SOC 2 Penetration Testing Services
SOC stands for Service Organization Control, and SOC 2 compliance is the industry standard for technology service organizations. To become SOC 2 compliant, a company must undergo a cybersecurity audit. This audit examines five controls, known as the Trust Service Principles (TSP): security, availability, processing integrity, confidentiality, and privacy. Auditors confirm that these five controls are relevant to the organization's industry. Cybersecurity experts recommend penetration testing once a quarter or twice a year as part of SOC 2 compliance audits.
There are two types of SOC 2 audits: Type I and Type II. A SOC 2 Type I audit is primarily a documentation review, whereas a SOC 2 Type II audit is a review of operations, that is, of how effectively the controls are implemented.
Penetration testing is primarily used to test control effectiveness in SOC 2 Type II audits.
Below is a high-level comparison of SOC 2 Type I and SOC 2 Type II:
- SOC 2 Type I - an audit of management's description of a service organization's system and the suitability of the design (documentation) of its controls. A SOC 2 Type I audit looks at "a point in time" for the systems in scope: how the organization's management describes the systems and what controls are in place around them. The auditor issues an opinion (attestation) based on management's description of the controls and a review of the documentation (artifacts provided) supporting those controls.
- SOC 2 Type II - an audit of management's description of a service organization's system and the suitability of the design and operating effectiveness of its controls. A SOC 2 Type II audit looks at how the controls are described and used over a minimum 6-month time frame. The intent is to determine whether the controls are functioning as described by management. The auditor tests the controls and provides an opinion (attestation) comparing management's description against the operating effectiveness (test results) of the controls.
Although SOC 2 only specifies a penetration test every 180 days, we recommend a quarterly program that includes validation testing.
Contact us for a free consultation on penetration testing.