What B2B Companies Need to Know About SOC 2 Compliance

Posted on September 22, 2020 - by Shannon McFarland - in Building Your InfoSec Program

For B2B tech companies looking to grow and close deals with enterprise customers, getting SOC 2 compliant can open up many opportunities. 

Passing a SOC 2 audit can be a big deal if you’re a SaaS company selling to enterprise companies that are looking to weed out risky vendors with a weak information security posture. The certified badge of a SOC 2 report shows a qualified third-party reviewed and validated your security controls. Overall, it helps companies feel like you’re a vendor they can trust with their data. 

If you’re just starting to get questions about SOC 2 compliance, or even customers demanding a SOC 2 audit report — you likely have some questions yourself. If you’re trying to get up to speed on what SOC 2 is and why it matters, I spent some time breaking down the top questions with our security officer and senior director of product at Securicy, Justin Gratto. Read on to get all the essentials you need to know about SOC 2 and audits.

Quick Answers to Common Questions About SOC 2 Compliance and Audits

1. What is SOC 2?

Service Organization Control 2 audits were designed by the AICPA (American Institute of CPAs) as an auditing process to check the existence and effectiveness of data security, availability, processing integrity, confidentiality, and privacy controls at vendor organizations. The reports from a SOC 2 audit are commonly used to assess, provide information, and verify a third-party vendor’s data management processes. 

2. What is SOC 2 Type 2 certification?

SOC 2 Type 2 certification is the result of an auditor’s report that verifies your company has the controls to securely manage and protect client data during its operations. This third-party attestation includes the auditor’s opinion about the effectiveness of the controls. It provides assurance that a service provider can meet the Trust Services Criteria for data security.

3. What is the difference between SOC 1 vs. SOC 2 reports? And what about SOC 3?

SOC 1 (Types 1 and 2) reports are focused on the processing of financial information. SOC 2 reports are specific to the security controls for processing data, using the Trust Services Criteria.

Less common, but also available, are SOC 3 reports. SOC 3 audits and reports use the same criteria as a SOC 2 report but contain less detail on internal operations so they can be used to provide public assurance about data security.

4. What is the difference between SOC 2 Type 1 and Type 2?

A SOC 2 Type 1 is a point-in-time report that evaluates and tests the design of your information security controls. A SOC 2 Type 2 report is completed over an extended period of time (the timeframe depends on the scope of your audit, usually 6 to 12 months) to test the implementation and operating effectiveness of your information security program.

5. What are the criteria for SOC 2 compliance?

SOC 2 requirements are based on the 2017 Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. These control criteria are included in the Securicy platform, integrated and mapped to your policies, procedures, implementation plan, and internal reporting. 

SOC 2 audits always include the Security criteria, which is referred to as the Common Criteria. Depending on the scope you define for your audit, you may choose to include one or more additional control categories from the Trust Services Criteria: Availability, Processing Integrity, Confidentiality, or Privacy. 

Historically, companies used spreadsheets with the numbered SOC 2 controls, like this downloadable template you can get for free listing the Common Criteria. However, with the full content for the Trust Services Criteria in the Securicy platform, it’s easier than ever to automate and simplify SOC 2 compliance and audit prep. 

6. Who can perform a SOC 2 audit?

An independent, certified CPA firm must conduct a SOC 2 audit. Securicy provides a customized information security program with policies, an implementation plan/checklist, and expert guidance to ensure your company is successfully prepared for your SOC 2 audit, then connects you with a trusted auditing partner.

7. Who needs a SOC 2 audit? Does SOC 2 apply to your business?

SOC 2 reports may be used by service organizations to provide security assurance to clients during the sales process, meet compliance with regulatory requirements, or manage governance and risk management. SOC 2 has become a standard for B2B vendors and SaaS companies.

8. How much does a SOC 2 audit cost?

The cost of a SOC 2 audit will vary based on the audit’s scope and the certified auditor you hire. Typically, you’ll find auditor fees in the $20,000 to $45,000 range. 

However, you’ll also want to budget for the cost of audit preparation — you’ll need to plan for whatever time, resources, outside expertise, and additional tools you need to bring your security program into compliance with the SOC 2 Common Criteria and any additional controls in the scope of your audit. With Securicy’s SOC 2 Audit Readiness solution, our goal is to simplify audit prep to save your team time and headaches.

9. How long does it take to get SOC 2 compliant?

Your timeline to achieve SOC 2 compliance (that is, preparing for the audit) depends on the status of your existing security program and the resources you have. 

The amount of time needed for the actual SOC 2 audit will depend on the scope of the audit. A SOC 2 Type 1 audit will take less time, as it is a point-in-time audit, while a Type 2 audit typically takes six to 12 months.

10. How do you become SOC 2 compliant?

To become SOC 2 compliant, your business would need to implement security policies and procedures that follow, at minimum, the common criteria for SOC 2 security controls. With Securicy’s SOC 2 Audit Readiness solution, you can get the tools to simplify the journey to SOC 2 compliance, setting you up with documentation, policies, and audit-ready data in a centralized hub ready to share with your auditor. 

However, it’s important to distinguish whether your business needs compliance or a certified audit. To become certified as SOC 2 compliant, you would need to schedule an audit with a CPA firm approved to perform SOC 2 audits. Some customers may be satisfied by a vendor that can demonstrate SOC 2 compliance during the sales cycle using internal reports and other proof, allowing you to avoid the months and cost of an official audit, or to close the deal before the auditor’s report arrives. Most of the time, though, clients will expect you to show a certified SOC 2 report from an independent auditor.

SOC 2 with Securicy 

Historically, companies used unwieldy spreadsheet templates with the numbered SOC 2 controls, various documents, and manually tracked data. A spreadsheet can still be a useful starting point. However, there are much more efficient tools, which provide ongoing support for achieving and maintaining SOC 2 compliance. With the full content for the Trust Services Criteria in the Securicy platform, plus the tools to manage and report on security compliance, it’s easier than ever to automate and simplify your SOC 2 audit prep.  

About the author

Shannon McFarland is the Director of Content Marketing at Securicy, where she leads marketing strategy and campaigns. Previously she was a journalist, Techstars hackstar, and a marketing consultant. She’s a passionate outdoorist, gardener, an advocate for mental health, a total bookworm, and dog mom. She works remotely from her home in the Boston area.