
SOC 2: Certification versus Attestation

Paul Ducklin
10/08/2024

If you’re involved in cybersecurity, or even just interested in it, you’re very likely to have seen the abbreviation SOC, and perhaps even heard it used as a word in its own right.

(Almost everyone just says ‘sock’, rather than spelling it out as ‘ess-oh-sea.’)

You’ve probably also heard of SOC 2, with the digit 2 very deliberately added at the end.

In this article, we’re going to look at this second meaning of SOC, and what it can do for you, your customers, and your suppliers.

What does SOC stand for?

The best-known meaning of SOC in cybersecurity is Security Operations Center, shorthand for a dedicated team of security responders and researchers who work together to protect their own business, or other people’s businesses, against cyberattacks.

Indeed, you may have listened to our podcast Tales from the SOC, where we talk about the issues that SolCyber’s own security operations teams have to deal with, and how they do so with diligence, humanity and skill.

The second meaning of SOC, the one used in SOC 2, stands for System and Organization Controls, a name that reflects what it measures, although you will still find websites referring to Service Organization Controls, an earlier name that reflects the sort of business that the controls are intended to cover.

The SOC series was created, and is overseen by, the American Institute of Certified Public Accountants (AICPA).

What SOC levels are there?

The best-known SOC controls are undoubtedly those covered by SOC 2, but it’s worth knowing that there are three levels of SOC, numbered simply 1, 2, and 3:

  • SOC 1. This is intended as a baseline assessment for companies offering financial services, as you might expect given that SOC comes from the AICPA. Loosely speaking, a SOC 1 report covers what are known as internal controls over financial reporting. This provides customers of a financial services business with an assurance that the correctness of their own financial reports won’t be compromised by sloppy practices on the part of their service provider.
  • SOC 2. The popularity of cloud-based providers for a huge range of services, many or most of which involve the collection of data that could put the financial respectability and viability of customers at risk, created the need for a more comprehensive level of assurance. SOC 2 therefore deals with a much broader range of business practices than SOC 1, covering five aspects known as the trust services criteria. These cover the three principles often referred to as the ‘holy trinity’ of cybersecurity, namely confidentiality, integrity, and availability (sometimes jocularly known as CIA), together with explicit assessments of security and privacy. Briefly expressed, SOC 2 measures the degree of care and control that a service company maintains over all aspects of its own and its customers’ data.
  • SOC 3. Despite having a higher number than SOC 2, a SOC 3 report doesn’t offer a higher level of assessment and assurance. Loosely speaking, a SOC 3 report is a slimmed-down SOC 2 report that omits any confidential or proprietary details that a SOC 2 report typically includes. A SOC 3 report therefore provides a readable, high-level public overview suitable for general sales and marketing use. You can’t obtain a SOC 3 report without completing a full-on SOC 2 assessment first.

What types of SOC report are there?

Somewhat confusingly, SOC 1 and SOC 2 reports can be produced at what are essentially two grades, also numbered 1 and 2:

  • Type 1. Simply put, SOC 1 Type 1 and SOC 2 Type 1 reports describe an audit of an organization’s practices conducted at a single point in time. This provides an assessment of how well those practices, if correctly followed, would protect the organization and its customers.
  • Type 2. In contrast, SOC 1 Type 2 and SOC 2 Type 2 reports generally provide a much stronger assessment, because the auditing involved is conducted over an extended period, typically several months. During this time, the degree to which the organization actually ‘practices what it preaches’ is evaluated. A Type 1 report affirms to your customers that, in theory, you are capable of protecting their data properly. But a Type 2 report provides a much stronger assertion that you really do achieve in real life the level of control that you are aiming for, and will continue doing so.

Note that SOC 3 reports come in only one format, being the public-facing summary of an existing SOC 2 report, so they don’t need or get a Type 1 or Type 2 suffix of their own.

What level and type should you look for?

Many service organizations that go through a SOC assessment will aim for SOC 2 Type 2, given that Type 2 shows not only that they ‘talk the talk’ and have a plan for keeping data safe, but also that they ‘walk the walk’ and are therefore likely to succeed in doing so.

Ideally, therefore, SOC 2 Type 2 Attestation is the level and type of report you should look for from your suppliers.

However, don’t expect a company to share a report of this sort with you out of the blue.

Don’t be alarmed or offended if you are asked to sign a non-disclosure agreement (NDA) in advance.

SOC 2 Type 2 reports typically contain operational details that no company would be expected to put into the public domain for competitors or cyberattackers to consult at will.

Why is it Attestation, not Certification?

