Brief Overview
Standards and Organization Controls (SOC) is an information security framework designed to help companies stress test their information security controls and catch any deficiencies in a company’s security posture PRIOR to a government inspection or external third party audit.
A SOC audit is an internal company audit primarily designed to provide company management and potential external investors with assurance that the company is following industry best practices and its internal policies and procedures, and is meeting obligatory government regulations. The audits are typically conducted annually.
There are two different SOC audits. SOC1 verifies that information security controls are in place relating to possible financial impacts (i.e. of interest to external investors). SOC2 verifies the security and privacy of the data itself (i.e. the customer data).
In total, there are 4 versions of a SOC audit.
- SOC1, Type 1 – verifies that controls actually exist and reviews an organization's processes and controls.
- SOC1, Type 2 – verifies whether controls actually work and checks that processes and procedures are actually being followed.
- SOC2, Type 1 – verifies that controls actually exist and reviews an organization's processes and controls.
- SOC2, Type 2 – verifies whether controls actually work and checks that processes and procedures are actually being followed.
The primary audit of interest to most users is a SOC 2. It defines requirements for managing and storing customer data based on these five Trust Services Criteria (TSC):
- Security – Protect information from unauthorized access.
- Availability – Ensure employees and customers can rely on the systems to work.
- Processing integrity – Verify the company systems operate as intended.
- Confidentiality – Protect confidential information by limiting its access, storage, and use.
- Privacy – Safeguard PII against unauthorized users.
In order to pass a SOC2 audit, you must meet all five Trust Services Criteria. The criteria are defined in detail in the nine (9) categories listed below.
General Criteria
- CC1 – Organization – Establishes how your organization has been incorporated and addresses how your Board of Directors was formed. It also includes HR topics such as recruitment and training practices. Does the organization value integrity and security?
- CC2 – Communication – Establishes your obligation to collect information and describes how it will be disseminated internally and externally. Are policies and procedures in place to ensure security?
- CC3 – Risk – Concerned with financial risks, although many modern technology companies pivot their implementation of these controls toward technical risk. Does the organization analyze risk and monitor changes?
- CC4 – Monitoring – How you intend to monitor your adherence to the controls themselves. These controls establish the cadence of your audit and how you intend to communicate the results to internal and external stakeholders. Does the organization monitor, evaluate, and communicate the effectiveness of its controls?
- CC5 – Control Activities – Take place within the technology environment you’ve deployed, as well as within the policies and procedures you’ve adopted. The most important element of the CC5 controls is the establishment of the policies themselves and how they are distributed to personnel. Are the proper controls, processes, and technologies in place to reduce risk?
Specific Criteria
- CC6 – Logical & Physical Access – The largest section of controls. Everything you have to say about access, data handling and disposal, and threat prevention is included somewhere in the CC6 series. Does the organization encrypt data? Does it control who can access data and restrict physical access to servers?
- CC7 – Operations – The pillars of your security architecture. This series specifies certain tool choices, such as those regarding vulnerability detection and anomaly detection. Are systems monitored to ensure they function properly? Are incident response and disaster recovery plans in place?
- CC8 – Changes – Seeks to establish an approval hierarchy around significant elements of the control environment such as policies, procedures, or technologies. As long as your environment does not permit unilateral changes to these elements of the control environment, you should be in good shape. Are material changes to systems properly tested and approved beforehand?
- CC9 – Mitigations – Prescribes the activities and steps that should be taken to mitigate the risks identified under CC3. For example, if database failure were identified as a risk, a mitigation action would be taking backups of that database. Does the organization mitigate risk through proper business processes and vendor management?
Additional Criteria
Two additional criteria have been developed that may or may not be included in an audit, depending on the type of data a company handles.
- P Series – Privacy – Focused on businesses that have substantial privacy obligations and are already equipped with solid policy. What’s needed is to map the existing controls to the P series controls.
- PI Series – Processing Integrity – Applies to situations where your organization is performing transactions on behalf of another organization. Just as with the privacy controls, it’s likely that your customer contract already contains many of the guarantees the PI controls seek to address. Your task will be to map your existing contracts, commitments, and policies back to the PI series controls.