What is SOC compliance?
SOC (System and Organization Controls) compliance is a voluntary attestation framework for service organizations, defined by the American Institute of CPAs (AICPA). SOC 2 reports are built upon five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
“You will not find a standard checklist of what it takes to be SOC compliant,” says Caroline McCoy, Director of Compliance at Bit-Wizards. “An auditor actually reviews each one of your policies and procedures and makes a determination on whether it’s enough. So, it’s very much decided on a case-by-case basis.”
The different kinds of SOC compliance
“There are three levels of SOC compliance. SOC 1 is focused on financial reporting,” McCoy explains. “SOC 2 and 3 are suited for technology service companies. SOC 3 is high level and public facing with no confidential information included. Usually, a SOC 2 audit covers each of the five Trust Services mentioned above. As a technology company, this allows us to prove our compliance capabilities to our customers if requested.”
SOC reports also come in two types, Type 1 and Type 2, which differ in whether the auditor evaluates controls at a point in time or over a period. Bit-Wizards is SOC 2 Type 1 compliant.
“With SOC 2 Type 1, an auditor assesses the design of our security controls at a set point in time,” says McCoy. “The auditor reviews everything we have in place to make sure policies are documented, risks are managed, and procedures are followed. Type 2 actually takes six months to a year to complete because an auditor observes operations over time to assess how effective these controls are. Bit-Wizards will be undergoing a Type 2 audit next year.”
Why is SOC compliance important?
“SOC compliance confirms that we have a documented, high level security framework and that we handle all sensitive information responsibly,” McCoy explains. “This audit is distinct in that a third-party auditor comes in and validates our controls and systems, which are unique to our company. They don’t just check off boxes or go down a list to see if we’re compliant. The auditor literally looks at every single policy we have and analyzes it to determine whether we have met the five Trust Service Criteria.”
No law or regulation requires technology companies to obtain a SOC report; it is a voluntary step taken to give customers independent assurance.
“This is an extra, voluntary compliance standard that we have adopted to prove to our customers that we can provide the services we are contracted for,” says McCoy. “It gives clients assurance that we’re able to properly defend their data from breaches and cyberattacks.”
In fact, McCoy says, few security measures are actually mandated for a technology company to be considered compliant, which is why it is crucial to partner with a managed service provider (MSP) that takes the initiative rather than doing the minimum.
“We also undergo penetration testing, which is not required for technology companies,” she says. “Annual pen tests are required for us to be SOC compliant, so these additional security measures go hand in hand. Bit-Wizards undergoes biannual pen tests though, so again, we go that extra mile to keep clients protected.”
Partner with a managed service provider that takes security seriously
“SOC 2 Type 1 compliance can cost anywhere between $40,000 and $150,000 in services, programs, and processes that we utilize to remain compliant each year,” says McCoy. “And that’s not including the time and effort it requires of us.”
McCoy says it’s crucial to partner with a company that invests in your security.
“We complete these compliance audits and penetration tests voluntarily because security, privacy, and performance are fundamental to Bit-Wizards,” she says.
Looking for a managed service provider that goes above and beyond to protect your business from security breaches, hacks, and cyberattacks? Get started with our Managed IT Services today.