
Steps to Schedule Your SOC 2 Penetration Test:
- Schedule a 30-minute Discovery Session
- We determine IF and HOW we can help
- We provide a Tailored Proposal
- Together, we review the Proposal
Developed by the AICPA, SOC 2 is specifically designed for technology service providers that store client data in the cloud. SOC 2 applies to nearly every SaaS (Software-as-a-Service) company, as well as any company that uses the cloud to store client information. To become SOC 2 compliant, companies must conduct a cybersecurity audit. This audit analyzes five controls, known as the Trust Service Principles (TSP): security, availability, processing integrity, confidentiality, and privacy. Auditors assure that these five controls are relevant to the industry. We recommend penetration testing once a quarter as part of SOC 2 compliance.
There are two types of SOC 2 Audits – Type I and Type II. A SOC 2 Type I audit is more of a documentation review, whereas a SOC 2 Type II audit is a review of operations – control implementation effectiveness.
Penetration testing is primarily used to test control effectiveness in SOC 2 Type II audits.
Below is a high-level comparison of SOC 2 Type I and SOC 2 Type II:
[/vc_column_text][vc_column_text el_class=”ft18″ css=”.vc_custom_1591540421960{padding-left: 30px !important;}”]-
SOC 2 Type I – an audit of management’s description of a service organization’s system and the suitability of the design (documentation) of controls. A SOC 2 Type I audit looks at “a point in time” of the systems in scope, how the management of the organization describes the systems, and what controls are in place around the systems. An auditor will issue an opinion (attestation) based on management’s description of the controls and a review of the documentation (artifacts provided) around these controls.
-
SOC 2 Type II – an audit of management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls. A SOC 2 Type II audit looks at how the controls are described and used over a minimum of a 6-month time-frame. The intent is to determine if the controls are functioning as described by the management. An auditor will test the controls and provide an opinion (attestation) based on the description by management versus the operating effectiveness (test results) of the controls.

Although SOC 2 only specifies a penetration test every 180 days, we recommend a quarterly program that includes validation testing.
Contact us for a no-cost consultation on penetration testing.
[/vc_column_text][vc_custom_heading text=”Have questions or interested in a penetration test or assessment? Complete the form below and we’ll get back with you right away. We appreciate your interest.” font_container=”tag:p|text_align:left|color:%2302548a” google_fonts=”font_family:Roboto%3A100%2C100italic%2C300%2C300italic%2Cregular%2Citalic%2C500%2C500italic%2C700%2C700italic%2C900%2C900italic|font_style:500%20bold%20regular%3A500%3Anormal”][vc_raw_js]JTNDJTIxLS0lMjAlNUJpZiUyMGx0ZSUyMElFJTIwOCU1RCUzRSUzQ3NjcmlwdCUyMGNoYXJzZXQlM0QlMjJ1dGYtOCUyMiUyMHR5cGUlM0QlMjJ0ZXh0JTJGamF2YXNjcmlwdCUyMiUyMHNyYyUzRCUyMiUyRiUyRmpzLmhzZm9ybXMubmV0JTJGZm9ybXMlMkZ2Mi1sZWdhY3kuanMlMjIlM0UlM0MlMkZzY3JpcHQlM0UlM0MlMjElNUJlbmRpZiU1RC0tJTNFJTNDc2NyaXB0JTIwY2hhcnNldCUzRCUyMnV0Zi04JTIyJTIwdHlwZSUzRCUyMnRleHQlMkZqYXZhc2NyaXB0JTIyJTIwc3JjJTNEJTIyJTJGJTJGanMuaHNmb3Jtcy5uZXQlMkZmb3JtcyUyRnYyLmpzJTIyJTNFJTNDJTJGc2NyaXB0JTNFJTBBJTNDc2NyaXB0JTNFJTBBJTIwJTIwaGJzcHQuZm9ybXMuY3JlYXRlJTI4JTdCJTBBJTA5cmVnaW9uJTNBJTIwJTIybmExJTIyJTJDJTBBJTA5cG9ydGFsSWQlM0ElMjAlMjIzNzgwOTcxJTIyJTJDJTBBJTA5Zm9ybUlkJTNBJTIwJTIyM2E5MjIzZjktZjEyYy00NTYyLWJhOWEtN2NjNjBlYjFhNTUxJTIyJTBBJTdEJTI5JTNCJTBBJTNDJTJGc2NyaXB0JTNF[/vc_raw_js][/vc_column][/vc_row]