What is SOC 2 Type 2 Compliance & Why Your IT Provider Should Have It

November 8th, 2022 | IT Security, Security Policies

Aldridge understands the value of our clients’ data to their reputation and future success. Because of this, we obtained our SOC 2 Type 2 Report and completed the certification through the MSP Cloud Verify Program™. Like many other professionals today, you may be asking what exactly SOC 2 compliance is, and why Type II attestation is a value add for the companies Aldridge serves. The American Institute of CPAs (AICPA)’s Service Organization Control (“SOC 2”) audit and report involves a 6-month, third-party Trust Factor Security Audit. The audit is based on the MSPAlliance Unified Certification Standards for Cloud and Managed Service Providers.

“Maintaining SOC 2 Type 2 compliance keeps our organization focused on our processes and controls to make sure that we practice what we preach. Completing the readiness exercise and audit process required a significant investment of money and time, but it was worth it. The audit helps us confirm that our house is in order and that we continue to implement the same processes and controls that we recommend to our clients.”

— Patrick Wiley, Aldridge CEO

The following sections provide a simple explanation of SOC 2 compliance and why you should ask if the IT provider you’re considering is certified.

What is SOC 2 Compliance and How Does It Affect Your Business?

The SOC 2 reporting platform allows companies to measure the integrity of IT Outsourcing Providers they are considering or have already engaged. If an IT Provider cannot complete the SOC 2 Type 2 certification, it is likely that they are not implementing and enforcing the data governance controls, best practices, and IT security strategies required to protect your business. SOC 2 compliance audits measure an IT provider’s formal commitment to data management and security best practices.

Business leaders are no longer limited to relying on an MSP’s “good word.” They can be more proactive about protecting their core business data and systems. Decision makers can see for themselves simply by requesting a copy of the IT Outsourcing Provider’s SOC 2 report. The report is audited and verified by a third party, so decision-makers can trust the credibility of the evaluation.

There are two different types of SOC 2 reporting: SOC 2 Type 1 and SOC 2 Type 2. Both types serve to measure the effectiveness of an IT provider’s data governance policies and procedures. However, the Type 1 report takes a snapshot of the service provider’s standards at a specific point in time. The SOC 2 Type 2 compliance certification aims to prove that those policies and standards are being followed over time. The Type 2 third-party audit and report confirm that the MSP’s policies and standards are being adhered to and maintained throughout everyday business operations.

If SOC 2 Is So Important, Why Don’t All IT Outsourcing Providers Have It?

SOC 2 compliance is just beginning to garner attention from IT Outsourcing and other Technology Solution Providers. However, it’s still uncommon. Many IT providers are not willing to invest in the SOC 2 Type 2 attestation process. Why? Mainly because it takes a significant commitment of money, time, and business resources to complete it. The resulting report also requires MSPs to hold their own organization accountable by highlighting any gaps in their efforts to safeguard both internal and client-related data.

Why Ask IT Providers for Their Audit Report?

IT Providers with SOC 2 Type 2 certification uphold their own data security best practices while helping your business appropriately store, manage, and protect the critical data and systems at the core of what you do. The SOC 2 Type 2 report not only proves an MSP has proper internal controls and best practices in place; it also reveals whether or not the IT provider is following these standards internally, with vendors, and with the clients they serve. A SOC 2 Type 2 compliance report empowers decision-makers to weed out those providers who may put their business data and reputation at risk. Your business’s leadership team can use the report to zero in on MSPs that will add value to the organization, giving them the freedom to reevaluate and act upon hard data to drive business technology decisions.

What is Measured by a SOC 2 Type 2 Report?

SOC 2 Type 2 compliance is not just about the security of a business’s data hosting and transfer systems. It’s about the policies and procedures around how this data is managed, transferred, stored, and secured daily. For a provider to meet SOC 2 compliance, they must manage client data with the five Trust Categories top of mind:

  1. Data security
  2. Data availability
  3. Processing integrity
  4. Confidentiality
  5. Customer privacy standards

The organization must not only develop security policies and procedures but document and follow these processes. The documentation allows the auditor to review an up-to-date history of the company’s efforts around:

  1. Data governance
  2. Policies and procedures
  3. Confidentiality, privacy and service transparency
  4. Change management
  5. Service operations management
  6. Information security
  7. Data management
  8. Physical security
  9. Billing and reporting
  10. Corporate health

If you’re looking for an IT outsourcing provider, you want to choose one that covers its bases, and yours. At Aldridge, we offer IT Outsourcing Services to companies looking for a Technology Solution Partner (TSP) they can trust. We work with our clients to provide the business knowledge and technology expertise they need for success. If you would like to learn more about our approach to data security and how we can help you, schedule time to speak with an Aldridge representative today.