How audit results demonstrate compliance to clients.
SOC 2 compliance reports have become the industry standard for cybersecurity in cloud computing. These reports, compiled by certified public accountants, are the result of a rigorous audit of a company’s tools and provide potential clients with immediate insight into the company’s commitment to security, service availability, data integrity, confidentiality, and privacy. A positive report can unlock new opportunities for your business, but earning satisfactory results can be arduous. Here’s what you need to know about receiving a SOC 2 compliance report for your company.
What Is a SOC 2 Compliance Report?
The SOC (Systems and Organization Controls) standard was developed in 2010 by the American Institute of Public Accountants (AICPA) to protect customer data in cloud computing and software-as-a-service contexts. An audit following this standard evaluates a business according to five Trust Service Criteria (TSC):
Security: The protection of system resources against unauthorized access.
Availability: The accessibility of the system as stipulated by a contract or service level agreement.
Processing Integrity: The system’s ability to deliver the right data at the right time, as intended.
Confidentiality: The restriction of data access or disclosure to a specified set of personnel or organizations.
Privacy: The collection, use, retention, disclosure, and disposal of personal information according to the AICPA’s Generally Accepted Principles and Practices (GAPP).
The Security criterion applies to every audited business; the remaining four TSC are included or excluded according to the systems being audited. Exactly which TSC fall within the scope of your SOC 2 compliance report will depend on your systems and can be determined through self-assessment or with the help of a consultant or auditor.
There are two types of audits performed under this standard: Type 1 and Type 2. Type 1 examines the controls and protocols in use at a business to determine whether their design meets SOC 2 standards. Type 2 goes one step further by actually testing those controls, examining their operating effectiveness, and interviewing relevant personnel across a set period of time. A SOC 2 Type 2 audit takes longer to perform — typically 3-6 months in total — but a SOC 2 Type 2 compliance report is generally what clients hope to see when reviewing a business’s security systems. Type 2 audits must be repeated every 6-12 months to demonstrate continued compliance.
To learn how DuploCloud can help you achieve SOC 2 compliance in less time, read our whitepaper.
SOC 2 Compliance Report Structure
A SOC 2 compliance report typically includes five discrete sections:
Section 1 is the auditor’s summary of the audit process. It consists of a brief description of the systems being audited, the auditor’s responsibilities, the responsibilities of the company being audited, the limitations of the audit, and, most crucially, the auditor’s opinion. This is often the most-read section for prospective clients, as it contains the audit result.
In Section 2, the company being audited summarizes its own systems to confirm it and the auditor are on the same page regarding what has been examined.
Section 3 contains a detailed description of all relevant systems, including personnel, roles, and responsibilities. Each system component is grouped within its relevant TSC.
In Section 4, the auditor describes the tests they ran on each system and gives their opinion on the individual results.
Section 5 is a catchall for other information, such as the company’s responses to individual tests in Section 4.
When Do I Need a SOC 2 Compliance Report?
SOC 2 compliance reports exist to provide customers of cloud and SaaS businesses with an exhaustive review of your commitment to security, assuring them that their data won’t be misused or accessed by bad actors and that your systems will work as intended whenever called upon. They indicate to customers that your business takes security seriously and is protected against data breaches that, in 2021, cost companies an average of $4.24 million per breach. Some enterprise-level clients will only work with businesses that have received SOC 2 compliance reports.
Although you could wait for a client to require you to undergo a SOC 2 Type 2 audit, doing so would put you months away from actually winning that business. Targeting SOC 2 compliance early makes it easier to change your tools and processes to meet SOC 2 standards. Plus, the earlier your business receives a satisfactory SOC 2 compliance report, and the longer it maintains that compliance, the more you’ll demonstrate how seriously you take your system integrity. That can be a significant draw for clients.
How Does SOC 2 Compliance Work with Infrastructure Vendors?
If your business partners with a cloud infrastructure vendor such as Amazon Web Services or Google Cloud Platform, you’ll have a slightly different experience working toward SOC 2 compliance. Each vendor provides different levels of assistance for documenting and demonstrating compliance according to the relevant TSC.
Amazon Web Services
AWS provides a prebuilt framework aligned with SOC 2 standards, including controls and the descriptions and testing procedures for each.
Amazon’s Audit Manager can assess the AWS tools you’re using and collect relevant SOC 2 audit materials.
You’ll need to create your own documentation for tools outside the AWS framework.
AWS undergoes SOC 2 Type 2 audits twice yearly. The AWS SOC 2 compliance report can also be found in the Audit Manager.
AWS receiving a successful SOC 2 compliance report does not make your business SOC 2 compliant or guarantee a successful SOC 2 audit for your business; the controls you build on top of AWS remain your responsibility.
Google Cloud Platform
GCP provides documentation for its tools, but does not offer assistance in acquiring SOC 2 compliance beyond the scope of those tools.
GCP undergoes SOC 2 Type 2 audits twice a year, releasing reports in April and October.
Businesses can access these reports through Google’s Compliance Reports Manager site, and can show them to clients, but downloading reports requires signing in with a Google Cloud or Google Workspace account.
Google issues bridge letters in December, March, and June to cover the months between report releases, but obtaining a bridge letter requires contacting Google’s sales team.
Microsoft Azure
Azure provides documentation for its tools, but does not offer assistance in acquiring SOC 2 compliance beyond the scope of those tools.
Microsoft releases Azure SOC 2 compliance reports semi-annually — around six weeks after March 31 and Sept. 30.
Dynamics 365, Microsoft 365, and Power Platform are also within the scope of those reports.
Microsoft issues bridge letters during the first week of each quarter.
A subscription or free trial is required to access these documents.
Reports are stored on Microsoft’s website and in the Azure portal.
How Can DuploCloud Help With SOC 2 Compliance?
With DuploCloud, you can benefit from low- and no-code cloud deployment and infrastructure. That means automated provisioning and orchestration across network, compute, storage, containers, cloud-native services, and CI/CD. Our platform is designed with SOC 2 compliance in mind, and it targets the five TSC with features such as data encryption, role-based access controls, antivirus and anti-malware protections, performance monitoring, and more. With all these tools pre-built and documented to SOC 2 standards, you'll save time and money meeting those requirements and earning a successful SOC 2 compliance report.
To learn more about how working with DuploCloud can give you a head start on SOC 2 certification, read our whitepaper.