Stop buying into these 5 common SOC 2 misconceptions

April 7, 2023

Compliance isn’t a popular topic for most organizations. The many different frameworks and regulations in place can be difficult to understand, and it’s easy for businesses to become frustrated with what they view as unnecessary boxes to check and hurdles to clear.

Thankfully, this mindset has somewhat abated in recent years. The frequency — and severity — of ransomware attacks, third-party breaches and other cyber incidents has helped drive home the importance of independent, verifiable security benchmarks.

Now more than ever, businesses need a way to demonstrate to one another that they have taken the necessary steps to protect themselves against today’s biggest threats — and compliance frameworks are an important way to do that.

That doesn’t mean compliance is easy — but it doesn’t have to be hard, either. Even as cloud adoption has skyrocketed and frameworks like SOC 2 have become increasingly important, lingering misconceptions have created a false impression of what compliance looks like.

Those misconceptions have made life unnecessarily difficult for businesses just looking to establish trust with potential partners and customers. Leaving SOC 2 misconceptions behind can help those businesses streamline the process and approach compliance more effectively — and successfully.

Myth #1: SOC 2 is a certification

This is the most persistent myth of all, and it underpins a fundamental misunderstanding of what SOC 2 is and does. A company cannot become “SOC 2 certified.” That would imply that there is a “pass/fail” system where a company is either SOC 2 compliant or it is not. But when it comes to SOC 2, the reality is more nuanced than that.

The result of a SOC 2 audit isn’t a certificate of compliance. It’s an attestation report that indicates the auditor’s opinion on the design and operating effectiveness of the security controls the organization has in place.

Some frameworks, like ISO 27001, are simple: a company is either certified, or it is not. It’s black and white. SOC 2, on the other hand, involves a report that indicates which criteria were met and which were not, and whether the controls in place were designed appropriately and operating effectively.

There is also room for the auditor to include certain qualifications, if most (but not all) criteria were met, or if the audit was impossible to perform fully for some reason. SOC 2 reports are detailed, and they contain a significant amount of information. This is good because it makes it easy for a company to “show their work,” so to speak. A potential partner or customer doesn’t just have to trust that a positive report means everything is squared away—they can dig into specifics.

Myth #2: All SOC 2 reports are the same

There are actually two types of SOC 2 attestations: Type 1 and Type 2. A Type 1 attestation is a point-in-time snapshot. It’s not uncommon to see vendors promising to “help you achieve SOC 2 compliance in two weeks!” or a similarly accelerated time frame.

Those promises aren’t necessarily false, but they are misleading. Yes, it is possible to generate a SOC 2 Type 1 report in a relatively short period of time, but that report will only include data on the effectiveness of the controls in place at the moment of the audit.

While a point-in-time snapshot of security controls can be valuable, it usually isn’t what potential partners and customers are looking for when they ask for a SOC 2 report. What they want is a Type 2 report, which gauges the effectiveness of security controls over a longer period of time (typically six months).

This type of report carries significantly more weight. A point-in-time snapshot lacks context — for all the reader of the report knows, the company might have scrambled to put new controls in place the day before the audit was conducted. A Type 2 report demonstrates that not only are the necessary controls in place, but the organization has had them in place for some time and knows how to use them effectively.

This is absolutely critical for organizations to understand. A clean SOC 2 report is a must for businesses operating in the cloud, but a Type 2 report isn’t something that can be rushed. It requires foresight and planning.

Myth #3: SOC 2 mandates specific controls

SOC 2 is more subjective than other standards — it is up to the organization being audited to demonstrate that the controls it has in place satisfy the requirements laid down by the framework.

That means there are no specific controls prescribed or required for SOC 2 attestation. Instead, it has a set of criteria (known as the Trust Services Criteria) that breaks down the framework’s requirements into five categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy.

How individual businesses choose to meet those criteria can vary greatly. Certain data privacy controls might work better for companies in a certain industry, or with a certain organizational structure.

While some may find it curious that SOC 2 does not prescribe specific controls, this flexibility is actually a positive for companies. It allows them to identify the solutions that not only meet the required data privacy standards, but work best for them as a company. As long as they can demonstrate to the auditor that those controls are performing as expected, they’re in good shape.

Myth #4: Auditors are ‘out to get’ the companies they audit

To most companies, “audit” is a dirty word. But security audits are different from financial audits, and the truth is that companies engaged in a SOC 2 audit should seek to build a good working relationship with their auditor.

As SOC 2 audits grow more common, auditing firms are hiring more and more people from IT and security backgrounds, ensuring that those performing the audits are experts in the field — and not, as some assume, the same people performing financial audits. These auditors bring experience and expertise with them and can often make suggestions and recommendations to help the company navigate the audit more smoothly.

Auditors aren’t “out to get” the companies they audit. Why would they be? A poor SOC 2 report doesn’t come with any fines or penalties that enrich the auditor or their firm—just reputational damage for the company being audited.

If anything, SOC 2 auditors want to help the companies they work with meet the framework’s requirements. SOC 2 auditors have to be both knowledgeable and flexible, and that knowledge and flexibility can be very helpful for organizations who enter the audit—and the auditor relationship—with the right mindset.

Myth #5: SOC 2 compliance automatically applies to other frameworks

Because SOC 2 deals with securing data stores in the cloud, it has a good deal of overlap with other frameworks — but that doesn’t mean it automatically covers them. Yes, a company with a good SOC 2 report likely meets many of the requirements laid down by HIPAA or ISO 27001, but a separate audit is still required to demonstrate adherence to those frameworks.

It’s important to not make assumptions when it comes to compliance—a potential customer asking whether a company is HIPAA compliant will not be satisfied with a SOC 2 report, no matter how glowing it is.

That said, some auditing firms will work with organizations to conduct expanded audits that cover multiple frameworks, streamlining the process where those frameworks overlap. This can be handy for businesses that know they will ultimately need to meet multiple compliance standards and want to make the process quicker and more efficient.

Knowledge Is Power

Compliance isn’t easy, but too many organizations wind up stumbling over common misconceptions and putting themselves in a more difficult position than they need to be in.

By understanding what a SOC 2 audit actually looks like, the degree of planning that goes into it, and how to engage with auditors, businesses can avoid falling victim to common misconceptions and setting their compliance programs back unnecessarily. For companies beginning the compliance process, the best piece of advice is to approach it with as much information and knowledge as possible.

Troy Fine serves as Drata’s director of cybersecurity risk and compliance and advises customers on building sound cybersecurity risk management programs while meeting security compliance requirements. Fine is a CPA, CISA, CISSP and CMMC Provisional Assessor, ISO 27001 Lead Auditor, and a Registered Practitioner, whose areas of expertise include GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST assessments, HIPAA assessments, ISO 27001 assessments and third-party risk management assessments.