Background / Introduction
AppCheck are often asked whether they are "SOC2 compliant". The question is a slight misnomer, in that SOC2 is not a certification but rather a (subjective) attestation by an auditor about a point in time or a review period. We explain below what this means, and why we do not believe that SOC attestation is currently a useful way of providing our customers with security assurance in our company and product.
What is SOC2?
System and Organization Controls (SOC) is the name of a suite of reports produced during an audit conducted against a set of guidelines published by the American Institute of Certified Public Accountants (AICPA). It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue "attestations", or reports, of which internal controls (security measures) are implemented on those information systems to protect the service and the data of its users. The reports focus on controls grouped into five categories called the Trust Services Criteria (formerly Trust Service Principles):
- Security (firewalls, MFA and intrusion detection);
- Availability (performance monitoring, disaster recovery and incident handling);
- Confidentiality (encryption, access controls and firewalls);
- Processing Integrity (quality assurance, process monitoring); and
- Privacy (access control, MFA, encryption).
How is a SOC Audit Conducted?
SOC 2 attestation is performed by auditors external to the organisation, who must be an independent CPA (Certified Public Accountant) or CPA firm. They are supported by technical and security practitioners as needed, but the opinion is issued by the accountancy firm, not by a security body.
The AICPA attestation standard, Statement on Standards for Attestation Engagements no. 18 (SSAE 18), and the AICPA's accompanying SOC guidance define two types of attestation or report. (AT-C section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", is the section that governs SOC 1 reports; SOC 2 reports follow the same two-type structure under the AICPA's SOC 2 guide.)
- Type 1, which describes a service organization's system and whether the design of the specified controls meets the relevant trust criteria as of a specified date; and
- Type 2, which additionally addresses the operating effectiveness of the specified controls over a review period (typically 6 to 12 months).
Additional AICPA guidance specifies three families of report: SOC 1 (controls relevant to a customer's financial reporting), SOC 2 (controls against the Trust Services Criteria; a restricted-use report shared with customers under NDA) and SOC 3 (a general-use summary of a SOC 2 report, without the detailed control descriptions). There are also specialised reports: SOC for Cybersecurity and SOC for Supply Chain.
How does SOC compliance compare to ISO27001?
The main difference between SOC 2 and ISO27001 is that SOC 2 is focused predominantly on providing a subjective attestation that the security controls protecting customer data were in place at a point in time (Type 1) or operated over the review period (Type 2), whereas ISO27001 provides more comprehensive security assurance, in that it requires organisations to prove that they have an operational Information Security Management System (ISMS) in place and that it has been used to manage the organisation's information security programme effectively and on an ongoing basis for the period audited (typically 12 months).
That is, ISO27001 adds mandatory management-system requirements (risk assessment, management review, internal audit and continual improvement) around proving that this management system is in place and is regularly reviewed for conformity to the ISO27001 standard.
AppCheck is certified to ISO27001. Details including our ISO27001 certification can be found on our compliance webpages at https://appcheck-ng.com/compliance/
How applicable and useful is SOC attestation?
SOC 2 attestation is not a requirement for SaaS or cloud computing vendors. The primary market difference is that SOC is a US-focused standard. For companies based outside the US, or doing business internationally, ISO27001 is far more common and more widely accepted by clients.
Unlike ISO27001 or PCI DSS, which audit against a fixed, published set of requirements, SOC 2 reports are unique to each organization. In line with its own business practices, each organization designs its own controls to address one or more of the trust criteria, and the auditor's report gives an independent practitioner's opinion on specific aspects of that organization's control environment. This means that attestation reports can vary significantly from one organisation to another, and that a reader must review the controls and any exceptions listed in each report rather than relying on the simple, standardised assurance that an ISO27001 certificate provides.
Does AppCheck provide SOC attestation?
SOC attestation is not on AppCheck's roadmap at this time, for the reasons outlined above. However, please contact your account manager if SOC attestation is a key requirement for your business.