Talk to Me About SOC 2 Like a Child

by Trava, Cyber Risk Management

What is SOC 2? And how does it affect the processes and protections of corporate cybersecurity?

Don't know where to start?

Between the overt lack of understanding over the scope of cybersecurity or the overwhelming worry about the consequences of a breach, it's not surprising that many people find cybersecurity to be intimidating. SOC 2 is the current path forward to counter attempts of cyber crime.

But what is SOC 2? And how does it affect the processes and protections of corporate cybersecurity?

Let's Talk SOC 2

Service Organization Control 2, or SOC 2, is a set of regulations and standards created by a third party, that allow corporations the ability to choose what add-ons they want for their control areas, which are privacy, availability, processing integrity and confidentiality. Of course, most people start with the security factor.

But since security and compliance are different, this standard directs the organization in the best practices in order to not get hit with cyber crime. Granted, that may still seem a bit confusing, so how do we lay it out in a better way? Imagine it's a puzzle, and you're in charge of putting all the pieces together correctly to build some sort of program or process that gives current and potential clients that you're doing something with regards to security. And while you're not doing everything, the level of satisfaction is reassuring to anyone looking at your security posture. 

Learn more about this topic by listening to The Tea on Cybersecurity, a Trava podcast.

Why Have SOC 2 Certification?

The simple answer: Certification creates a sense of security, no pun intended.

The longer answer, of course, is that it can show the ability to mitigate risk. Whether you take on a new company, as a client or an acquisition, you are also absorbing their risks. And their level of security, or lack thereof, will determine the number and size of any open flaws they have. With the SOC 2 certification, you're able to provide reassurance that there's protection in place that will secure the data they will be providing to you. Because when the transfer begins, when their data starts crossing over, there's potential for liability issues and many people could lose money or severely damage their reputation with their customers.

Which can be understandably scary.

Security vs. Compliance

When it comes to the difference between security and compliance...Compliance is a set of standards and regulations--rules--that people have to follow. But the creators of these rules are just a third party. Given how many different compliance frameworks and certifications exist, it's understandable that they will look a little different, use different acronyms. This standard of compliance can accommodate those differences, depending on who you're talking to. In some cases the compliance includes the security factor within those frameworks.

Compliance is not security, but they are interwoven in a way.

SOC 2, for example, deals a lot with security, requiring you to emplace security controls. While it's worth mentioning there are four other important areas, this one starts at operations and mechanisms in different ways. Whether it's the technology or your standard operating procedures, the focus remains on the overall security of the system.

Security Controls

Whether it's your technology or your procedures, there should be mechanisms in place to provide adequate protection against cyber threats. But what are examples of security controls? Two of the easiest are antivirus software (tech) and data backups (procedure).

Antivirus software is not a one-size-fits-all control, and what you choose must be the best fit for your company's mission requirements. This software must be maintained and patched to ensure that it continues to provide the service for which it is intended. Data backups are crucial to not only the security of the data but the integrity.

As a customer, imagine logging into a software program only to find that the company paid to maintain said software lost all the data and progress you had input over the life of the contract. That would be pretty alarming, and that company would stand to lose a lot of money due to their failure to protect the system.

Other Security Frameworks

So aside from SOC 2, you often hear about ISO 27001. Along with the recently released version, ISO 27002, this is another security framework that really focuses on security. One of the other frameworks that is privacy-related is the European privacy framework names GDPR. It ensures that consumer data is kept private and provides different options to expunge your data.

California has one, too, called CCPA. States like Colorado and Virginia, among others, are seeking to standing up their own privacy frameworks as well.

" leaves that big, open question: at what point is it going to be something federally regulated?"

Marie Joseph
Sr. Security Solutions Engineer,

SOC 2 vs ISO

The biggest difference between SOC 2 and ISO is location. SOC 2 is North American-based, while ISO is an international security framework. So if your business focuses on North American clients, then SOC 2 is the perfect place to start. But if your base reaches outside of North America, or you know you will be expanding to Europe and beyond, ISO is pretty common.

SOC 2: Type 1 and Type 2

SOC 2 comes in two flavors: Type 1 and Type 2. Type 1 takes a screenshot of your whole system for auditors to review. This snapshot displays the system as it stands, frozen in place, in a specific point of time. Type 2 goes beyond the screenshot and presses play, to look at the active system in 3-12 month intervals, which ensures that the controls that you've put in place actually work when tested. Auditors can test each month separately and/or take different tests out every month.

Compliance Timeline

If your company hasn't been thinking about it, now is the best time to start. Using a 'certification readiness', you can be constantly ready to be certified, whether it's SOC 2 or another form of compliance. This ensures that any prospect that comes along asking for certification will be impressed that you have readiness for certification. This confirmation that you can get certification quickly or begin the process of certification easily, because you're ready, presents a more professional look than the alternative of 'we haven't really thought about it'.

The sooner you start the implementation, the better, but also, cost-wise, a slow, purposeful implementation of those controls tends to go over well.

It's never too early to engage in compliance. This holds true for all cybersecurity.

"...if you want to be better and more secure, you might as well just start now. Because the little pieces you do will add as you climb up that ladder."

Marie Joseph
Sr. Security Solutions Engineer,

Cap or Continuous?

Continuous monitoring is a real thing. Since the security landscape is always changing, certifications require renewals, typically on a one-to-three-year cycle, which allows auditors ample time to check before you renew. The standards might change, but sometimes those changes are nominal, like names on the controls or a adjustment to the current set up if the third party for the compliance framework decides to change it. But it never really ends. It just evolves.

Final Thoughts

Remember, compliance and security are separate but intertwined entities. Compliance is the set of rules to practice security and frameworks like SOC 2 and ISO 27002 are the systems that put those rules into play. The most important factor, however, is that this should not only be on your radar but in your agenda as soon as possible to create a system that allows you to mitigate risks, both internal and absorbed.

Learn how Trava helped customers through their compliance journeys.


Get cybersecurity tips, articles, and videos sent straight to your inbox