Nobody expects the Spanish Inquisition

Newbies’ Guide to Compliance: SOC 2 is a Unicorn

Nobody expects the Spanish Inquisition, but everyone expects SOC 2 (and the rigorous work it takes to get certified).

The first and most common security audit I had to wrap my head around was SOC 2. System and Organization Controls (SOC) audits probably have the most plentiful bounty of information, guides, definitions, secrets, tools, and tricks of all the major security certifications I’ve seen. The tough part was sifting through it all to find the core content and key concepts (not to mention layperson explanations) I needed to fully equip myself. This would be my unicorn.

So, what did I learn about SOC 2?

A SOC 2 audit is typically found in North America, though it has been spotted in other regions of the world. There are two types with different lifespans: Type 1 and Type 2. Type 1 is the faster and cheaper variety, but its lifespan is shorter. Type 2 is a slower, more expensive and more thorough creature, but it assures customers of greater security and has a much longer lifespan.

Table showing the differences between SOC 2 Type 1 and Type 2.

SOC 2 outlines a set of regulations designed to ensure that organizations storing sensitive information (especially in the cloud) adhere to a common set of security best practices. Enter: my brain, where unicorns are dancing in the skies. Much like unicorns that stand for principles of good in the world, there are five “Trust Services Principles” or “Trust Services Criteria” (TSP or TSC, depending on how fancy you want to get) that SOC 2 stands on: Privacy, Security, Availability, Processing Integrity, and Confidentiality (here’s a mnemonic to help you remember all of that)! As an organization that cares about its customers, you’ll need to demonstrate that you have the right security controls in place for the TSPs that apply to your organization.

Keeping up with the unicorn analogy (stay with me here!), here’s how each TSP is broken down as if I were a knight seeking one out and needed the proper tools:

These main principles of SOC 2 are the key to finding your own personal unicorn in the world of security audits. And now that I have indulged my need for fantastical comparisons…I am off to discover more in the world of InfoSec! Tally-ho!
