What is SOC 2 Type II? Why It Matters for Your Security

By Adrienne Fouts | June 8, 2021
What's the difference between SOC 2 Type I and Type II?

It feels like every other day, we read a news headline about another data breach or cyber attack. Large and small businesses alike, from any industry, are vulnerable. You know that protecting your company’s data is critical, especially when it comes to sharing that data with others, but navigating ever-changing security guidelines can be confusing. How can you ensure that your suppliers, vendors, and partners are committed to keeping your data secure?

One way to check whether a company’s systems are designed to protect your data is to ask for their SOC 2 Type II report. SOC, or System and Organization Controls, is a set of security standards created by the American Institute of Certified Public Accountants (AICPA). There isn’t a checklist of specific SOC requirements to meet. Instead, it’s up to each company to design their own systems and policies for protecting their users’ data.

During a SOC audit, an independent CPA firm reviews the organization’s internal controls and determines whether they meet the SOC standards. Then the organization can share the final audit report with current or potential customers, partners, etc. to build trust in their systems and handling of data.

What are the Types of SOC Reports?

There are different types and levels of SOC reports, each covering a different scope or set of standards. We’ll focus on SOC 2 Type II in this article, but here’s a quick overview of each type.

Types of SOC Reports

  • SOC 1: Reports on an organization’s controls related to users’ financial statements or reporting.
  • SOC 2: Reports on an organization’s controls related to security and other principles named in the SOC 2 framework (the Trust Service Principles, which we’ll describe later).
  • SOC 3: Reports on the same controls as SOC 2, but is a simplified, high-level overview that can be shared with anyone.

There are also a couple of newer types of SOC reports introduced in the past few years: SOC for Cybersecurity and SOC for Supply Chain. These are more specific to cybersecurity and supply chain risk management policies, and include overlap with SOC 2 criteria.

Levels of SOC Reports

  • Type I: Tests that the controls are designed properly as of a specific point in time.
  • Type II: Tests the controls’ design and operating effectiveness over a period of time.

How Does SOC 2 Type II Work?

A SOC 2 Type II report attests that an organization’s internal controls have been audited over time to prove that they are designed and operating effectively to keep user data secure.

SOC 2 is designed for service organizations from any industry that store customer data in the cloud: data hosting or processing, cloud storage, Software as a Service (SaaS) companies, etc.

SOC 2 Type II is the most comprehensive of the SOC reports because it tests the functionality of an organization’s security systems and other controls over a longer period of time, often several months. Type I reports only review the design of the controls at one point in time, so they can’t actually demonstrate that the controls are working as intended over time.

Questions to ask about your software's security: What type of SOC report should I ask for?

SOC 2 Type II Requirements

To allow companies to develop systems that fit their unique processes and risks, SOC 2 doesn’t include a list of specific requirements to meet. Instead, SOC 2 includes general criteria for protecting customer data called the Trust Services Principles, which are used as guidelines for evaluating and reporting on the organization’s controls:

  1. Security: Has the organization taken measures to protect the data it has access to?
  2. Availability: Are the organization’s systems available for use by customers, partners, etc as agreed upon?
  3. Processing Integrity: Is data processed completely and accurately, and are checks in place to identify and correct errors?
  4. Confidentiality: Is confidential data used, stored, transferred, and deleted properly?
  5. Privacy: Is personal information protected as agreed between the user and the organization?

Organizations undergoing SOC 2 audits are required to cover the Security principle in their report, which shows that they have implemented thorough data protection policies such as intrusion detection, network or application firewalls, multi-factor authentication, etc. From there, the organization chooses which of the other Trust Services Principles to include in its SOC 2 audit, depending on which ones are relevant to their business. Throughout the exam period, the auditor reviews and tests the organization’s systems to make sure they are designed and working properly to meet the chosen SOC 2 principles.

SOC 2 Type II Audit Process

This is the typical process for organizations going through a SOC 2 audit:

  1. Choose an independent auditor (CPA firm) with experience in information security audits.
  2. Plan the details of the SOC exam with the auditor: type and level of report, scope, exam time period, etc.
  3. Conduct a readiness assessment to review the controls already in place and where there are gaps to address before the exam.
  4. The auditor conducts the SOC 2 Type II exam over the agreed upon period of time and creates the final report with their opinion.

What's Included in a SOC 2 Type II Report?

The outcome of a SOC 2 Type II exam is the auditor’s report. The report includes descriptions of the organization’s systems, processes, and controls for addressing security and the other Trust Services Principles. It also includes the auditor’s opinion about the controls’ design and functionality.

Ideally, the auditor’s opinion will state that the organization’s controls are suitably designed and operating effectively over the period of time they were examined (this is sometimes called an “unqualified” or “unmodified” opinion). A less ideal scenario would be if the auditor finds a few things out of place (such as missing or misleading information, or a process not working as intended), or worse, that there are pervasive issues with the controls.

If all goes well, the organization can share their clean SOC 2 report with current or potential customers, partners, etc, to answer questions about their security measures and how user data is handled.

Why Should You Care About SOC 2 Type II?

With the increasing number of hacks and data breaches we’re seeing today, it’s more important than ever to ensure your company’s data is protected. Checking whether the vendors, suppliers, and other companies you share your data with have gone through a SOC 2 Type II audit can help mitigate these risks. While a clean SOC 2 Type II report isn’t a guarantee that your data will never be compromised, it’s an assurance that the organization has comprehensive security measures in place to keep your data protected.

If you work with defense-related items or data, you may need to follow ITAR security requirements. Learn more about ITAR and get a free compliance checklist.

Get my ITAR checklist