SOC 2
SOC 2 is a compliance framework that evaluates how service organizations manage security, availability, and confidentiality. It includes an assessment of identity and access controls, and SOC 2 Type II reports require continuous monitoring over a defined period.
# WHAT TEAMS RUN INTO
- SOC 2 audits are snapshot audits. Even a Type II audit covers only a specific time period. Controls that are in place during the audit window might not have existed before it or persist after it, creating compliance theater.
- SOC 2 scope is defined by the organization. Organizations decide which systems and processes are in scope, and they often exclude the most important systems to reduce audit burden.
- SOC 2 does not require specific technology. Organizations can be SOC 2-compliant with weak authentication systems, weak encryption, and poor access controls as long as they document and implement something.
# WHY IT MATTERS
SOC 2 compliance is often required by customers who need assurance that a service provider takes security seriously. Organizations that maintain SOC 2 compliance must sustain identity and access controls consistently over the audit period. While SOC 2 can be gamed, maintaining genuine SOC 2 compliance forces good identity security practices.