
SOC 2 compliance: an essential guide

Author: Patrick Craston, CTO

Key Points

We’re proud to say that we’re SOC 2 Type 2 certified – with a little help from our own vulnerability scanner. Our CTO, Patrick Craston, who was tasked with ensuring we achieve it, takes you through everything you need to know to get started with SOC 2 compliance.

Cyber security is critical for all organizations, including those that outsource key business operations to third parties like SaaS companies and cloud providers.

Rightfully so, since mishandled data – especially in the hands of application and service providers – can expose an organization to data theft, extortion and malware.

But how secure are the third parties you've entrusted with your data? SOC 2 is a compliance framework for assessing how well service organizations protect the customer data they hold.

For the security-conscious business – and security should be a priority for every business today – SOC 2 compliance is now an essential requirement when working with any SaaS provider.  

What is SOC 2 compliance?  

SOC 2 is a compliance standard for managing client data, developed by the American Institute of CPAs (AICPA). It is built around five Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy.

It's both a technical audit and a requirement that comprehensive information security policies and procedures are documented and followed.

As with most other compliance certifications and accreditation, it's not just about joining the dots; it involves a complex set of requirements that must be documented, reviewed, addressed, and monitored.

There are two types of SOC 2 report, often treated as two stages: Type 1 and Type 2.

2 types of SOC 2 compliance  

Type 1 evaluates cyber security controls at a single point in time. The goal is to determine whether the internal controls put in place to protect customer data are sufficient and designed correctly. Do they fulfil the required criteria?  

Type 2 goes a step further: the auditor checks how effectively those controls operated over an observation period (usually 3-12 months). Are they ongoing and continuous? What is their operating effectiveness? Do they work as intended?

Both are intended to meet the needs of a broad range of users that need detailed information and assurance about the security at a service organization relevant to “security, availability, and processing integrity of the systems the service organization uses to process user data, and the confidentiality and privacy of the information processed by these systems”.

Who needs a SOC 2 compliance report?

SOC 2 compliance isn't mandatory. No industry requires a SOC 2 report, nor is compliance required by law. That said, prospective and current customers increasingly expect SOC 2 compliance from their suppliers and service organizations, and a SOC 2 report shows that you take data security seriously.

Many healthcare providers, such as hospitals and insurers, require SOC 2 from their suppliers to add a level of scrutiny above and beyond HIPAA. The same goes for financial services organizations and accountancies that handle payments and financial information: while they may already meet payment-card requirements such as PCI DSS, they often pursue SOC 2 for extra credibility or because clients ask for it.

SOC 2 compliance is typically quicker and cheaper to achieve than many comparable security frameworks, while still demonstrating a concrete commitment to cyber security.

Ultimately, almost every SaaS business today handles or stores sensitive data, such as personally identifiable information (PII), so SOC 2 compliance is effectively a must.

7 reasons to comply with SOC 2

  1. Do the right thing: Optimize your own security posture and implement controls so you're resilient against security incidents like data breaches, and compliant before you even consider your customers
  2. Customer demand: Protecting customer data from unauthorized access and theft is a priority for clients, so you could lose business without SOC 2 compliance
  3. Cost-effectiveness: Think audits are expensive? IBM's 2022 Cost of a Data Breach report put the average cost of a single breach at $4.35 million
  4. Competitive advantage: Having SOC 2 certification gives you an edge over competitors that don't comply
  5. Peace of mind: SOC 2 certification shows customers and suppliers that you take security and sensitive data management seriously
  6. Regulatory compliance: SOC 2 dovetails with other frameworks, including HIPAA and ISO 27001, so achieving it can speed up your overall compliance efforts
  7. Value: SOC 2 reports provide invaluable insights into your risk and security posture, vendor management, internal controls governance, regulatory oversight, and more

How do you become SOC 2 certified?

A SOC 2 audit requires you to meet the trust services criteria you put in scope for handling customer data:

1. Security

Protecting systems and information against unauthorized access, unauthorized disclosure and damage

2. Availability

Ensuring systems and data are available for operation and use as committed or agreed (uptime, capacity, backup and recovery)

3. Processing integrity

Ensuring system processing is complete, valid, accurate, timely and authorized

4. Confidentiality

Protecting information designated as confidential within the limits you have committed to

5. Privacy

Collecting, using, retaining, disclosing and disposing of personal information in line with your privacy commitments

Which trust services criteria do you need to meet?

Security is the only criterion that every SOC 2 report must include; the other four are optional, so focus on the trust principles most relevant to your business. For example, companies such as Intruder, Google and Cloudflare focus on security, availability and confidentiality.

You can find full details on the AICPA website. While it can be difficult to be sure that you've checked all the boxes and met all the criteria in scope, remember that there is no single formula for SOC 2 compliance; each report is tailored to your specific organization. There are, however, various tools and platforms that can help automate, streamline and speed up the audit process.

How can vulnerability scanning help with SOC 2 compliance?

You can't stay secure if vulnerabilities are left for attackers to find and exploit, which is why three SOC 2 criteria – security, confidentiality and privacy – expect you to monitor your systems for weaknesses.

While not a strict requirement, AICPA recommends that you consider using both vulnerability scanning and penetration testing for effective monitoring of vulnerabilities and potential risks.  

Both vulnerability scanning and penetration testing give you visibility of internal and external weaknesses. The significant difference is that a penetration test is a manual, simulated attack that gives a point-in-time assessment, whereas a vulnerability scanner runs automatically and on a schedule, repeatedly checking your systems for known weaknesses such as missing patches, misconfigurations and exposed services that could give an attacker a way in.

Both are as essential as basic measures like firewalls and antivirus for every robust cyber security program. Vulnerability scanning and penetration testing will help you assess the effectiveness of your security controls and identify areas where your security needs improvement.

How Intruder can help achieve compliance for SOC 2

Intruder is easy to buy and simple to use for SOC 2 compliance and other compliance audits. Just sign up and pay by credit card. Job done. You can tick the SOC 2 vulnerability management box in under 10 minutes.

We know – because we used it ourselves to get our SOC 2 certification, in conjunction with Drata's automated platform that removes the pain of manual reporting.

SOC 2 Type 2 is essentially continuous too. A Type 2 report covers a fixed observation period and is generally treated as current for about 12 months, after which customers expect a fresh one. In practice the next observation period (again 3-12 months) starts as soon as the previous one ends, so you are always inside an audit window. Staying compliant through continuous monitoring keeps each audit pain free and keeps you as secure as possible.

Get started in 3 steps

  1. Provide an IP address, URL, or add your cloud accounts.
  2. Schedule recurring scans, which check for 140,000+ infrastructure weaknesses and 75+ application vulnerabilities. Emerging threat scans proactively check for newly released vulnerabilities.
  3. Integrate with Drata or Vanta to automatically send evidence of your scans and prove compliance.

Of course, Intruder is also a great tool to use day-to-day: not only to ensure your perimeter is secure, but also for other scenarios where you need to evidence your security posture, such as due diligence.

For example, if your business is trying to secure new investment, going through a merger, or being acquired by another business, due diligence will often include your security posture, how you handle customer data, and your exposure to risk and threats. Intruder makes it easy to prove you take your information security seriously.  

If your organization is considering penetration testing or vulnerability scanning as part of your SOC 2 compliance process, contact us to discuss your needs.
