SOC 2 isn’t a set of hard and fast rules. Rather, it is a framework that sends a strong signal that an organization prioritizes key attributes: security, availability, processing integrity, confidentiality, and privacy. Completing a SOC 2 certification on its own is generally not enough to prove that you are 100% secure as an organization, but it’s a very good start and will go a long way toward instilling trust in your customers.
Unlike ISO-27001, which has very rigid requirements, SOC 2 reports are unique to each organization. In line with specific business practices, each designs its own controls to comply with one or more of the trust principles.
These internal reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.
The SOC 2 reporting standard is defined by the AICPA. All SOC 2 audits are signed by licensed CPAs . To achieve SOC 2 compliance, most companies spend anywhere from six months to a year on focused preparation. This includes identifying which systems are in scope for the audit, developing policies and procedures, and implementing new security controls to reduce risks. When ready, an organization will hire a licensed AICPA auditor to conduct the audit. The actual process involves scoping, artifact document collection, and an on-site visit. The time commitment is typically several hours of introductory phone conversations and two days in-person at your office.
The Common Criteria for Information Technology Security Evaluation, referred to as Common Criteria, is an internationally recognized standard for computer security certification. Common Criteria is a framework that assures that the process of specification, implementation, and evaluation of a computer security product has been rigorously tested in a repeatable manner. The goal of Common Criteria is for vendors to make claims about the security of their products and that independently run testing laboratories can determine if they meet those claims. Below are the nine Common Criteria that are typically associated with SOC 2 compliance for SaaS providers and vendors.
SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.
Trust principles are broken down as follows:
While SOC 2 compliance isn’t a requirement for SaaS and cloud computing vendors, its role in securing your data cannot be overstated.
Imperva undergoes regular audits to ensure the requirements of each of the five trust principles are met and that we remain SOC 2-compliant. Compliance extends to all services we provide, including web application security, DDoS protection, content delivery through our CDN, load balancing, and Attack Analytics.