This article clarifies some of the terminology and processes around getting your SOC 2 Type 1 and Type 2 reports if you are a SaaS company.
What is SOC 2?
SOC stands for “service organization controls.” SOC 2 is a reporting framework developed by AICPA. It is not a security framework; AICPA sets the criteria, but there is flexibility in how you will meet them. It is a reporting framework, and only CPA firms are authorized to issue such reports.
With NIST, ISO 27001, and other security frameworks, you have specific controls you need to meet to become certified. SOC 2 gives you the flexibility to choose which controls you implement to satisfy a particular reporting criterion.
What are the market drivers, and what is SOC 2?
There are plenty of market drivers these days to get your SOC 2 report; the one to highlight is the increased risk of cyber-attacks for organizations. Larger organizations recognize that risk and demand that their suppliers comply with at least some basic IT security requirements.
AICPA came up with SOC 2 Type 1 and SOC 2 Type 2 reports, which attest to your compliance with these basic security controls.
You can then provide that SOC 2 report to your larger clients who might ask for it.
The main driver for the adoption of SOC 2 is the need to establish trust between a larger company and its suppliers or between two equal companies who want to do business together.
Companies wanting to do business with larger clients are asked to provide assurance about their information security and privacy programs.
SOC 2 allows you to provide that assurance when asked.
How do we scope the SOC 2 reporting project?
There are five trust service categories, of which security is the baseline.
The four additional categories, chosen based on client demands or industry expectations, are confidentiality, availability, processing integrity, and privacy.
We recommend that you at least start with security.
Which systems would be in scope for the reporting project?
SOC 2 gives you flexibility in choosing the systems in scope. Depending on your business, you can define what you consider an information system. It could be a computer, a server, a set of virtual servers, a cloud provider, or an entire data center.
What is a typical timeline to get your SOC 2 report in hand?
Most organizations can obtain their SOC 2 Type 1 report within three to six months, depending on the complexity of their internal business processes.
Your IT team is essential, as its availability determines how quickly the remediations for the gaps found during the initial gap assessment can be implemented.
Of course, if your business partner mandates that you obtain a report within six months, that is usually enough motivation to assign the business resources needed to achieve the goal.
Larger companies have grown tired of sending out and analyzing security questionnaires, and SOC 2 is one of the solutions they use to control third-party risk. There are alternatives, such as offloading the security questionnaires to third-party platforms or requiring compliance with ISO 27001, NIST, or HITRUST. Still, SOC 2 is a very efficient and relatively easy way to ensure the basics are covered, especially for software development companies.
As a vendor to such large companies, you have probably found it tedious to fill in security questionnaires non-stop; having a SOC 2 report to send instead will come as a relief.
The AICPA governs the SOC 2 framework. It is a reporting framework as opposed to a security framework.
There are five trust service categories. Security is the baseline of every SOC 2 report, but there are four additional categories that companies may choose to add.
Sometimes that choice will be based on industry norms, preferences, expectations, or client demands. The optional categories are:
- Confidentiality
- Availability
- Processing integrity
- Privacy
For a data center, availability is crucial to its customers, so it might want to include that category in its SOC 2 report. In the healthcare industry, privacy is paramount, and companies in that industry are expected to include the privacy category.
In FinTech, processing integrity is essential.
We often recommend that first-year companies start with security to get a foot in the door. This lets you build your security program first and then consider whether it makes sense to mature that program by adding categories over time.
Regarding the systems in scope, SOC 2 gives you flexibility because each company defines its own information system, and it is that information system that is reported on.
You might define your information system as your entire company, as a business unit within the company, or as a specific product. Some controls will apply to the entity as a whole.
The SOC 2 Readiness Assessment
A readiness assessment is where we help identify the gaps in your security controls, explain what would meet each requirement, and guide you on how to fix things.
For example, you may need to write policies or update a few processes. This is also where the nuance between Type 1 and Type 2 comes in.
After finishing the SOC 2 readiness assessment, most organizations are ready to obtain a report. What most organizations get in their first year is a SOC 2 Type 1, which is a point-in-time report.
