
What Is SOC 2 Type II Compliance?


SOC 2 Type II compliance is a framework for service organizations that demonstrates proper controls for data security criteria.

In today’s service-driven landscape, an organization’s data rarely exists only in its own IT environment. That data is often entrusted to many vendors and service providers. Choosing which vendor to trust with that data relies heavily on certifications, which demonstrate adherence to certain standards for security and confidentiality.

Compliance certifications fall under frameworks and are verified by third-party auditors. They can give customers a stamp of approval that a vendor has all of the necessary controls and protections in place to ensure their data is as safe as possible. One of these frameworks is called the Service Organization Control (SOC) framework.

If you’re a vendor or service provider, you may be asked to provide SOC 2 data compliance reports. If you’re a client, you may request SOC certification to verify that a vendor or provider has the proper controls in place for data compliance. 

Here’s a closer look at this service provider-specific compliance standard, what it includes, and why it matters.

What Is SOC 2 Type II?

Overview of SOC 2 Type II

Data compliance certifications are often required as a prerequisite or contractual obligation for an engagement. SOC 2 Type II compliance is specifically designed for service organizations. SOC 2 Type II includes principles for data security, availability, confidentiality, privacy, and transaction processing integrity. Type II indicates the audit was carried out over an extended period of time, often six months. 

These standards are critical to ensuring top-notch information security (InfoSec) safeguards across vendors’ IT systems and adhering to vendor-customer contracts. 

How Many SOC Criteria Are There?

There are five service criteria, or trust principles, in a SOC 2 compliance report. Security is mandatory, whereas the other criteria may be more industry- or business-specific. Each of these will trigger requirements for different types of controls.

  • Security: This is the most important, baseline service category required for SOC 2 compliance.
  • Availability: This is important for service providers who have strict SLAs to meet for software-as-a-service (SaaS), platform-as-a-service (PaaS), or infrastructure-as-a-service (IaaS) products. If the IT service is considered mission-critical to customers, data availability is key.
  • Processing integrity: This is applicable to services that process transactions for finance or e-commerce customers.
  • Confidentiality: When the data you’re processing for customers is sensitive (e.g., intellectual property), this is a key pillar of your SOC 2 Type II compliance.
  • Privacy: Not to be confused with confidentiality above, this principle is specific to personally identifiable information (PII) such as health records.

Trust Service Criteria

Principles:
  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Categories:
  • Organization
  • Communication
  • Risk assessment & management of controls
  • Monitoring of controls
  • Logical and physical access control to sensitive data and systems (e.g., key cards or login credentials)
  • System operations and procedures (daily, weekly, monthly)
  • Change management

What Is Evaluated in a SOC 2 Type II?

In a SOC 2 Type II compliance audit, policies and controls designed to meet the above service criteria are evaluated for their effectiveness, usually over a period of six months. Are the controls suitable for the criteria? Is your organization consistent in carrying them out?

What Is a SOC 2 Type II Certification?

The SOC 2 Type II Certification is proof from a third-party auditor that an organization’s policies passed the audit for SOC 2 Type II compliance.

What Are the Benefits of SOC 2 Type II Compliance?

The benefits of SOC 2 Type II are in improving the overall health of data security and protections within an organization and across its vendors. For service providers, SOC 2 Type II certification can help improve the odds of earning a partnership or client over the competition. For clients, it’s demonstrable proof your data will be in good hands with proper controls and safeguards.

Who Needs to Have SOC 2 Type II Compliance?

Any vendor that handles customer data or sensitive information and is looking to meet contractual obligations with a customer for SOC 2 Type II compliance can benefit from certification.

SOC 2 vs. Other Compliance Certifications

Differences Between SOC 1 and SOC 2

What is the difference between SOC 1 and SOC 2? SOC 1 is not focused on security criteria but on financial reporting criteria. SOC 1 was also designed for service organizations, but specifically those to which certain financial functions have been outsourced. Note that SOC 1 audits typically align with fiscal years and cover five service criteria: control environment, risk assessment, control activities, communication and information, and monitoring.

Differences Between SOC 2 and ISO-27001

Both SOC 2 Type II and ISO-27001 are frameworks that focus on the management of InfoSec. While SOC 2 Type II assesses the overall effectiveness of security controls, ISO-27001 is a very prescriptive, systematic approach to information security management systems. ISO-27001 is a standard whose primary focus is internal systems and controls, whereas SOC 2 Type II is a framework for conducting an audit.

