Ethical hacking experts say that companies in every field are increasingly outsourcing services such as data storage and application access to cloud service providers. In response, the American Institute of Certified Public Accountants (AICPA) established the Service Organization Controls (SOC) framework, a standard for controls that safeguard the privacy and confidentiality of information stored and processed in the cloud.
Organizations must meet the constant and changing demands of the environment in which their customers operate. If clients or prospects of one of these organizations request a SOC 2 report (an audit that measures the effectiveness of a service organization's controls against the AICPA Trust Services Principles and Criteria), preparing for it generally involves three steps:
Step 1: Readiness Assessment
A readiness assessment helps your organization prepare for a SOC 2 audit. Used as an internal assessment, this step gives your organization a roadmap for the audit by identifying your current controls against the SOC 2 requirements, identifying the gaps in those controls, and making recommendations to close the gaps that fit your specific business.
Step 2: SOC 2 Type 1 Report
After a readiness assessment, most organizations seek a SOC 2 Type 1 report. With this report, an organization's controls are assessed at a specific point in time. The advantage of the SOC 2 Type 1 report is that your organization can obtain a SOC 2 report as of a specific date rather than over an audit period (as with a SOC 2 Type 2 report). A Type 1 report acts as a snapshot of an organization's environment to determine and demonstrate whether controls are suitably designed and in place.
The SOC 2 Type 1 audit is also an opportunity to validate that the gaps identified during the readiness assessment were remediated and now meet SOC 2 audit standards. For example, if the readiness assessment discovered that system changes were not being documented, then during the SOC 2 Type 1 audit a recent system change will be selected to determine whether it followed the defined and documented change management process.
For a first-year report, ethical hacking specialists from the International Institute of Cyber Security recommend that organizations begin their compliance period with a Type 1 report and then move to a Type 2 report in the following year.
Step 3: SOC 2 Type 2 Report
For a SOC 2 Type 2 report, your organization's controls are evaluated over a period of time, typically a twelve-month review period. A SOC 2 Type 2 report acts as a historical review of an organization's systems to determine and demonstrate whether controls are designed and in place, and whether they operate effectively over time.
Since, according to ethical hacking experts, a Type 2 report is more comprehensive than a Type 1 report, it often gives customers a higher level of assurance and has become the standard expectation of customers and prospects. Thereafter, a SOC 2 Type 2 report is obtained annually.