SOC 2 certification: 5 things we learned
Maybe you’re considering AICPA SOC 2 certification? Aikido was recently examined to check that our system and the design of our security controls meet the AICPA’s SOC 2 requirements. Because we learned a lot about SOC 2 standards during our audit, we wanted to share some of the insights that we think might be helpful to someone starting the same process.
Read our top tips on becoming ISO 27001:2022 compliant.
Type 1 vs. Type 2
The first thing to understand is that there are two different types of SOC 2 certification: SOC 2 Type 1 and SOC 2 Type 2. If you’re only starting to think about SOC certification, Type 1 might be a good first step. It’s faster to get and the requirements aren’t as demanding. A Type 1 report is also less expensive than a Type 2 report.
The trade-off is that a Type 1 report doesn’t cover monitoring over an extended period. Your cybersecurity measures are only checked at one specific point in time during a SOC 2 Type 1 audit. In contrast, the SOC 2 Type 2 certification process tests your security controls over a period of time. In effect, Type 1 tests the design of your security controls, while Type 2 also tests their operating effectiveness.
Note: You might also read about the ISAE3402 Type I report. That’s the European alternative, but in practice, most industries don’t worry about it. So go for SOC 2 unless you already know you need the European one.
SOC 2 trust services criteria
A SOC auditor will typically use five trust services criteria to evaluate companies for SOC 2 compliance:
- Security: protect data and systems from unauthorized access.
- Availability: make sure customer data can be accessed when needed.
- Confidentiality: make sure that confidential information is sufficiently protected.
- Privacy: protect personal information.
- Processing integrity: ensure that systems process data accurately and reliably.
Not every business needs to include all five criteria. Part of preparing for your SOC 2 audit is deciding which criteria your customers will require.
Additional industry-specific criteria also exist. For instance, a cloud service provider will have more stringent client data encryption requirements, while healthcare providers will need to protect health information.
Our top 5 SOC 2 certification tips
1. You can’t really become SOC 2 “compliant”
Unlike ISO 27001, you can’t reach a state of SOC 2 compliance. It’s a report that a potential customer can request so that they can evaluate the company’s security posture. The customer has to make their own decision on whether that company is secure enough to do business with.
You’ll get a SOC 2 report demonstrating compliance with the specified criteria, but that doesn’t mean that you go from non-compliant to compliant. That doesn’t reduce its value for your business partners. They know what they need and will often require a SOC 2 audit report.
For example, SOC 2 doesn’t necessarily require you to carry out a pentest, but it is highly recommended for ISO 27001. Vanta, one of the top SOC 2 compliance monitoring platforms, recommends treating SOC 2 as a bar that you need to get over to be seen as having reached essential security standards. But you might go the extra mile after you get over that bar, and your customers will probably appreciate the extra reassurance.
In that sense, your SOC 2 compliance report means that you’ve satisfied the auditor that your company meets the SOC 2 trust services criteria.
2. Type 2 is based on a compliance observation period
SOC 2 Type 2 reports check your security posture over an observation period called an audit window. You can select a window of between three months and a full year. This is much more thorough than SOC 2 Type 1, and it means that stakeholders and prospective customers get additional reassurance on your security systems and data security.
You’ll need to consult with your auditor to choose the audit window. It can depend on factors such as regulatory requirements, customer expectations, or how recently you developed your security frameworks and controls.
3. SOC 2 vs. ISO 27001: if your potential customers are in the US, SOC 2 is for you!
Companies in the United States typically request SOC 2 reports more often, while European companies tend to rely more on ISO 27001. This is because SOC 2 is an American standard. If you can, get both. That’s what we did, as we also became ISO 27001 compliant in 2023. If you can’t do both, choose based on where your customers or prospects are based.
If your customers are in the US, there’s a good chance they’ll be looking for your SOC 2 report.
4. We recommend that you work with an auditor in the US
If you’re based in Europe, there are lots of SOC auditors. They’re probably very good, but if you want a US company to trust your report, it makes sense to go with a third-party SOC 2 auditor in the United States.
5. Use a secure system for customers to request your SOC 2 report
You should make it easy for customers to request your SOC 2 report, but don’t make it too easy. Hackers might use it to identify weak spots in your security.
Don’t use email; use a tool that tracks what happens to the report after it gets downloaded. You should know who is requesting it, track when it was requested, and even consider watermarking or password protection. The best approach is to use an NDA.
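To make the controls in this tip concrete, here is an added illustration of a gated report-distribution flow. It is example code written for this page, not Aikido’s trust center or any of the compliance platforms mentioned; the class and field names are hypothetical, and the report bytes and requester details are constructed sample data. It enforces NDA acceptance before a link is issued, makes each link single-use and time-limited, keeps an audit trail of who requested and downloaded the report and when, and stamps each copy with the requester’s identity so a leaked copy can be traced.

```python
"""Gated, auditable distribution of a SOC 2 report (added example, hypothetical API)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ReportRequest:
    """One approved request for the report (hypothetical record shape)."""
    requester_email: str
    company: str
    issued_at: float
    expires_at: float
    downloaded_at: Optional[float] = None


class ReportGateway:
    """Issues single-use, expiring download tokens and keeps an audit trail.

    The raw token is never stored; only an HMAC of it is, so a leaked request
    table cannot be turned into a working download link.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 7 * 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = secret          # server-side key used to hash tokens
        self._ttl = ttl_seconds        # how long an issued link stays valid
        self._clock = clock            # injectable for testing expiry
        self._requests: Dict[str, ReportRequest] = {}
        self.audit_log: List[dict] = []

    def _digest(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"ts": self._clock(), "event": event, **fields})

    def issue_link(self, requester_email: str, company: str, nda_accepted: bool) -> str:
        """Gate on NDA acceptance, record who asked and when, return a one-time token."""
        if not nda_accepted:
            self._log("denied_no_nda", email=requester_email, company=company)
            raise PermissionError("NDA must be accepted before a report link is issued")
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._requests[self._digest(token)] = ReportRequest(
            requester_email, company, now, now + self._ttl)
        self._log("issued", email=requester_email, company=company,
                  expires_at=now + self._ttl)
        return token

    def download(self, token: str, report: bytes) -> bytes:
        """Validate the token (known, unexpired, unused) and return a watermarked copy."""
        req = self._requests.get(self._digest(token))
        now = self._clock()
        if req is None:
            self._log("denied_unknown_token")
            raise PermissionError("unknown token")
        if now > req.expires_at:
            self._log("denied_expired", email=req.requester_email)
            raise PermissionError("link expired")
        if req.downloaded_at is not None:
            self._log("denied_reuse", email=req.requester_email)
            raise PermissionError("link already used")
        req.downloaded_at = now
        self._log("downloaded", email=req.requester_email, company=req.company)
        # Per-recipient watermark so a copy that leaks can be traced to its requester.
        stamp = f"\n-- Issued to {req.requester_email} ({req.company}) at {int(now)} --\n"
        return report + stamp.encode()


if __name__ == "__main__":
    # Constructed sample run: one approved requester, one download, one refused reuse.
    gateway = ReportGateway(secret=b"replace-with-a-real-server-secret", ttl_seconds=3600)
    link = gateway.issue_link("alice@example.com", "Example Corp", nda_accepted=True)
    print(gateway.download(link, b"<constructed SOC 2 Type 2 report>").decode())
    try:
        gateway.download(link, b"<constructed SOC 2 Type 2 report>")
    except PermissionError as err:
        print("second download refused:", err)
    for entry in gateway.audit_log:
        print(entry)
```

In a real deployment the token would be embedded in the link sent to the requester, the request table and audit log would live in durable storage, and the watermark would be applied inside the PDF rather than appended as text; the structure of the checks stays the same.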
Aikido and ongoing SOC 2 compliance
Now that we’ve completed our own SOC 2 journey, Aikido Security fulfills all SOC 2 trust services criteria. We have also partnered with compliance monitoring platforms (such as Vanta, Drata, Secureframe, and Thoropass) to regularly sync data on current security controls and make sure that Aikido, and our customers, maintain a strong security posture.
Request our SOC 2 Type 2 report
You can request Aikido’s SOC 2 Type 2 certificate on our security trust center.
Or if you’re considering SOC 2 certification and still have questions, connect with me on LinkedIn and I’ll be happy to discuss the process with you in more detail.