Controls: SOC 2 is all about controls. It is right there in the name. SOC originally stood for Service Organization Control, and since 2017 the AICPA has expanded it to System and Organization Controls; either way, the C is for controls. A SOC 2 report is a de facto requirement for most SaaS and cloud service providers, because customers expect one from any vendor that stores or processes their data in the cloud.
Unlike PCI DSS, which is prescriptive and very technical, the Trust Services Criteria developed by the American Institute of Certified Public Accountants (AICPA) are descriptive. They cover organization, communication and processes as well as technical criteria.
In other words, the SOC 2 criteria describe broadly what must be done but leave it up to each organization to design the controls for how. When an auditor performs a SOC 2 audit, they examine the organization's controls to determine whether they are suitably designed and, for a Type 2 report, operating effectively over the review period to achieve the criteria.
Scoping the Audit
Defining the environment and systems is critical to audit success. The system boundary and the system description determine what is in and out of scope, and a tight scope makes for an easier audit. Because a SOC 2 audit of a cloud provider centers on the environment that delivers the service, properly segmenting that environment and limiting access to only the systems and people who need it gives auditors a clear, well-defined boundary. That boundary also helps you decide which controls you need and how to implement them to best limit your risk. Every SOC 2 report includes a system description, and it should focus on the cloud service being delivered.
Understanding the Trust Criteria
To receive a clean SOC 2 report (no exceptions found), the first step is to understand the criteria against which you will be evaluated. The AICPA Trust Services Criteria can be downloaded from the AICPA as a PDF. It is a sizable document, and the language can be a bit difficult to read.
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Anthony Israel-Davis. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/how-to-receive-a-clean-soc-2-report/