
What is SOC2 compliance?
System and Organization Controls 2 (SOC 2) is an audit procedure applicable to all technology services or SaaS companies that collect and store customer data in the cloud. It is designed to ensure that a company’s organizational security controls and practices can effectively safeguard the privacy and security of client data. SOC 2 is often the first compliance standard that SaaS companies choose to comply with and has become the de facto standard of choice for many customers assessing the security of their SaaS suppliers.
Who needs to be SOC2 compliant?
As a service provider, your clients rely on you to protect their valuable data. Increasingly, businesses choose to work with providers who can prove their ability to handle data securely. Be SOC2 compliant – unlock your business potential and give reassurance to your clients and prospects.

SOC2 Type I
SOC2 Type II
SOC2 Trust Principles
| Security | Availability | Processing Integrity | Confidentiality | Privacy |
|---|---|---|---|---|
| Information and systems are protected against unauthorized access, disclosure, and damage that could affect the entity’s ability to meet its objectives. | Information and systems are available for operation and use to meet the entity’s objectives. | System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. | Information designated as confidential is protected to meet the entity’s objectives. | Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. |
What are the Common Criteria?
- CC1 – Control Environment
- CC2 – Communication and Information
- CC3 – Risk Assessment
- CC4 – Monitoring Activities
- CC5 – Control Activities
- CC6 – Logical and Physical Access Controls
- CC7 – System Operations
- CC8 – Change Management
- CC9 – Risk Mitigation
Why SOC2?
- Broadly accepted
- Provides a competitive edge
- Improves information security practices
- Ensures sensitive information is protected
- Protects the organization from the negative effects of breaches
- Graduated approach
“Kobalt.io gives us peace of mind as our trusted advisor. They are responsive and provide advice quickly when needed.”
– Hieg Khatcherian, Chief Information Security Officer, Thrive Health
Achieving SOC2 with Kobalt.io
Kobalt.io is a certified service partner of Vanta. Kobalt.io and Vanta work together to provide our clients with value beyond compliance. With Kobalt.io cybersecurity, compliance and data privacy expertise, combined with Vanta’s best-in-class technology, you can quickly achieve your security compliance goals at a lower cost, proving trust and driving growth.
Typical SOC2 Process
Preparation for audit
Typically 3-12 months, depending on maturity and needed pace
Type I audit
Typically runs for a month; the first “point in time” certification
Type II audit
Typically the first audit runs 6-12 months after completion of the Type I
Annual audits
Once the initial audit is complete, additional audits will run every 12-18 months to prove recent compliance
Frequently asked questions
When going through a SOC2 audit, it is important that your teams are prepared in order to avoid delays in assessment and additional assessment costs. To achieve SOC2 compliance, you should take the following steps to prepare for a SOC2 audit:
- Implement all applicable administrative policies and internal controls
- Perform a SOC2 readiness assessment
- Collect all policies, security documentation, and agreements with vendors and contractors
To ensure continued SOC2 compliance, organizations should perform a SOC2 audit before the current report passes its effective coverage period. Typically, organizations go through a SOC2 audit annually to keep their SOC 2 Type II report current.
This means that organizations generally need to keep all SOC2 internal controls in place to pass future audits. You will want to ensure that administrative policies are current and that security controls remain in place and are applied to newly created infrastructure and resources.