9 Things You Should Know About SOC 2 Data Security

Background: How secure is your data?

Data is the lifeblood of your organization. Malicious or accidental disclosure or loss of your data — especially Personally Identifiable Information (PII) such as Social Security numbers, driver’s license numbers, or email addresses — can cause catastrophic consequences. Lawsuits, fines, erosion of public trust, loss of business, and more.

Outsource the risk of catastrophic data loss

Many organizations have concluded that managing the risk of catastrophic data loss on their own doesn’t make sense. They realize that their data can be managed instead by software partners certified to the rigorous and demanding data management and security standards developed by the American Institute of Certified Public Accountants (AICPA). This standard is commonly called SOC, an acronym that stands for System and Operations Controls.

What is SOC?

AICPA developed the SOC regulations and certification standards to regulate the security management processes and policies of service organizations — including software vendors — that store or process customer data. SOC-certified companies must maintain an exacting standard of annual audits, ongoing training, development, and implementation of enhanced security measures, and frequent testing of their processes to ensure they protect their customers’ data.

Why should you care?

If you are a larger organization — or simply wish to minimize your risk of catastrophic data disclosure or loss — your best option for outsourcing that risk is to partner with a cloud-based software vendor. But not just any vendor. You need a SOC 2 compliant vendor, so you can be sure that your customer data will be managed and secured using the most robust and exacting processes developed by the AICPA.

The Bottom Line

You can minimize the significant risks of catastrophic data loss by insisting that any software partner that helps you manage mission-critical data should be SOC 2 compliant. Demand it, and you’ll sleep easier at night knowing you’ve done everything possible to secure your mission-critical data.

Simply put, partnering with SOC 2 compliant software partners provides peace of mind in a world where the threats against your data intensify daily.

PART 2: SOC 2 101 — An Executive Primer

If you’re interested in learning more, read on for the 9 things everyone involved with customer data should know about SOC 2.

Where did SOC originate?
SOC was developed by the American Institute of Certified Public Accountants (AICPA) in 2009 to help assure organizations that service organizations, such as software vendors, proactively employ rigorous data management processes and controls that keep their customers’ data safe and secure.

What is SOC 1 versus SOC 2?
SOC 1 focuses on internal controls related to financial reporting. SOC 2 focuses on information and IT security controls. SOC 2 compliance is the relevant requirement for organizations choosing a software partner to help them manage customer data. The AICPA organizes SOC 2 controls according to the 5 Trust Services Criteria. More on these below.

What is Type 1 versus Type 2?
A SOC 2 Type 1 audit evaluates software vendor’s SOC 2 compliance at a single point in time. A SOC 2 Type 2 SOC audit evaluates the vendor’s compliance over a period of time. Certemy is certified for the more rigorous Type 2 standard that most organizations demand from their software partners.

What are the 5 Trust Services Criteria?
SOC’s Trust Service Criteria (TSC) serve as the control criteria used by auditors when assessing a software vendor’s controls for information and systems security. The 5 TSC are as follows. Of the 5 criteria, Security is the most critical criterion for security-conscious organizations.


  • Security – The vendor’s system is protected against unauthorized access, both physical and logical.
  • Availability – The vendor’s system is available for operation and use as committed or agreed.
  • Processing Integrity – The vendor’s system processing is complete, accurate, timely, and authorized.
  • Confidentiality – The vendor’s system protects client information designated as confidential as committed or agreed.
  • Privacy – The vendor’s system collects, retains, discloses, and destroys personal information in conformity with the commitments in the vendor’s privacy notice and the criteria set forth in Generally Accepted Privacy Principles (GAPP).

What are the basic requirements for SOC compliance?

The most critical requirement of SOC 2 is that software vendors need to develop data security policies and procedures that are written out and followed by everyone in the vendor’s organization. To achieve SOC 2 compliance, a software vendor must document these policies and procedures for an independent auditor and demonstrate that everyone follows them. The auditor reviews this information following the SOC guidelines and only certifies software vendors that meet the stringent requirements set out by the SOC standard.

What needs to be monitored?
Proactive monitoring for data security threats is a major part of the SOC standard. The most important things a SOC-compliant software vendor needs to monitor include any unauthorized, unusual, or suspicious activity related to a specific client’s data. This type of monitoring usually focuses on system configuration and user access and monitors for known and unknown malicious activity, such as phishing or other types of inappropriate and unauthorized access.

What alerts are needed?
SOC-compliant software vendors set up alerts to detect unauthorized access to customer data plus any other abnormal behavior related to a client’s data. To avoid false alarms and unnecessary responses to those alarms, software vendors must employ an alarm system that alerts only when unusual activity is detected beyond what is typical for the operating environment, according to documented policies and procedures.

Who must comply with SOC requirements?
SOC 2 compliance has become mandatory for most large or security-conscious organizations when selecting a software vendor that stores and processes that organization’s valuable and sensitive client information in the cloud.

How often must a SOC-compliant software vendor be recertified?
Once certified, software vendors must pass a SOC recertification audit every 12 months. Regular recertification assures organizations that their software partners continue to maintain the exacting SOC data security standards at all times.


We hope you found this introduction to SOC 2 data security valuable. As we discussed at the beginning of this article, your data is the lifeblood of your organization. Malicious or accidental disclosure or loss of that data — especially Personally Identifiable Information (PII) such as Social Security numbers, driver’s license numbers, or email addresses — can cause catastrophic consequences. Lawsuits, fines, erosion of public trust, loss of business, and more. You can minimize the catastrophic risks of data loss or disclosure by insisting on SOC 2 compliance for any software partner that helps you manage your mission-critical data.

Certemy helped us intake an entire field of counselors in a very short period and allowed us to achieve a goal that would have otherwise been unachievable. The software has already paid for itself, and we plan to move the rest of our certifications to Certemy very soon. 

One-Platform for Compliance (Staff, Equipment & Facilities)

Tags :
Share This :