You qualify for a report once all your controls are in place. If you have just finished a readiness assessment and the last piece of evidence shows you meet the minimum criteria, you can get your Type 1 report immediately.
But that typically is not enough. The marketplace expects you to get a SOC 2 Type 2 report, which usually covers a year.
In subsequent years, you then report on a twelve-month rolling period. One thing to note is that Type 2 is not a one-and-done exercise that you complete in a single year; it is an annual audit that you must refresh every year, going through the entire process each time. Your customers and clients are savvy about what they are looking for in those reports and usually ask for a refreshed report every year.
Be prepared to establish those processes and maintain them over time.
The readiness phase usually takes the most time and effort, both on your side and on the side of whoever is helping you get ready for a SOC 2 report.
Your auditor will sit down with you to understand the business, its drivers, and how security fits into it, and will then design controls to meet the AICPA criteria.
The most significant time commitment is the remediation phase, before you are ready for a report assessment.
Regarding readiness, consider what you need to get ready for. A hacking attack? Or an audit?
Both have the potential to disrupt your business. And the difference between success and failure is the level of customization you can get from your SOC 2 readiness assessment vendor.
Around 80% of all CPA firms that audit and report on SOC 2 do so without going to the effort of making sure you have adequate security controls; instead, they only make sure that you meet the bare minimum of the official requirements on paper.
One can’t blame these CPA firms – as most of their clients do not want to be secure, they want their report so they can do business faster.
If you try forcing the efforts to become truly secure on someone who does not want these efforts, you might end up losing the client and your time – and that is why most CPA firms don’t hire real security experts on staff; they go through checklists and provide their clients with template documents.
We chose not to go the easy route.
It might mean we lose 80% of all our potential clients, but in the long run, our reputation will be the true differentiator, and the value we bring to our clients will stand out. In the long run, our clients will win more business and remember who helped them do that.
You want to put in place a sustainable security program that you can maintain and manage, and that closely aligns with what you are already doing and with the direction of the business.
Most organizations that want a SOC 2 report have been issued a mandate by a partner saying, "You have six months or twelve months to get a report in hand."
As a planning factor, we recommend you give yourself three to six months to get your Type 1 report; the nuances of Type 1 versus Type 2 aside, that is a fair planning factor. We have seen companies go faster when motivated by a client deadline.
If you are one of the companies that knows the report is only something on the horizon and takes a more measured approach to implementing the needed controls, still plan for three to six months until you have your report in hand.
That timeline comes with a condition: you must work in parallel with your audit firm and with someone who helps you implement the controls identified in each audit meeting.
Typically, it is a three-step process.
The first step is getting the client ready through a gap analysis. Initially, most companies do not even know which controls they lack; they are unaware that these controls exist, let alone how to implement them.
That is why it is vital to go through a readiness assessment first.
A generic timeline for a SOC 2 project is displayed below:
The "readiness assessment" phase takes about six months. It is not the assessment itself that takes that long; the assessment takes around two weeks.
Once the assessment is done and we create an Information Security Program Plan for you, the real labor- and resource-intensive work begins: changing the way you have done things for decades.
New policies and procedures need to be written, put in place, and then actually followed by your people.
You will face resistance.
You may even face sabotage by your oldest, most trusted employees, who, if they leave, might cripple your business. We have seen that happen more than once and want to assure you – this is quite normal, and if you expect it, you can prepare countermeasures that would dissipate the pressure and redirect all that energy in the right direction.
After the initial SOC 2 readiness assessment, the client remediates all our findings. Then we do the SOC 2 Type 1 audit, and once you are done remediating the second batch of findings, you receive your Type 1 report.
Then you begin going through the SOC 2 Type 2 audit period.
It is called the audit period because you get small "assessments" throughout the year, essentially spot checks, so that we can determine whether you adhere to the SOC 2 requirements set by the AICPA.
With such long audit periods, we plan everything up front.
