System and Organization Controls 2 (SOC 2) is a cybersecurity framework recommended by the AICPA to demonstrate the efficacy of an organization's security controls with respect to the Trust Service Principles: privacy, security, confidentiality, processing integrity and availability. SOC 2 reports and audits are vital in evaluating an organization's adherence to this framework and its principles.

Two primary types of SOC 2 reports exist:

SOC 2 Type 1 reports provide confirmation that an organization's controls exist at a specific moment in time. Typically, companies seeking their initial SOC 2 certification undergo a SOC Type 1 audit. During this audit, an independent auditor verifies and reports on the organization's control descriptions and their sustainability.

SOC 2 Type 2 reports encompass the same control validation as Type 1, but with an additional focus on assessing the operating effectiveness of those controls. Unlike the snapshot approach of Type 1, a SOC 2 Type 2 audit evaluates controls over a predefined period, typically a minimum of six months according to AICPA recommendations, to demonstrate their effectiveness in normal operations.

SOC 2 Trust Service Principles (TSP) are a set of criteria used to evaluate and assess the controls implemented by service organizations. These principles serve as the foundation for SOC 2 audits and reports. There are 61 criteria and approximately 300 points of focus for Trust Services. Here are the five main Trust Service Principles:

Privacy: Policy dictates the appropriate use, retention, collection, disclosure, and disposal of personally identifiable information (PII).

Security: Measures are in place to protect systems and data against unauthorized access, disclosure, and damage that could jeopardize the system's ability to achieve its objectives.

Confidentiality: Confidential information is safeguarded and secured in accordance with established protocols.

Processing Integrity: System processing ensures accuracy, validity, completeness, and timeliness, maintaining the integrity of customer data throughout data processing.

Availability: Controls are implemented to ensure the availability of information and systems, supporting the operational and strategic objectives of the company and its clients.

Organizations can choose which of the remaining Trust Service Principles they would like to include in the audit. Service organizations are evaluated against these Trust Service Principles to demonstrate their compliance with SOC 2 standards and to provide assurance to customers and stakeholders regarding the effectiveness of their controls in these areas.

BeyondTrust’s Privileged Remote Access has significantly simplified our journey to achieving SOC 2 compliance. It ensures detailed and transparent zero trust security controls around access and monitoring, along with comprehensive auditing and evidence gathering capabilities.

—Shane Carden, CIO, Behavox

SOC 3 reports share similarities with SOC 2 Type 2 reports, although they are not as extensive or exhaustive in their final presentation. Nevertheless, both SOC 3 and SOC 2 Type 2 reports draw on the same source material. SOC 3 reports cater to companies seeking to reduce the level of detail included in the report, enabling them to distribute it publicly while maintaining confidentiality.

The primary purpose of SOC 2 compliance is to maintain a baseline of security that reduces the likelihood of breaches and other security incidents. Passing a SOC 2 Type 2 audit, in particular, can also ensure an organization does not incur fines due to noncompliance.

Since many SOC 2 requirements represent universal cyber risk management best practices, addressing SOC 2 compliance can also help organizations address compliance for other frameworks, such as ISO 27001 and HIPAA.

Finally, achieving SOC 2 compliance can give your customers more confidence in your solutions, particularly compared with competing vendors that have not earned compliance.

BeyondTrust has successfully completed and demonstrated SOC 2 compliance for multiple products. Our SOC 2 achievements validate that critical service commitments and system requirements are in place, giving customers and partners the peace of mind they need in an enterprise-class cloud service. Our customers can feel confident that we continue to prioritize investments to establish and maintain the highest level of security and compliance for our solution portfolio.

Learn more: SOC 2 Compliance for BeyondTrust Products

BeyondTrust provides foundational security that helps our customers reduce risk and achieve compliance with major initiatives, including SOC 2. With BeyondTrust PAM solutions, you can:

  • Enforce least privilege across all endpoints, accounts, and identities
  • Provide secure, VPN-less remote access that includes two-factor authentication (2FA)
  • Securely manage all privileged credentials (passwords, secrets, SSH keys, etc.)
  • Monitor, manage, and audit every privileged session, whether human, machine, employee, or vendor
  • Proactively identify identity-based attack vectors and attack pathways

Talk to us about your SOC 2 Type 1 & Type 2 compliance needs.


“We prioritize the security and privacy of our data above all. When vendors like BeyondTrust present their SOC 2 report, it instills in us a confidence in their potent security controls for safeguarding our sensitive data. This is more than a mere procedural formality; it is about selecting a partner worthy of our data trust.”

—Shane Carden, CIO, Behavox
