SOC 2 Reports are Report Cards, Not Certifications

So often I hear, "They're good, they have a SOC2". A SOC 2 report simply reflects that a company went through a SOC 2 audit, much like a report card reflects that you went to school. Your performance in the class is reflected in the content of the report card, just as the results of the SOC 2 audit are found in the report. The big difference here is that you can glance at a report card and discover how someone did in the class. Discovering how a company performed in the SOC 2 audit takes some digging.

Here's my quick guide to SOC 2 reports. Nothing new here, but if you're being handed a third party risk hat or are new to GRC, I hope this helps!

1.) Date: Is this a current report? An old report says nothing about the controls in place today.

2.) Type: Is this a Type 1 or Type 2? A Type 1 report covers a single point in time and, by its nature, cannot give confidence that controls are implemented consistently and operate effectively. A Type 2 report reviews the company's controls over a period of time, giving greater confidence in the reliability of the SOC program.

3.) Scope: Section 1 of the report will include a "scope". You'll want to check which products/services are in scope of the report AND which of the five trust services principles (security, confidentiality, availability, privacy and processing integrity) are in scope. Are the products/services you are planning to use covered? Are the trust principles in scope applicable to your needs? If you are relying on this vendor for your own services to be available, then you probably want the scope to include availability.

4.) Auditor's opinion: Section 1 of the report will include the auditor's "opinion". If they offer a qualified opinion, this indicates a significant deficiency in the company's ability to meet one or more of the applicable criteria.

5.) Audit findings: Section 4 of the report will detail the auditor's testing of the controls and their findings. Some exceptions to controls may not make you lose sleep, but others may. That unencrypted database could be concerning to you!

6.) CUECs (Complementary User Entity Controls): The shared responsibility model is a fundamental part of the vendor<>customer relationship. CUECs are the controls the vendor has delegated to you, the customer, in meeting the applicable trust principles; the vendor's controls are only effective if you hold up your end. Make sure you've reviewed and implemented these as appropriate and applicable.

7.) Control environment: If using this vendor carries notable risk for your organization, Section 3 is admittedly a lot to read, but it describes the vendor's audited control environment in some detail. Read it!

If you wish this was easier, DM me https://linkedin.com/rcgrc 😉
