I’m extremely proud to announce that Pagefreezer is now SOC 2 Type 1 and Type 2 compliant. We have always made use of compliant data centers to store information, but over the last year our organization itself has now gone through the rigorous SOC 2 auditing process to achieve compliance.
This is yet another crucial step in our ongoing commitment to the protection of customer data, proprietary information, and personal data. By attaining ISO 27001:2013 certification last year, we showed that we are doing everything we can to protect the confidentiality, integrity, and availability of information, systems, and services. Having now gone through the full SOC 2 auditing process as well, we can further demonstrate that we have the necessary controls in place to mitigate the risks inherent to the service we provide, and we can better measure how we handle and govern the information we manage.
What Is SOC 2?
Where ISO 27001 is a recognized framework for implementing an effective information security management system, SOC 2 is a more detailed, customer-focused assessment that looks at the logical and physical controls a service organization has put in place. It examines how the company controls and limits access to data, how the users granted that access are authenticated, and how any inappropriate activity is detected, reported, and managed.
SOC stands for System and Organization Controls, and was developed by the American Institute of Certified Public Accountants (AICPA). It is governed by this accounting institute because it originally started with SOC 1, which examines a service organization's controls relevant to the audit of a customer's financial statements. SOC 2, however, reports on the effectiveness of the controls a service organization has created to protect the security and confidentiality of the information it handles.
SOC 2 defines criteria for service organizations to manage customer data based on five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), and the outcome of the audit process is an independent auditor's SOC 2 report.
That said, it's important to distinguish between SOC 2 Type 1 and Type 2. Type 1 is a point-in-time audit reporting that organizational controls are suitably designed to meet the trust services criteria as of the report date; we received our Type 1 report in October 2019. Type 2 is a full audit involving examination and testing of the controls described. It reports on the operating effectiveness of those controls over a period of time.
Why SOC 2 Compliance Is Important
Our goal is to offer transparency by providing a third-party's detailed account of Pagefreezer’s controls related to security and confidentiality.
Many organizations offer security policies and practices on their websites. But if these are self-reported, a customer has no real insight into the efficacy of the controls. ISO 27001 certification and a SOC 2 report provide third-party evidence that Pagefreezer is living up to our security commitments.
Potential customers often have questions about our security policies: how we respond to incidents, protect data, and control access. The SOC 2 report is a lengthy and detailed document that answers these questions and gives readers the opportunity to understand our company, the systems we have in place, our operations, and our technical controls. They can then use this information to assess risk and know they are making the right choice in Pagefreezer as a vendor. Our SOC 2 Type 2 report also gives existing customers assurance that the controls we have in place are implemented and operating effectively to meet the criteria for security and confidentiality of their data.
The SOC 2 Audit Process
In Pagefreezer’s case, the independent auditor’s report is a lengthy 125-page document. It attests that Pagefreezer has put in place controls for information security and confidentiality that are suitably designed (according to the trust services criteria), and that after in-depth testing and examination, these controls operated effectively throughout the review period.
The report provides a detailed description of the controls in place that meet the SOC 2 Trust Services Criteria, including the products and services we provide, our corporate oversight and internal governance, descriptions of our infrastructure and systems, the technical safeguards in place, vendor management, risk management, and the policies and procedures in place for managing security and confidentiality across the organization.
At the start of the process, we provided descriptions of our controls, covering every aspect of the company and the policies and practices in place, and these were reviewed to make sure the controls were adequately designed. We then provided evidence, as requested, covering a three-month review period. Our Security Team and the process owners for all control areas took part in an inquiry process with the auditors, who observed processes, inspected systems and records, and tested controls. After this period, the audit firm provided feedback and created the report based on the evidence provided and our descriptions of our systems. The auditor found that we met all the criteria and that there were no exceptions in the test results.
Tips for Preparing a Company for a SOC 2 Audit
For more information about security at Pagefreezer, please visit our Security Page. Below I've also put together some tips for any company preparing to embark on a SOC 2 audit:
- Be diligent when choosing an auditor. Finding a CPA firm whose auditors also have the right technical knowledge and experience relevant to your business can streamline the lengthy auditing process.
- Take time to train and educate employees across the organization in your security policies and expectations, as their compliance in the day-to-day operations of the company will be closely examined. There are plenty of great online cyber security courses that you can use to help train and educate employees.
- Put a dedicated security team in place to coordinate with the SOC auditors, understand expectations, and prepare your team, well before the examination process begins.
- Prepare process owners from across your organization. It's likely that members from finance, HR, operations, and customer experience through to IT will be asked to contribute to the SOC auditing process.
- Maybe you've implemented great security practices and controls, but for SOC 2 you also need to be able to prove their effectiveness, so you're going to need good evidence. Keep logs, reviews, and records of all the work your security team and the entire organization is doing over time; an auditor can only test a control for which evidence exists across the whole review period.