We’re excited to announce that Blameless is officially SOC 2 compliant! This is part of our larger efforts to assure all the users of Blameless and visitors to our site that we’re meeting and exceeding all of your privacy and security needs. Learn more by visiting our security page!
When choosing a service, it’s important to have trust in the provider – especially for something as important as your incident management. Frameworks like SOC 2 provide a universally recognized proof of our trustworthiness.
What is SOC 2 Compliance?
System and Organization Controls 2 (SOC 2) is a security framework that prescribes standards for an organization’s security, availability, and confidentiality. Originally developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 helps users trust that an organization is meeting the responsibilities needed to protect them.
The standards prescribed by SOC 2 vary based on the organization’s specific commitments to users and the risks those commitments entail. For example, if a medical organization stores healthcare data for users, then its SOC 2 compliance will depend on keeping that data reliably available to the user alone, and securely unavailable to everyone else.
The scope and requirements of SOC 2 are defined by Trust Services Criteria, or TSC. TSCs generally fall into three broad categories:
Security – these factors are probably what you think of when you think “security”: how do we stop hackers and other bad actors? This covers restricting access and managing account types, password management and other login requirements, and sealing off any other back doors. These criteria are essential to any SOC 2 compliance.
Confidentiality – when you provide data to a service, you want to be sure that no one else gets to peek at it. Confidentiality criteria define standards of privacy for the different types of data you submit and restrict access accordingly. Aside from user-submitted data, this also covers business relationships where company secrets have to be shared privately.
Availability – this category looks at something near and dear to our hearts: a service’s ability to remain consistently available and meet users’ expectations. The TSCs here push you towards a solid foundation of reliability, requiring things like disaster recovery plans and regular backup tests.
Your organization will choose TSCs that reflect the services it offers. If no user data is being stored, for example, then you don’t need to worry about confidentiality TSCs. Once the TSCs are chosen, the organization works together to achieve compliance with them. This is a cross-team, multi-functional process that may require everything from changing the codebase, to having legal teams rewrite contracts, to rolling out new hardware to employees.
Once your organization meets the TSCs, a third-party auditing service is called in. The auditors work through each criterion and judge whether the organization is meeting it. They’ll also judge whether any additional TSCs are required.
If the organization passes the audit, hooray! They’re now SOC 2 compliant and can proudly proclaim it to their users. We’re happy to join this illustrious club.
Want to make a disaster recovery plan that inspires confidence? Blameless can help with our one-stop incident response workflow! See how by starting a free trial!