All our meetings are scheduled in advance for the first six months; then we do a mid-point audit and generate remediation suggestions, followed by a few follow-up meetings and spot checks. At the end of the year, we do one smaller audit and issue your SOC 2 Type 2 report for the year, which you can use for the following year.
And the process repeats itself.
You can see it as an ongoing cost of doing business with the clients who require SOC 2 Type 2 reports from their suppliers. Working with such clients usually brings you great projects, and it is more than worth the investment.
The final yearly check-in usually consists of a few days spent reviewing policies, gathering a little evidence, and confirming that the client is doing well on all security requirements.
Then we finalize the documentation and issue the SOC 2 Type 2 report.
The issue of transparency
If someone is pressing you to obtain a SOC 2 report and you are simply not ready for it, because your IT infrastructure is far from well protected, we suggest you be transparent about it with your client.
If they expect you to get the report in three months, but you cannot implement 300 changes across all your processes in less than six months, tell them so.
They will appreciate your honesty, especially if you immediately start working on your security and show them proof of this work.
An open conversation with all the impacted parties is usually the best way to find a path on which everyone achieves their objectives.
Many of our clients want to know in advance what kind of burden the work will place on their team, and not just the IT team but administrative personnel, too. The COO, CEO, and CFO must provide some, if not a lot, of the input to the audit questions.
And those questions often lead to administrative and procedural changes not just in IT but also in other departments of the company.
It typically takes five to six walkthrough meetings for us to understand your business well and to start advising on what needs to change so that you address real-life security risks and meet the AICPA SOC 2 requirements for your report.
Then the bulk of the effort comes with remediation. Initially, it is almost impossible to know how much remediation will be needed. As a standard estimate, some companies with more than a hundred employees and an extensive IT infrastructure need a full year before they can receive their Type 1 report.
Even if you start with the good intention of remediating all findings in three months, your team and the individuals assigned SOC 2 tasks will face constant interruptions from everyday business. These interruptions delay the project significantly. The only way to stick to the plan is to dedicate a set number of hours each day to SOC 2 efforts and accept that your other business areas will be put on the back burner for a while.
Finally, we get to the mother of all questions:
How much does it cost to go through a SOC 2 Readiness assessment, and how much does it cost to obtain your SOC 2 type 1 or type 2 report?
The short answer is always: it depends.
You expected that, didn’t you?
There are a few factors. Scope is the main driver: the number of locations, systems, or products that the SOC 2 report covers all influence the time needed to audit and remediate and, as a result, the price.
If you go with one of the Big Four accounting firms, you are often paying for the brand rather than for the nature of the work.
Sometimes that is exactly what a company needs, to reach the kind of clients who would not trust you unless a Big Four accounting firm was working with you.
But the important thing to consider is: do you need a SOC 2 report just because you need the report, or are you trying to implement an effective information security program?
Leaving aside Big Four prices, with most other CPA firms your budget for a SOC 2 Type 1 report should be between $30,000 and $50,000 per year (or up to five times more if a large firm does your audit and reporting).
If that sounds high, consider that hiring a good CISO costs around $200,000 a year.
Hire a security company such as Kloudwerk to help you with your SOC 2 Readiness assessment and create an Information Security program. You will get help with all remediations and save almost $100 000 compared to hiring a full-time CISO for the same amount of time.
Then, you would pay a CPA firm to do the audit and write a report for you, and you can start approaching clients who would not even talk with you without a SOC 2 report.
Landing even one of these clients can pay back your SOC 2 expenses, and what you spent securing your entire company, several times over.
And that is before counting the benefit of becoming resilient to hacking attacks and no longer worrying about losing your clients' data in a security breach.
Remember that CPA firms rarely hire brilliant cybersecurity experts on their team, as these experts prefer to work at security companies or large technology companies.
Accountants are great at reporting, so AICPA tasked only CPA firms with creating SOC 2 reports.
But remediation before your report is where the bulk of your resources and time will be spent. And you need the help of cybersecurity experts to ensure every remediation measure is effective against brilliant and persistent hackers, who have decades of experience breaching well-architected and well-executed defenses globally.