Many of you who are in the field providing technology services might have faced this question from a customer: “Are you SOC 2 compliant?”

I have come across a few instances recently where companies are aware but not sure what to do about it. Let’s understand it.

SOC stands for System and Organization Controls, aka Service Organization Controls, and is defined by the American Institute of Certified Public Accountants (AICPA). A SOC report is an audit report on a service organization’s internal controls over its information technology systems. The audit covers five trust service principles: security, availability, confidentiality, processing integrity, and privacy. Although these are just five words, they contain a whole world of access control, authentication and authorization, encryption, network firewalls, monitoring, incident handling, performance, disaster recovery (DR), and quality assurance.

There are two types of SOC report. Type I is about the design of the controls, and Type II is about the operational effectiveness of those controls.

So far, so good. What do I need to do to make my company SOC 2 compliant?

You need to start with a readiness assessment. In that process, you hire an experienced auditor, preferably a SOC 2 certified auditor, who will generate a report explaining where you might fall short of being SOC 2 compliant. Once you are aware of the gaps, you need to plan to fill them. I suggest doing another readiness assessment after filling in the gaps, so that you have a favorable report before going for the final audit to get certified.

The final SOC 2 audit is generally done by a qualified CPA or an agency accredited by the AICPA. This process can cost you a few grand (in USD) for each type, plus the cost of the readiness assessments, but it has much bigger returns in client success stories. A SOC 2 report usually does not expire, but given the amount of change in systems these days, it is best to repeat the audit every 12 months.

Given that this is going to be an ongoing effort for the success of your business, I recommend setting up an automated compliance system in which every change is monitored and flagged against the Trust Service Principles, and an ongoing report is generated for review and action.