No. SOC 2 is not a legal or regulatory requirement for anyone. That said, SOC 2 is one of the most common frameworks organizations use to demonstrate that they have controls in place to protect customer data. In practice, your organization will usually be asked to complete a SOC 2 audit as part of landing a customer contract, and for SaaS companies a SOC 2 report is increasingly a necessity rather than a nice to have.
SOC 2 offers a Type 1 and a Type 2 report. A Type 1 report is a point-in-time snapshot: the auditor evaluates whether your controls are suitably designed and implemented as of a specific date. A Type 2 report tests whether those same controls actually operated effectively over an extended period, usually 6-12 months. Type 2 is the report most organizations aim for, because it demonstrates that the SOC 2 program is maintained over time rather than just existing on the audit date.
Yes! Security awareness training is a requirement for SOC 2. You can design your security awareness training policy any way you would like, as long as you ensure that every employee is part of a formal security awareness training program and can provide evidence for it. Curricula helps your employees learn to speak the basic language of SOC 2 by giving every employee free access to our SOC 2, Phishing, and Intro to Cyber Security training episodes. Our team worked with industry experts and auditors to define a SOC 2 starter plan to get you up and running quickly to complete your SOC 2 training requirements.
Security awareness training is important because it is the foundation of your employees' understanding of SOC 2 and of their role in the controls you are implementing. Employee buy-in is just as important as the controls themselves: a policy nobody follows will not survive an auditor's sampling of evidence. Think of security awareness training as the hype man behind all of the hard work and effort going into your SOC 2 compliance program.
Trust. When your organization is discussing working with another organization, trust needs to be established. SOC 2 is a way to demonstrate that customers can trust you, because an independent auditor has confirmed that you operate a formal security program focused on protecting their data. Many organizations now require a SOC 2 report from new vendors as a condition of signing a contract.
Security (also called the Common Criteria) is the only criterion required in every SOC 2 audit; the other four are included based on the commitments you make to customers. Below is a summary of the 5 Trust Services Criteria.
1. Security: The system is protected against unauthorized access, use, and disclosure, both physical and logical. This covers controls such as access management, change management, risk assessment, and monitoring.
2. Availability: The system is available for operation and use as committed in contracts or service-level agreements.
3. Processing Integrity: System processing is complete, valid, accurate, timely, and authorized. This is common for companies offering financial or e-commerce transaction processing, where the report should detail the controls that safeguard transactions.
4. Confidentiality: Information designated as confidential is protected as committed. Include how such data is stored, transferred, accessed, and eventually disposed of, and who may share it.
5. Privacy: Unlike confidentiality, this criterion focuses specifically on personal information: how your organization collects, uses, retains, discloses, and disposes of it. Your privacy notice must align with your actual operational procedures.
Most security and compliance automation vendors already have template policies defined for security awareness training. It's important to remember that YOU make YOUR OWN policies. The biggest mistake we see organizations make in their SOC 2 security awareness program is over-defining their controls: once a policy says "quarterly training for all contractors within 7 days of onboarding," the auditor will ask for evidence of exactly that. Don't make your requirements so complex that they are challenging to keep up with. That's why Curricula has designed a program to get you started, keep you compliant, and make it simple for employees to complete annually.
No. SOC 2 defines the criteria your controls must satisfy, but it is up to you and your organization to define what those controls are and how they operate. There is a lot of flexibility in SOC 2, so your auditor will ask how and why you arrived at the controls you chose to implement. They will then verify that your defined controls are implemented and operating as described. Our best advice is don't overdo it.
Curricula is currently in progress on our own SOC 2 compliance journey! We have implemented most of the required controls and are now gathering the evidence for our audit later in 2022.
We are experts at security awareness training. Period. We don't run SOC 2 audits for you or help you prep for them. Curricula provides your employees a simple security awareness training program designed to meet the SOC 2 training requirement. We help your organization launch this program to every employee in less than 15 minutes and help you produce the completion evidence your auditors will ask for.
Yes! Curricula is designed to grow with an organization and its needs starting from Day 1. Our free plan gives every startup the basic necessities to build and launch their first security awareness program effortlessly. Then as your security program matures, we offer additional paid plans that will unlock more content and tools for a mature security awareness program.