What is SOC 2 and why is everyone talking about it?

19 June, 2019

As the number of companies who hold customer data increases, so too has the demand for SOC 2 reports. Technology companies are expected to be SOC 2 compliant, particularly when they store customer data in the cloud. This is particularly the case in the Software as a Service (SaaS) sector.

SOC 2 compliance means that a company has established and follows strict information security policies and procedures. These policies must cover the security, availability, processing integrity and confidentiality of customer data.

PwC provides SOC 2 reports to companies of all sizes across Ireland. But what are SOC 2 reports, and how do you get one? Here are answers to some of the most common questions we are asked about SOC 2.


What is a SOC 2 report?

A SOC 2 report evaluates your data systems using the American Institute of Certified Public Accountants' (AICPA) Trust Services Principles (TSPs). The TSPs are industry-recognised standards for cloud service providers, software providers and developers, web marketing companies and financial services organisations.

SOC 2 reports provide assurance to prospective and current customers about the security, availability, confidentiality and privacy of the information systems your organisation uses.

Why is everyone talking about it?

Organisations need to prove to customers that their data is secure. They need to show that a strong control environment is in place. They also need to show that there is the same level of control and oversight of third parties who hold or access that data.

Customers are asking for evidence that these controls are in place and operating effectively. The main way to do this is to attain SOC compliance. This confirms the robustness and reliability of an organisation's information systems.

Being able to say you have a SOC 2 compliant information system is a great marketing tool for your organisation. With an expanding network of vendor-customer relationships in the tech sector and the importance of data security in these relationships, having a SOC 2 report is a badge of trust.

SOC 2 reports are being used as a screening technique early in the sales process throughout the Tech and Financial Services sectors. Organisations that do not have them are missing out on business opportunities.

How is a SOC 2 report prepared?

A SOC 2 report is based on a number of different Trust Service Principles. The five Trust Service Principles are Security, Availability, Processing Integrity, Confidentiality and Privacy. The SOC 2 report provider assesses and reports on each of the principles. Each principle has criteria that the organisation seeking the report must meet to get their certification.

The Security principle is mandatory for all SOC 2 reports. The organisation can then decide which of the other principles are relevant for their business or for their customers' needs.

The Processing Integrity principle is important for organisations whose services need accurate calculations based on the data they hold. The Confidentiality principle is important for organisations that hold and process high volumes of confidential data. The Availability principle is important for organisations providing on-demand systems or services that must function round the clock. The Privacy principle is important for organisations who hold client or customers' personal information. Privacy is receiving increased attention in light of EU GDPR regulations.

What does the SOC 2 reporting process involve?

The process for obtaining a SOC 2 report usually begins with a readiness review. This identifies any gaps in the control environment, and allows time to address these gaps. Once the organisation seeking a report and the SOC 2 report provider are satisfied that the organisation's control environment is ready to pass the SOC 2 category requirements outlined above, a SOC 2 Type I report can be completed. This involves testing the controls to confirm that they are designed and operating as expected at the date of the report.

A Type II report will then cover the design and operational effectiveness of controls over an extended period of time, usually six months to a year.

How long does it take?

The length of time it can take to obtain a SOC 2 Type I report will vary depending on several factors. These include the number of gaps identified in the readiness review, and the maturity of existing controls.

A reasonable timeframe to assume for the completion of a readiness review and SOC 2 Type I report would be six months.

We can work with you on a timeframe that suits your and your clients' needs for the SOC 2 report.

How much does a SOC 2 report cost?

The costs of a SOC 2 report can comprise a readiness review and a Type I report. It can also include the cost of a Type II report. The readiness review is optional, but we would always recommend one to ensure a smooth Type I report process.

The cost can also vary depending on the size of the company, the scope of the SOC 2 report, and the level of support needed.

It can be confusing to receive quotes with a variety of fee ranges. You need price certainty when you are about to invest in a significant undertaking of time and money. If you are interested in obtaining a SOC 2 report, we can provide you with a fixed-price quote.

Contact us

Fiona Gaskin

Partner, PwC Ireland (Republic of)

Tel: +353 1 792 6923
