SOC 2 - Value Added Proposition

What is the real value of SOC 2 Compliance?

Major companies that outsource aspects of their data information operations can’t risk using vendors who don’t rigorously protect sensitive information. That’s why many organizations now demand that their vendors become SOC 2 compliant, a designation that demonstrates strict adherence to IT security.

SOC 2 is an auditing procedure that ensures third-party vendors are securely managing data to protect the interests of your organization and the privacy of your clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.

Achieving SOC 2 compliance means vendors have established practices with required levels of oversight across their organization to protect data. For example, they are engaging in practices such as monitoring for unusual system activity, for unauthorized system configuration changes, and abuse of user access levels.

A SOC 2 report provides assurance about the effectiveness of controls in place relevant to the security, availability, or processing integrity of the system used to process data, or the confidentiality or privacy of that information. It is a rigorous evaluation led by an independent licensed CPA and Information Security expert who reviews  process documentation and policies, makes detailed onsite observations and conducts tests.

We encourage all our customers to require their third-party vendors to pass a SOC 2 audit. If a SOC 2 audit is not in place, at a minimum SaaS partners should be willing to discuss their documentation and processes designed to protect client data and information.

Third-party vendors that undergo a SOC 2 audit demonstrate their commitment to IT security to a broader group of stakeholders. As threats and attacks against computer resources continue to evolve, senior managers gain assurance that their data is protected. This is important because while a company can outsource a function of IT security, it cannot evade responsibility for it.

A SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the American Institute of Certified Public Accountant’s so-called “Trust Services Criteria.” They are:

  • Security - addresses systems and data protection against unauthorized physical and logical access. Security is the only required criteria, also called the "common criteria."
  • Availability - addresses how systems and data are accessible as agreed upon in the service organization's service level agreements and objectives.
  • Processing Integrity - addresses how system processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality - addresses how confidential information is protected.
  • Privacy - addresses how personal information is collected, used, retained, disclosed, and destroyed per commitments in the privacy notice.

By benchmarking third-party vendors against published principles from a recognized standards organization such as AICPA, both the vendor’s management and their customers gain visibility into the IT security control environment, as evaluated by an independent party.

We strongly believe the advantages of obtaining a SOC 2 report far outweigh the initial investment.  When a vendor undergoes a SOC 2 audit, it demonstrates that they are invested in providing secure services and ensuring that their clients’ information security assets remain protected. This, in turn, enhances the vendor´s reputation, business continuity, competitive advantage, and branding.

Some reasons to perform a SOC 2 include:

  • Customer demand. Protecting data from unauthorized access and theft is a priority for customers. Without a SOC 2 attestation, you could lose business.
  • Competitive advantage. Having a SOC 2 report in hand gives your business the edge over competitors who cannot show compliance.
  • Marketing differentiator. Organizations that are concerned with security are more likely to become customers if you can provide a SOC 2 report, which shows that you are applying best practices for implementing and reporting on control systems.  Getting a SOC 2 report can differentiate your organization from other companies in the marketplace that have not made as significant an investment of time and capital. You can market your adherence to rigorous standards while others cannot.
  • Regulatory compliance. Because SOC 2’s requirements dovetail with other frameworks including HIPAA and ISO 27001, attaining certification can speed your organization’s overall compliance efforts.
  • Added Value. A SOC 2 report provides valuable insights into your organization’s risk and security posture, vendor management, internal controls governance, regulatory oversight, and more.

SOC 2 compliance isn’t always required, but it is always advantageous.

ERMProtect's Weekly Newsletter

Get a curated briefing of the week's biggest cyber news every Friday.

Stop Phishing Attacks with ERMProtect's Security Awareness Training

Turn your employees into a human firewall with our innovative Security Awareness Training.

Our e-learning modules take the boring out of security training.

Intelligence and Insights

Effective Cyber Security Awareness Training for Employees in 2020

Effective Cyber Security Awareness Training for Employees in 2020

Cybersecurity is no longer a technical problem. It’s a people problem. And ensuring that people have the know-how to defend themselves and their organization against threats is a critical component of a robust cybersecurity program …
SOC 2 - Value Added Proposition

What is the real value of SOC 2 Compliance?

Major companies that outsource aspects of their data information operations can’t risk using vendors who don’t rigorously protect sensitive information. That’s why many organizations now demand that their vendors become SOC 2 compliant, a designation …
PCI DSS v4.0 – What you need to know now

PCI DSS v4.0 – What you need to know now

Some clients are already asking what to expect when the next version of the Payment Card Industry Data Security Standard is released next year. That’s no surprise, since decisions that are being made now by …