SOC 2 Type II
What is it?
- "A SOC 2 Type 2 Report is a Service Organization Control (SOC) audit on how a cloud-based service provider handles sensitive information. It covers both the suitability of a company’s controls and its operating effectiveness."[1]
- I'm not sure how it's actually perceived in the industry, but it feels more like a marketing gimmick/exercise than a security exercise, and it is ripe for abuse by limiting what's within scope.
- Ostendio has a blog which discusses something similar:
- "... the ability to manipulate the scope has led to significant abuse of this audit. This ability to manipulate the scope means that it is difficult to compare one SOC 2 with another and also allows organizations to avoid auditing areas that are perhaps their weakest link."[2]
- It has to be conducted in good faith and paired with something like the NIST RMF to actually be effective.
Resources
Official
Supplemental
Secureframe
- They seem to have a lot of material freely available online.
- SOC 2 Type II Compliance: Definition, Requirements, and Why You Need It
- Overview of AICPA
- Your Step-by-Step SOC 2® Audit Checklist
- Audit Checklist
- SOC 2 Compliance: Everything You Need to Know | Secureframe - YouTube
- IT SOC 2 Audit Ask Me Anything : r/cybersecurity
- Laika Team/SOC 2 Auditor AMA
- SOC 2 assessment first timer : r/cybersecurity
- First-time assessment asking for assistance; includes possible links to follow up on
Other
- SOC 2 Type 2 Compliance Guide: Everything You Need To Know | StrongDM
- Short guide discussing the SOC 2 as it might relate to a client
- Compares against other audits, like SOC 1, ISO 27001, and HITRUST
- SOC 2 Simplified: Full Framework Review in Plain English - YouTube
- 1-hour-long video
- Goes over the requirements for SOC 2 compliance
- SOC 2 Compliance: The Complete Introduction | AuditBoard
- Seems to be written more for a practitioner