Get the SOC 2 eBook PDF
SOC 2 and ISO 27001 both provide companies with strategic frameworks and standards to measure their security controls and systems against. But what’s the difference between SOC 2 vs. ISO 27001? In this article, we’ll provide an ISO 27001 and SOC 2 comparison, including what they are, what they have in common, which one is right for you, and how you can use these certifications to improve your overall cybersecurity posture.
StrongDM manages and audits access to infrastructure.
- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
The first time I went through SOC 2 I wasted way too many hours on Google trying to figure out best practices. It drove me nuts how much was written without actually telling me anything actionable. Why wasn't there a simple summary to understand:
- How long will a SOC 2 Type 1 audit take?
- How much will SOC 2 Type 1 cost?
- What are the best practices for each policy?
Two years later, we decided to write our own. This is the first in a series of blog posts that answer each of those questions in detail.
🎉 Have you heard? StrongDM offers a free and completely self-paced online SOC 2 Course.
SOC 2 Type 1 vs. Type 2
If you are new to compliance, it’s easy to confuse SOC 2 Type 1 and SOC 2 Type 2. SOC 2 Type 1 is different from Type 2 in that a Type 1 assesses the design of security processes at a specific point in time, while a Type 2 report (also commonly written as “Type ii”) assesses how effective those controls are over time by observing operations for six months.
If that weren't confusing enough, SOC 2 is different than SOC 1, which focuses on an organization's financial statements and financial reporting. It's also different than SOC 3, which reports on the same information as SOC 2, but in a format intended for a more general audience.
Is SOC 2 a Requirement?
It is important to note that pursuing SOC 2 is voluntary and not necessarily motivated by compliance or other regulations, such as HIPAA or PCI-DSS. Many SaaS and cloud computing organizations, such as IT-managed service providers, want to demonstrate that they are properly protecting data within their data centers and information systems. It is also common for customers (known as user entities in SOC terminology) to reach out to partners and request results from an auditor's tests.
3 Steps Towards a SOC 2 Type 1 Certification
Step 1: Form Your Team
The first step in SOC 2 Type 1 is team formation.
Start with an executive sponsor who will lead the project and help navigate the office political landscape. Expect that at many points during the process you will step on someone's toes and insist their team changes its habits. When that time comes, you'll need a powerful advocate to overcome objections.
You will then need team leads from each department, including HR, Technology, Sales, etc…A lot of the burden will be shouldered by technology teams so, you will need a representative who understands how to enforce access controls to your most sensitive data, for example.
Because there is so much writing, you will need an author able to collaborate with each team lead and translate their business needs into policies.
If you have the budget, you may find it helpful to also include a compliance consultant. While it's not a requirement, that person's expertise can help avoid wasted time and effort. Just be sure they're appropriate for your team's size and stage. Too many times consultants propose overly complex policies more suited for teams with dedicated compliance teams and a lot more funding.
Step 2: Limit Scope
Once your team is formed, you will want to define scope.
SOC 2 reports are based on the Trust Services Criteria (renamed from Trust Service Principles in 2018) defined by the AICPA and report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. You will use these principles to guide and limit the scope of your audit. If your organization specializes in one particular service, perhaps only a small number of the Trust Services Principles will apply, and therefore your scope will be small. If your organization offers a variety of services, it makes sense to narrow the scope as much as possible. Work with your team to identify areas where the principles don't seem applicable. It is common for service organizations to have separate SOC reports for the various services they offer.
Once the scope is fully defined, you will write and refine policies. This is a large effort and needs to be led by someone senior on your team. The policies are intended to complement each other and create a system of checks and balances. You can avoid a lot of unnecessary technical work by rewording policies upfront.
We've created an open-source repo of SOC 2 templates for every single SOC 2 policy. You can download each and customize them to suit your specific business needs. They're 100% free.
Step 3: Implementation
At this point, you are ready for the implementation phase, which will identify any gaps you need to address with tools and procedures. Your goal during implementation shouldn't be perfection. Don't spend a lot of time arguing over policy details, but limit scope where you can and continue moving forward even if you have existing gaps. This phase shouldn't take more than two months. You will also select a firm to conduct the audit, and when you have a good idea of when the implementation phase will be complete, you can get your audit on the auditing firm's calendar. In the meantime, test the new procedures you've created and validate that tickets are being created and resolved appropriately. Additionally, ensure your new HR onboarding and offboarding procedures are being followed and documented.
When the specified date of the audit arrives, the audit team will commence testing, which typically includes interviews with staff, walkthroughs of your physical space, and a thorough review of your documentation before the audit report is created. Then, the results of the testing will be compiled, and the auditor will work with you to clarify any necessary exceptions. Finally, the SOC 2 Type 1 report will be generated.
In conclusion, SOC 2 Type 1 is a snapshot of an organization's controls and is a good starting point when working towards a SOC 2 Type 2, in which an auditor will assess the operating effectiveness of those controls over time. Learn how StrongDM makes SOC 2 compliance easier for high-growth startups or schedule a no BS demo today
About the Author
💙 this post?
Then get all that StrongDM goodness, right in your inbox.
You May Also Like
We recently completed our own SOC 2 audit, so we thought we’d review how we dogfooded our own product. We’ll share tips and tricks to make the audit process a little easier, whether you’re wrapping up your own or about to dive into the coming year’s audit. Here are the questions auditors asked us during our own SOC 2 audit and the commands and strongDM tooling we used to gather the evidence they requested.
As your organization pursues your SOC 2 certification, organization is critical. You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
Whether you’re looking to achieve SOC 2 compliance, or just want to learn more about it, your Googling is bound to lead you to a wealth of articles chock full of buzzwords and acronym soup. In this post, we will provide a guide with definitions, links and resources to gain a solid understanding of everything you need to know about SOC 2 audits.
