You’ve probably heard it said that today ”every company is a technology company.” One practical side effect of that phenomenon is that every company finds itself the protector of sensitive data.

As such, companies are more and more finding themselves facing requirements from customers to prove that sensitive data is handled securely.

One common method to obtain this assurance is through a Security Questionnaire, but there are other methods, including a third party audit such as the SOC 2 exam.

This article weighs the Security Questionnaire against the SOC 2, considering their characteristics and pros/cons.

Security Questionnaire

Characteristics

– Vendor sends you a questionnaire about security controls.

– The organization fills out the questionnaire.

– Vendor may respond with a few follow-up questions.

Pros:

• Cost-effective (only cost is time).
• Initial setup is relatively straightforward.

Cons:

• Low assurance.
• Can be time-consuming and burdensome to fill out questionnaires for multiple customers. Questions/answers can cause more confusion, especially if interpretations vary between parties.

SOC 2

Characteristics

– Begins with a framework of security controls.

– An independent auditor verifies the adequacy of these controls based on the organization’s specific risks.

– Auditor conducts in-depth inspections, including interviews and evidence examination. The auditor will engage directly with individuals responsible for each control, seeking understanding of how they are implemented and maintained.

 Inspection of evidence and observations are performed for each control. For instance, if the organization claims to have implemented security monitoring, the auditor will request evidence demonstrating coverage of relevant assets, specifics of monitoring systems in place, procedures for handling alerts, and responsible personnel.

– Auditor issues a report which may be issued to multiple different parties.

Pros:

• High degree of assurance.
• Allows to provide report to each customer who asks to reduce time on individual questionnaires.

Cons:

• More expensive compared to Security Questionnaires (auditor fees).
• Requires preparation, documentation, and resources for the audit process.

It should be noted that each customer will evaluate third party security assessments differently – some may be entirely satisfied with the SOC 2 report, others may decrease the questions they ask given they received the SOC 2, while others may disregard the report entirely.

However it is a tool that can enable companies to drastically decrease the time spent in building customer trust and get back to their day job of building cool stuff and serving customers.