! Now these automation platforms will have auditors listed. Get one, pay a hefty amount of money, get a template report. Great!!! We successfully got our SOC2.

*Disclaimer: I don’t mean to target these automation platforms. They can be incredibly useful when used correctly. This is just a humorous take on how NOT to approach SOC2 compliance!*

Hope you enjoyed reading this and learned something new! Happy learning!