Above, we carefully used the word attestation instead of certification, although you may have seen press releases or corporate websites announcing “SOC 2 certification,” and seen adverts for companies that will help you in getting a “SOC 2 certificate.”

But the official terminology is SOC 2 Attestation, even if the two terms feel interchangeable in day-to-day language.

A great way to think of the difference can be found on the gloriously old-fashioned test certificates that used to be issued in Great Britain for cars that had passed their mandatory annual safety check. (The online era means that paper certificates are no longer used, but until surprisingly recently they had to be filled in by hand by the tester and embossed with a company seal.)

Official certificates included the following blunt observation:

“Warning. A test certificate is not evidence that the vehicle is in a satisfactory mechanical condition.”

The mandatory certification implies no more than official compliance, at the time of the test (which is conducted in a garage, not on the road), with a list of minimum standards covering specifics such as tire tread, lighting, and brake efficiency.

In other words, failing the test means that a vehicle is definitely not in a satisfactory condition, and therefore establishes a negative.

But passing the test, though compulsory, doesn’t really establish a positive, because it isn’t ‘proof’ that the vehicle is actually safe and reliable for everyday use, or that it lines up with the claims of its seller in respect of value and durability.

The vehicular equivalent of a SOC 2 Type 2 attestation would involve hiring an independent expert to examine and form an opinion about all aspects of the vehicle, under a range of different conditions, both statically in the garage and in a series of real-life outings on the road.

The expert would then write up a considered and detailed assessment of how safe and reliable the vehicle really is; whether it lives up to the seller’s claims and promises; what it is likely to be worth now and in the future; what sort of service you might get out of it in the long term; and more.

SOC 2 Type 2 attestations aim to provide similarly detailed levels of fact and informed opinion about the real-world safety and security that customers can expect from a service organization that keeps and works with other people’s data.

Just another marketing ‘check box’?

In theory, any compliance process, certification or attestation could be treated as nothing more than a ‘check box’ by a company that merely wanted to boast that it had gone through the motions, paying lip service to the process rather than treating it as a way to improve.

But the ongoing, real-life attestation process of SOC 2 Type 2 actively draws in the humans who are involved.

This helps them to be active participants in the organization’s online safety and security, rather than just rule-followers whose ‘skills’ consist merely of what David Emerson, SolCyber’s CTO and Head of Operations, humorously describes as the unfinishable process of following an infinity of lists.

As Bonnie Powell, SolCyber’s compliance manager, explains:

“The SOC 2 Type 2 audit isn’t just a checkpoint. It’s a valuable roadmap for improvement that any company can use.

It actively helped us uncover hidden compliance gaps, strengthened our internal processes, and deepened our cybersecurity maturity.

Audits can seem intimidating, but the SOC 2 Type 2 process empowered us to address blind spots and think like vigilant data guardians, anticipating threats and seeking opportunities for improvement.”

If you’re thinking of going in for a SOC 2 Type 2 attestation in your own business, whether you’re directly involved in providing cybersecurity services or just looking to build your own resilience against cyber attackers, make sure that you treat the SOC 2 process as an opportunity, not as an imposition.

Becoming proactive in compliance

SOC 2 Type 2 isn’t like taking a driving test at the DMV, where you have to be on your very best behavior for half an hour, but are then set loose to drive unadvised and unaccompanied from the moment that your license is granted.

SOC 2 Type 2 is more like a long-form advanced driving course, where you’re simultaneously advised and assessed over many different journeys under a range of different conditions, by an expert instructor who is both a teacher and an examiner, and who will equip you with safety skills you probably didn’t even know you needed.

As Bonnie puts it:

“Unlike SOC 2 Type 1’s point-in-time validation, SOC 2 Type 2 requires continuous compliance over time.

This ensured our processes were effective in the long term.

In a way, the audit felt like a fire drill at first: it seemed disruptive and a little chaotic.

In the end, however, it prepared us for real-world challenges by exposing areas we could fortify, helping our entire team respond better to future risks.

Audits like SOC 2 Type 2 are a great way to be proactive in compliance rather than merely reactive in incident response.”

How can I learn more?

If you’re thinking of going for SOC attestation in your own business, make sure you get the most out of it.

For the AICPA’s official documentation about the SOC process, please consult the Institute’s System and Organization Controls: SOC Suite of Services portal.

For a dynamic and informative real-life story of SolCyber’s own SOC 2 Type 2 journey, watch this blog for our forthcoming podcast with Bonnie, who will give you a fresh and upbeat view of process and compliance!

To understand how you can benefit from SolCyber’s SOC 2 Type 2 attestation, please visit our Foundational Coverage pages, or sign up today for a free trial.

Remember: Security is a journey, not a destination!


Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!



More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
