When reading about SaaS technology, you’ll often see mentions of SOC2 compliance. You’ll hear that it’s a key measure of trust and that no software vendor should be without it. So, what exactly is SOC2 certification, how do you get it, and how does it relate to trust?
Below, you’ll find the answers to these and other questions.
What is SOC2?
Simply put, SOC2, short for System and Organization Controls, is a certification awarded by the American Institute of Certified Public Accountants (AICPA) to software providers. It certifies a system’s ability to secure and protect its clients’ data according to a set of parameters or principles.
These principles, known as the Trust Service Categories (TSC), consist of five mutually-dependent dimensions of the security and good functioning of a platform. They are:
- Processing integrity
In the next section, we’ll break down the meaning of each category.
How do you get a SOC2 compliance certificate?
For your software service to become SOC 2-certified, you’ll need to undergo an audit by a certified public accountant (CPA). This process is called an attestation engagement. An unbiased third-party auditor will provide a series of reports covering risk assessment and the service control environment.
To that, the auditor will test the system alongside the dimensions of the five TSC.
Security relates to the protection of all information processed within a system. It also refers to the ease of access to the system itself.
Because none of the other four dimensions can really function without first being secure, the several criteria that go into this category are known as the ‘common criteria’. That is, they are common to all categories.
To report on the system’s security, the auditor will test:
- Access controls: are both the system and the data protected against unauthorized access? This includes aspects such as firewalls, multiple-factor authentication, and file encryption.
- Breach warning: if an attack to the system comes through, will the intrusion be immediately detected and proper personnel alerted? This is a key criteria, since the response time to a data breach will often determine the seriousness of an attack.
Ideally, a system should provide detailed reports on breaches, including the precise duration and origin of an attack, files impacted, etc.
This category deals with system maintenance and recovery. For a system to be considered available, it is not enough to prove its ability to function well over a period of time. It should also be able to respond to anomalous events with speed and efficiency.
With that in mind, availability includes reports on incident management and disaster recovery capabilities, as well as performance monitoring.
3. Processing integrity
In this dimension, the auditor aims to answer the question, “How well does the system work toward its goal?”
Essentially, processing integrity describes whether a system’s processes deliver their services in a “complete, valid, accurate, timely, and authorized” manner.
The confidentiality category determines how well the system protects information deemed as confidential.
As defined by the AICPA, information is confidential if its holder is required (by law or by agreement stipulations) to limit its access to certain specific parties — and that could include an in-system limitation where not all users have the authorization to access it.
Although sometimes confused with confidentiality, privacy is a different category insofar as it applies to personal information (as opposed to sensitive information).
Privacy consists of eight criteria, including aspects such as:
- Notice of objectives: users are informed about a company’s aims regarding their data’s privacy.
- Choice and consent: the user must consent to, and is given alternatives to limit or refuse, the treatment of his data as specified by the system.
- Access: the system provides users with access to their personal data, as well as the ability to have their data reviewed and corrected.
What are the different types of SOC certifications?
There is often a degree of confusion regarding the different SOC attestations. People often ask things like: “Is SOC2 better than SOC1? How about SOC3?”
The answer to this is simple: no one certification is better — they are just different. Each of these certifications serves a given purpose:
- SOC1 targets services that host exclusively financial data reports
- SOC2 provides a detailed report on service controls over information systems
- SOC3 deals with the same security aspects as SOC2 but is more of a summary. It provides brief reports that can be posted publicly and therefore tend to be connected to a company marketing effort
How about Types 1 and 2?
Right, so this is a key distinction. You can obtain either a Type 1 or Type 2 SOC2 attestation, and in this case, Type 2 is indeed the more complete option.
That’s because Type 1 simply certifies that your service has what it takes to perform its objectives according to the five TSC. On the other hand, a Type 2 certification means the audit was conducted over a prolonged period and certifies to the operating effectiveness of the controls. Simply put, that means the auditor confirms that the controls do deliver as promised.
Why is SOC2 compliance so important for virtual boardroom providers?
Strictly speaking, SOC2 compliance is not a legal requirement for board software vendors. But, in actual fact, no boardroom provider worth its salt would dream of going without it.
Can you put a price on data safety?
Operating through a board portal, companies share their most sensitive data across the internet.
Contracts and agreements are typically not something you want the world to pore over. Then what about confidential employee information, company projects, and internal reports? The need for the confidential handling of company data spans the whole corporate spectrum.
The are many threats
More and more, companies want to be sure the security they are paying for is legitimate. Given the current scenario — and what the future likely holds in store — it’s no wonder that there’s increased demand for security.
This is, after all, 2021. Cyber-attacks have been on the rise, fueled to no small degree by the increase in remote work, with all the vulnerabilities it brings. In 2020, the average cost of a data breach increased 10% to $4.2 million. Experts estimate that the overall cost of cybercrime will reach a whopping $10.5 trillion by 2025.
However, it’s not all about data breaches: ransomware, or the holding of information hostage, has also grown exponentially. The threats are many.
A seal of trust
With boardroom providers competing in a crowded market where security is paramount, it is no longer enough to offer a secure system — you have to prove its ability to everyone’s satisfaction.
This is where the SOC2 certification comes in — you are essentially telling your clients loud and clear: “We are reliable. We have what it takes to keep your data safe and secure.”
Why should you care about SOC2? Because, in a world where trustworthy information is hard to come by, SOC2 is more than just a certification of quality — it’s a crucial seal of trust.
And that is not something you can bargain for.
2. Morgan, Steven. “Cybercrime To Cost The World $10.5 Trillion Annually By 2025?” Cybercrime Magazine.
3. PurpleSec.us. “Cybercrime Up 600% Due To COVID-19 Pandemic.” PurpleSec LLC.
4. Kovacs, Eduard. “IBM: Average Cost of Data Breach Exceeds $4.2 Million.” Security Week.
5. Group-IB.com. “Ransomware Uncovered 2020/2021.” Group-IB.