• Stefan Bauer

SOC 2 Type II - What does it all mean?

Updated: Jan 26

SOC 2 Type II – Should You Care?

There is no day that goes by that you cannot pull from the headlines the next data breach, ransomware attack, or mis-used data. In today’s world, for many companies, “data as an asset” is far less of a slogan than the reality. Companies are built on the back of data, analytics, insights and strategy all fueled by data. A SOC 2 Type II audit can provide is assurance that despite all of the attacks that are out there, a company has taken the right steps to encrypt, backup, and protect your data in the very best ways possible. You can be assured that there is monitoring in place, employees are trained, access is controlled, and industry best practices are used for everything from change management to asset disposal. Building a data centric security first culture in a business can be challenging but having all of the policies/procedures in place that make for a successful SOC audit brings the importance and value of data management to everyone in the organization. By putting the security first, privacy and security lens on all we do; gives me the confidence that we are serving partners, students, families in the very best way that we can.

What is SOC 2 Compliance

SOC 2 is a compliance framework developed by the American Institute of CPA’s AICPA that specifically addresses the needs of organizations that store data. This means that virtually all SaaS providers and companies that handle any kind of customer data would benefit from the rigors of this type of approach.

SOC 2, while considered a technical audit, goes well beyond defining network diagrams, data flows and encryption techniques. The SOC 2 requires companies establish and follow information security policies that encompass everything from change management to process integrity and confidentiality of customer data. As companies rely more and more on data as an asset, environments are becoming increasing complex, and data is accessed from multiple locations; SOC 2 compliance is quickly moving from a recommended practice to a necessity.

As this audit, as will be performed by a CPA firm finding the right partner is important. This relationship is much more than a “vendor” this firm will need to truly understand your business, the goals, how information in handled throughout the organization and have a deep technical understanding of your environment. Additionally, once you invest that level of time with someone, the following SOC 2 Type II audits become part of the business routine, that if done well, with the spirit of partnership will truly enhance your security posture.

Type I vs Type II

The distinction is relatively simple SOC 2 audits come in two varieties SOC 2 Type I is a point in time audit, SOC 2 Type II is the same audit looking at performance over a period of time. A SOC 2 audit can be quite the daunting task if you are starting from ground zero – Type I ensures that you have all the policies, procedures, and processes in place that are needed. The point in time nature of the Type I allows for a tight iterative cycle to develop the documentation necessary to support the business practices in place. Once the Type I audit has been obtained, a quick follow-on with a Type II audit will show that those documented business processes, monitoring, anomaly detection and threat management are being put into practice on an ongoing basis.


The list of criteria involved in a SOC 2 audit is extensive. The AICPA document that outlines the trust service criteria that are used in the evaluation process, but also how these trust criteria extend to your third party relationships. The good news about applying a common set of criteria is that you know the chain of trust that can be extended and if a particular vendor can be included in that chain of trust or needs to be separately evaluated for security/process compliance. There are many areas of focus within this process all of which tie back to risk management and process controls. I would beak all of this down into a few categories.

Logical and Physical Access Controls

Much of what can be gained in security is simply limiting access to only the things that are needed for a function. That could be at the network level – separate the functions/servers/access to those networks that are needed. User access is limited to only the data that is needed for a given role.

System Operations

This category covers a lot of ground from system configuration and hardening to scanning for vulnerabilities and monitoring. This includes everything from server hardware, database configurations to end-user mobile device management.

Confidentiality and Privacy

Confidentiality addresses the companies’ ability to protect information designated as confidential from its collection or creation. Although confidentiality applies to various types of sensitive information, privacy applies only to personal information. For our purposes that has meant a strict segregation of PII data from analytical data with security controls, monitoring and alerting is in place at every level.