Why Are SOC 2 Assessments Becoming More Popular in the UK and Europe?

soc 2 type 2 - how to prepare for audits
This is a guest article written by Ty Brush. The author’s views are entirely his own and do not necessarily reflect the views of Risk Crew. Enjoy!

Many European and UK organisations are already ISO 27001 (Information Security Management) certified, and rightfully so as the International Information Security Standard (ISO 27001) serves as the principal cyber security standard for much of the world, and has for some time. However, cyber security compliance is continuously evolving and organisations are now receiving an influx of requests from European companies requesting SOC 2 assessments in addition to ISO 27001. In many vendor contracts, SOC 2 (System and Organization Controls) is now outright replacing ISO 27001! Let’s define SOC 2 and take a look at why the assessment is becoming so popular among the UK and European organisations.

What is a SOC 2 Assessment?

To obtain a SOC 2 report, organisations must undergo an audit by an accredited Certified Public Accountant (CPA), governed by the American Institute of Certified Public Accountants (AICPA). To help organisations ensure the protection of their data and the privacy of their client’s information, a SOC 2 assessment focuses on an organisation’s security controls that are related to overall services, operations and cyber security compliance. SOC 2 assessments can be completed for many organisations of various sizes and across different sectors.

What’s the difference between a SOC 2, Type I and Type II?

SOC 2 assessments can be carried out in one of two ways, classified as Type I or Type II. The biggest difference is, Type II is essentially a historical window.

  • A SOC 2 Type I assessment attests to the design and implementation of controls at a single point in time. The assessor reviews evidence from systems in their current state and produce a Type I report.
  • A SOC 2 Type II assessment attests to the design, implementation, and operating effectiveness of controls over a period of time, usually between 3 and 12 months. In a Type II assessment, the assessor provides assurance that controls are not only designed and implemented but that they have also operated effectively and as intended over the defined period.

The SOC 2 Type II report shows if an organisation has historically been adhering to the controls they have in place. While a SOC 2 Type II assessment takes longer to complete, it offers an extra layer of trust to a potential customer or prospect. To help you determine if SOC 2 is right for your business, let’s examine why SOC 2 has started to catch on in the UK, Europe and the benefits it brings to non-American companies.

Although SOC 2 is typically a customer-driven compliance standard published by an American regulatory body, we are seeing a growing number of UK and European organisations undergoing SOC 2 assessments.

Why are SOC 2 Assessments Becoming More Popular?

Over the past decade, SOC 2 reports have become recognised as the information security baseline for selling any “as-a-service” to U.S.-based businesses. The rise of SOC 2 in the U.S. was large because many large companies needed to be more proactive about the cybersecurity risk management of their third-party vendors. After all, they are trusting these vendors with their most valuable asset – data. These organisations began setting forth requirements stipulating that their vendors must have a SOC 2 report completed as part of the due diligence process to ensure all necessary controls are in place. The trickle-down effect then took over and required all downstream service organisations to implement a SOC 2 programme.

In the last 18 months, a similar chain of events has begun to play out in Europe. As the top issuer of SOC 2 reports in the world, A-LIGN began receiving calls from European organisations that were being required to conduct a SOC 2 assessment. The request was the same each time, “our customer/prospect wants to review our SOC 2 report so they can determine that our organisation, among their supply chain, have the necessary controls in place to protect the data of all parties involved.”

What factors are leading to the increasing need for SOC 2?

In addition to helping build trust with prospects, customers, and partners, there are significant business factors that are leading the push for a SOC 2 for the UK and European organisations. Let’s take a look at the most influential aspects leading this change.

Assurance of the organisation’s security posture

The details that your customer receives from a SOC 2 report is more in-depth than an ISO 27001 pass/fail approach. The end result of a SOC 2 audit is an extensive attestation report that can be up to 100+ pages in length detailing a description of your system, a matrix of your internal controls, and the test results from the auditor. This gives the reader of the report a high degree of assurance regarding your organisation’s security posture compared to the end result of an ISO 27001 audit which is a one-page certification letter. This is one of the leading reasons why the cybersecurity compliance norm in Europe is beginning to shift towards the SOC 2 report.

The cost of doing business

In addition to a more detailed report, security compliance standards, in general are now being considered a cost of doing business. European organisations that want to sell into the U.S., and consider the U.S. a strategic market, are being asked for a SOC 2 report early in the sales process. These organisations are now seeing SOC 2 compliance as a line item included in RFPs and tenders as a requirement in order to compete on a project.

Securing a government contract

The most interesting and recent development we have seen are UK government agencies implementing SOC 2 as a requirement for their vendors or for primes looking to participate in a government contract. The fact that the UK government is selecting an American-regulated security standard will likely have downstream effects for CISOs of other regulated industries across Europe.

Does my organisation need a SOC 2 report?

The short answer is that, if your clients are starting to ask for it, or if you are planning to expand in the U.S., then you should begin planning for SOC 2 without delay. However, even if that’s not the case for your business, you would be well-advised to initiate conversations with stakeholders in your organisation to discuss how a SOC 2 report could help facilitate future growth.

Risk Crew