SOC 2 Resource Library

Resources to Help You Manage your SOC 2 Program.

Our Partners

Code in Motion

A U.K.-based consultancy offering pragmatic security consulting for small businesses,  ISO 27001 implementations, Microsoft 365 Security, and Security Audits.

Optimize Cyber

Utilizes a background of deep technical knowledge to offer a Rapid Security Audit, Guided Security Optimization, or Penetration Testing services.

Blaze Information Security

Penetration testing services including application security, network security, or cloud security.

Core Business Solutions

ISO consultants specializing in getting and keeping you ready for ISO 9001, ISO 27001, and more. Also assist in preparing for  CMMI, NIST/CMMC, SOC 2, and more.

Paramify

A platform built to Automate Compliance Documentation, specializing in generating POAM and SSP documentation for FedRAMP, StateRAMP, and CMMC.

Kordon.app

The straightforward GRC platform. An Estonian-based SaaS company offering risk management, asset inventory, policy management, and control and audit management modules.

Download me 

Have a Read...

Get email updates on new resources! Enter your email below.

Rest assured, we won’t flood your inbox – we’ll send updates, no more than once a week.

SOC 2 FAQs

Many companies rely on third parties to provide services, and in doing so they expose themselves to risk. For example, if a hospital uses a data center to store PHI, how can it trust that the data center will do its job to protect the PHI?

These companies may request a SOC 2 report from the third party,  which supports their risk assessment of the third party and helps them know if it can be trusted to protect such data or provide such services. So in this example, a hospital would request a SOC 2 report from a data center. 

The SOC 2 timeline depends highly on the complexity and maturity of your control environment, your motivation to get it done, and on who you select as the auditor.

For simpler environments and highly organized/motivated companies, the SOC 2 exam could last as short as 4 weeks. For more complex, or less organized/motivated companies, the process could take 6 months.

It involves the following major milestones:

  • Defining the scope of the system
  • Defining the controls that meet the SOC 2 criteria
  • Drafting the Description of the System (section within the SOC report)
  • Providing Evidence to the Auditor
  • Auditor Drafts and Issues the final report

A Type 1 exam assesses the description and controls as of a point in time. 

A Type 2 exam assesses the description and controls over a period of time.

Most entities that request a SOC 2 report will be looking for a Type 2 report. 

However, many undergoing SOC 2 for the first time choose to start with a Type 1 exam. This allows them to quickly issue a report to their dependent users as soon as they have reached an acceptable level of security and compliance. Then, they might choose to complete a Type 2 exam just 3 months later if the need is more urgent, or wait a full 12 months. 

 

No. While SOC 2 is a highly popular report for companies doing business in the United States, the ISO 27001 is a standard and/or certification used more often by European companies.

Besides the standards for each being published by separate regulating bodies, and separate project timelines, while ISO 27001 is primarily about evaluating that you have a program in place, SOC 2 (Type 2) will evaluate whether the security controls identified actually operated over a time period.

The SOC 1 exam covers controls relevant to Financial Reporting, whereas the SOC 2 exam covers controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

One significant difference between the two reports practically is that SOC 1 controls are required to support Control Objectives, which are defined by you. Whereas the SOC 2 controls must support the standard criteria defined by the AICPA.

No.

As a licensed CPA firm, we are held to strict independence standards in order to perform attestation engagements.

Basically, we can’t audit our own work.

We could provide Gap Assessments, where we essentially do an ‘audit-lite’ and report on the results you might expect. But we can’t assist in implementing SOC 2 controls.

Let's Work Together