The Transition from SOC 1 to SOC 2 and Why it Matters to You
Posted on July 7, 2014
A certification provides official confirmation of specific characteristic(s) a person or company has achieved through an external assessment. Businesses conduct SOC 2 certification to ensure that the inner workings of an organization meet audit and compliance standards.
As a follow up to our blog post on The Information Security Certification Challenge, VelocityEHS conducted our first annual SOC 2 audit. The purpose of the audit is to evaluate an organization’s information system as it relates to the five Trust Service Principles (security, availability, processing integrity, confidentiality and privacy). We hope that by explaining the standards for compliance and defining the necessary changes that were made in the audit will help our customers sleep better at night knowing their data is secure and always available.
The majority of our clients select software as a service (SaaS) to store and manage their EHS data securely and efficiently. More and more frequently, VelocityEHS was asked to provide detailed explanations of internal controls and policies. As explained previously:
“Providing this type of assurance to our clients one by one was a very time consuming and often tedious and complicated matter. It became a necessity to find an internationally recognized certification.”
Like so many other service providers, VelocityEHS suffered through the maturation of compliance standards: limited options, too industry specific – none that fit “just right.”
We found that prospective clients understood the benefits of moving services to a SaaS provider but were understandably hesitant to do so without a thorough understanding of how VelocityEHS protects their data (security controls) and how their data would be protected (availability controls). The SOC 1 (SSAE 16 Type 2) standard did not contain a list of control objectives (the controls are specified by the vendor and agreed upon by the auditor, and thus not necessarily comparable with other service providers). It was this absence of standardized controls which made it virtually impossible for “apples to apples” comparison of service providers. An additional obstacle was that the SOC 1 report was not intended to be shared with prospective clients and worse yet, reports of misuse of SSAE 16 reports were tarnishing its legitimacy.
Even though VelocityEHS had implemented the majority of the controls required for SOC 2, too much time was being spent trying to prove this to prospective clients and reassure existing ones. Clients were submitting extensive security questionnaires which needed to be completed and returned to their security staff for review; and while completely understandable, was obviously an inefficient use of everyone’s time and of course as we all know, time is money… So how could we help our clients perform their due diligence more efficiently?
Enter SOC 2.
The AICPA (American Institute of Certified Public Accountants) and CICA (Canadian Institute of Chartered Accountants) established a new guide for SOC 2 engagements using the Trust Services Principles, Criteria and Illustrations (TSP) to assist CPAs in reporting on the effectiveness of a service organization’s controls related to operations and compliance. The new guide requires the use of standardized control objectives based on the proven SysTrust-derived standards of Availability, Security, Confidentiality, Privacy and Processing Integrity. Due to the nature of our service offering and the fact that VelocityEHS is not bound by Health Care Compliance and does not process financial transactions, the decision was made to focus on the standards most important to our clients – Security and Availability.
After a year-long project with major revisions to policies and procedures and the introduction of a formalized Security Awareness Program, VelocityEHS completed the SOC 2 audit and was formally certified in June 2014. It is important to understand that SOC 2 audits are specifically designed for vendors in the service organization marketplace and focus on the same foundations of security (Trust Service Principles) you are hopefully already using internally. The demise of extensive, redundant, complicated and inefficient security questionnaires is drawing to a close, replaced by an annual SOC 2 Compliance Report – that really is The Simplest Solution.