SOC 2 Type II vs. PCI DSS, HIPAA, GDPR 

There are a number of compliance frameworks—how are they different, and which organizations need them?

SOC 2 Type II and the Payment Card Industry Data Security Standard (PCI DSS) are two very different compliance frameworks with little to no overlap. PCI DSS is specifically related to controls for how credit card information and transactions are handled. PCI DSS is also only applicable to financial services providers, whereas SOC 2 Type II covers a broader range of industries. Finally, PCI DSS is conducted annually, and not by a CPA firm.

SOC 2 Type II and the Health Insurance Portability and Accountability Act (HIPAA) also differ in the type of data being protected. HIPAA applies only to healthcare organizations and service providers handling patient data (and is required by law), while SOC 2 Type II can include healthcare organizations but is not mandatory for them. Also, whereas SOC 2 Type II is not as prescriptive in how the service criteria are met, HIPAA is, with very specific standards that must be met for compliance.

SOC 2 Type II and the General Data Protection Regulation (GDPR) are both frameworks that address data security and privacy. The GDPR framework is only applicable to organizations handling personal data of residents within the European Union and is focused on data privacy and protection rights. This requires controls around transparency of how data is used, the “right to be forgotten,” data minimization, and consent. While SOC 2 Type II is not mandatory, GDPR is, and failure to comply can come with legal ramifications and fines.

Preparing for SOC 2 Type II Assessment

Preparing for a SOC 2 Type II audit is a team effort and can require quite a few staff hours to get off the ground. Deciding to implement SOC 2 Type II compliance can also require a fair amount of buy-in and support internally to get things underway and incorporate it into processes for the long term. 

Steps to Help Prepare for SOC 2 Type II Assessment

  1. Know the “why” behind your request for SOC 2 compliance. Whether it’s a customer request or other reason, this will help you understand your deadlines for compliance certification, the scope of work involved, and more. This will also help you identify existing policies you have that may help and also provide the auditor with context and scope.
  2. Gather the right team of individuals within your organization to onboard them to SOC 2 Type II. Depending on your timeframe to get SOC 2 Type II underway, you may need more people to pitch in on certain tasks, evidence gathering, and development. This group may include:
    • Leadership, such as the CEO, CTO, CISO, and other C-suite executives
    • DevOps
    • Human resources, as employees may come into scope for audits
    • InfoSec
  3. Prepare to provide scope. Be prepared to answer data-specific questions such as where your service is hosted (public cloud, on-prem), capacity forecasting, office locations (is it a zero-trust environment, or will servers need to be white-listed?), whether you store sensitive data, etc.

Working with Third-party Auditors for SOC 2 Type II Compliance

The SOC 2 framework was developed by the American Institute of Certified Public Accountants (AICPA) and an audit must be completed by a CPA firm.

When you’re evaluating a firm to audit you for SOC 2 Type II compliance, consider quality and experience along with cost, and if they’re a good fit to work alongside your team day to day for weeks or months—and become a long-term advisor and partner for your organization.

Questions to ask: Does the firm have a strong track record of successful audits? Does it have audit experience specific to your industry? Feel free to ask for peer reviews, any required third-party review documentation for auditors, and referrals.

Also, consider engaging an auditor as early in the process as possible, as they can be valuable in helping you to scope the project and align the right resources internally to meet your deadline (if you have one).

Once you’ve chosen the auditor, you’ll go through:
  • A scoping and discovery exercise to set expectations
  • A readiness assessment, for a top-down look at gaps, what you’ll need to get started, what policies are already in place, etc.
  • Check-ins, leading up to the final test
  • The certification exam

During the audit, you’ll be asked to provide the policies, controls, and evidence for each. 

How to Maintain SOC 2 Type II Certification

It’s important to note that SOC 2 Type II compliance is not one and done. It requires diligence and ongoing effort. Maintaining SOC 2 Type II certification requires constant monitoring, documentation, incident disclosure and response, employee training, and periodic assessments. This is to show that an organization has an ongoing commitment to compliance and is making the necessary policy changes and upgrades.

As an ISO 27001-certified organization, Pure Storage provides a number of products and services designed to give our customers comprehensive monitoring and control over their data. Check out our suite of modern data protection solutions to see how we can help you meet your data security compliance goals.
