Cyber security is critical for all organizations, including those that outsource key business operations to third parties like SaaS vendors and cloud providers. Rightfully so, since mishandled data – especially by application and service providers – can leave organizations vulnerable to attack, such as data theft, extortion and malware.  

But how secure are the third parties you’ve entrusted with your data? SOC 2 is a framework that ensures service providers securely manage data to protect customers. For the security-conscious business – and security should be a priority for every business today – SOC 2 compliance is now an essential requirement when working with any SaaS provider.  

What is SOC 2?  

Developed by the American Institute of CPAs (AICPA), SOC 2 is a certification of compliance for managing customer data based on specific criteria or “trust service principles” – security, availability, process integrity, privacy and confidentiality.

It’s both a technical audit and a requirement that comprehensive information security policies and procedures are documented and followed. As with most other compliance certifications and accreditation, it’s not just about joining the dots; it involves a complex set of requirements that must be documented, reviewed, addressed, and monitored. There are two certifications or stages: Type 1 and Type 2.  

SOC Type 1 vs Type 2?  

Type 1 evaluates cybersecurity controls at a single point in time. The goal is to determine whether the internal controls put in place to safeguard customer data are sufficient and designed correctly. Do they fulfil the required criteria?  

Type 2 goes a step further, where the auditor checks how effective those controls are over time (usually 3-12 months). Are they ongoing and continuous? What is their operating effectiveness? Do they work as intended?  

Both are intended to meet the needs of a broad range of users that need detailed information and assurance about the security at a service organization relevant to “security, availability, and processing integrity of the systems the service organization uses to process user data, and the confidentiality and privacy of the information processed by these systems”.

Who needs SOC 2?

Compliance with SOC 2 isn’t mandatory. No industry requires a SOC 2 report, nor is compliance required by law. That said, prospective and current customers and clients increasingly expect SOC 2 compliance from their suppliers and service providers, and having SOC 2 certification shows that you take your cyber security seriously.

Many healthcare providers like hospitals or insurers often require SOC 2 to add another level of scrutiny of their security systems above and beyond HIPAA. The same could be said for financial services organisations or accountancies that handle payments and financial information. While they may meet financial industry requirements such as PCI DSS, they often choose SOC 2 for extra credibility or if clients ask for it. Ultimately, every SaaS business today handles or stores sensitive customer data so SOC 2 compliance is a must.  

7 reasons to comply with SOC 2

1. Do the right thing: Optimise your own security processes and posture so you’re protected and compliant before you even consider your customers
2. Customer demand: Protecting customer data from unauthorized access and theft is a priority for clients, so you could lose business without SOC 2 compliance
3. Cost-effectiveness: Think audits are expensive? In 2021, a single data breach cost $4.35 million on average
4. Competitive advantage: Having SOC 2 certification gives you an edge over competitors that don’t comply
5. Peace of mind: SOC 2 certification shows customers and suppliers that you take security and data management seriously
6. Regulatory compliance: SOC 2 dovetails with other frameworks, including HIPAA and ISO 27001, so certification can speed up your overall compliance efforts
7. Value: SOC 2 reports provide invaluable insights into your risk and security posture, vendor management, internal controls governance, regulatory oversight, and more

How do you become SOC 2 certified?

A SOC 2 audit requires you to meet specific criteria or ‘trust principles’ for handling customer data.

• Security – protecting against unauthorized access, disclosure of information, and use
• Availability – providing access to data users who have a right or privilege to access
• Processing integrity – ensuring all processes function according to their design
• Confidentiality – safeguarding unique, sensitive information per defined limits
• Privacy – restricting collection, use, and retention of personal information

You don’t have meet all of them – focus on those most relevant to your business. For example, companies such as Intruder, Google and Cloudflare focus on security, availability and confidentiality.

You can find full details on the AICPA website. While it can be difficult to be sure that you’ve checked all the boxes and meet all these criteria, it’s important to remember that there is no singular formula for SOC 2 compliance; each report is tailored to your specific organization. But there are various tools and platforms that can help automate, streamline and speed up the auditing process.

How can vulnerability scanning help with SOC 2 compliance?

As it’s widely recognized that you can’t stay secure if vulnerabilities are left for hackers to find and exploit, three SOC 2 criteria – confidentiality, privacy and security – require monitoring for weaknesses. While not a strict requirement, AICPA recommends that you consider using both vulnerability scanning and penetration testing for effective monitoring of vulnerabilities and potential risks.  

Like pentesting, vulnerability scanning offers deep insights into internal and external vulnerabilities. However, the significant difference is that it automatically monitors your systems rather than being a simulated attack that gives a point-in-time assessment. A vulnerability scan will continuously search for gaps and cracks in your systems and user behaviour that could lead to an attack.

Both are as essential as basic measures like firewalls and antivirus for every robust cyber security program. Vulnerability scanning and penetration testing will help you assess the effectiveness of your security controls and identify areas where your security needs improvement.

How Intruder can help with SOC 2 compliance

Intruder is easy to buy and simple to use for SOC 2 and other compliance audits. Just sign up and pay by credit card. Job done. You can tick the SOC 2 vulnerability management box in under 10 minutes. We know – because we used it ourselves to get our SOC 2 certification, in conjunction with Drata’s automated platform that removes the pain of manual reporting.

SOC 2 Type 2 is essentially continuous too. You get a Type 2 report for 12 months, after which you need a new report. As soon as you get your report, a new monitoring period starts and you need to get certified again 12 months later. Given the monitoring period is 3-12 months, by staying compliant with continuous monitoring, you make your SOC 2 audit pain free so you can stay as secure as possible.  

Of course, Intruder is also a great tool to use day-to-day. Not only for its continuous monitoring to ensure your perimeters are secure, but for other scenarios that may require SOC 2 such as due diligence. For example, if your business is trying to secure new investment, going through a merger, or being acquired by another business, due diligence will often include your security posture, how you handle data, and your exposure to risk and threats. Intruder makes it easy to prove you take your information security seriously.  

If your organization is considering penetration testing or vulnerability scanning as part of your SOC 2 compliance process, contact us to discuss your needs.

‍