FAQ Category: FAQs • SOC 2

The availability criteria addresses how you go about ensuring the in-scope data and systems stay online and recoverability should go awry.

There are a lot of factors that go into responding to this question. There are audit, consulting, software, internal resources, and other factors to consider which can easily grow from $30,000 to $200,000 depending on how the effort is accounted for.

The five SOC 2 criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 2 is not a certification, it’s a third party attestation of the controls in place at your organization. Typically when a company is asking this question though the answer is you start by understanding your scope (the system, SOC 2 categories, etc.), performing a readiness assessment, and then undergoing either a Type 1 and/or Type 2 assessment by a CPA firm. You’ll end up with a detailed report stating the effectiveness of your controls, which, ultimately is what someone would refer to as being SOC 2 certified.

SOC 2 Type II audits should be performed annually, however, there are times you may choose to perform them twice a year. Additionally, if recently completing a SOC 2 Type I, performing a SOC 2 Type II a few months later is also very common. 

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become a key component of monitoring for potential security and compliance risks when outsourcing functions that use a third party’s data.

Depending on the size of your Company, you could look to another small business owner in a similar situation or trusted advisor to sit on each others board’s and create the necessary segregation. As always, consult with your auditor before taking any structural changes.

Assuming your Company is subject to GDPR, the level of effort depends a lot on the maturity of Organizational and Privacy controls. The Organizational will be mostly met by implementation of the related latest SOC 2 updates, which is good. However, if you are not currently including Privacy in your SOC 2, and do not have a strong privacy program in place, there will be a moderate level of short term effort required. It should take approximately 2 to 3 months in collaboration with your Auditor to perform a readiness assessment of the specific GDPR requirements and implement said updates for most Company’s. The upside of being required to implement GDPR is that there would be minimal effort to include Privacy and references to any unique GDPR requirements within future SOC 2 reports.

The Service and Organization Controls 2 Report, formally known as a Service Organization Controls Report as of the most recent update to the SSAE 18 audit standard. A SOC 2 report can cover the design (type 1 report) or operating effectiveness (type 2 report) of controls around a Company’s system over any number of categories, including, Security, Availability, Confidentiality, Processing Integrity, and/or Privacy. See our more detailed SOC 2 Report page for more information.