Nobody expects the Spanish Inquisition

Newbies’ Guide to Compliance: SOC 2 is a Unicorn

Nobody expects the Spanish Inquisition, but everyone expects SOC 2 (and the rigorous work it takes to get a clean report).

The first and the most common security audit I had to wrap my head around was SOC 2. System and Organization Controls (SOC) audits probably have the most plentiful bounty of information, guides, definitions, secrets, tools, and tricks of all the major security attestations and certifications I’ve seen. The tough part was sifting through it all to find the core content and key concepts (not to mention layperson explanations) I needed to fully outfit myself. This would be my unicorn.

So, what did I learn about SOC 2?

SOC 2 is an attestation standard from the AICPA, so it is typically found in North America, though it has been spotted in other regions of the world. There are two types with different lifespans: Type 1 and Type 2. A Type 1 report is the faster and cheaper variety: the auditor evaluates whether your controls are suitably designed at a single point in time, so it goes stale quickly. A Type 2 report is a slower, more expensive and more thorough creature: the auditor tests whether those same controls actually operated effectively over a review period (commonly three to twelve months). That evidence of sustained operation is what assures customers of greater security, and it is why a Type 2 report carries far more weight and stays useful for much longer.

[Table: differences between SOC 2 Type 1 and Type 2]

SOC 2 is not a regulation but an attestation standard: it gives organizations that store sensitive customer data (especially in the cloud) a common way to demonstrate that they adhere to a shared set of security best practices. Enter: my brain where unicorns are dancing in the skies. Much like unicorns that stand for principles of good in the world, SOC 2 rests on five “Trust Services Principles” or “Trust Services Criteria” (TSP or TSC, depending on how fancy you want to get; the AICPA now uses the latter): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only criterion every SOC 2 report must cover; the other four are added only when they apply to the service you provide. As an organization that cares about its customers, you’ll need to demonstrate that you have the right controls in place for each criterion you bring into scope.

Keeping up with the unicorn analogy (stay with me here!), here’s how each TSP is broken down as if I were a knight seeking one out and needed the proper tools:

These main principles of SOC 2 are the key to finding your own personal unicorn in the world of security audits. And now that I have indulged my need for fantastical comparisons…I am off to discover more in the world of InfoSec! Tally-ho!
