Security compliance TrustOps Designing security programs SOC 2

SOC 2 framework: a path to good operational governance

By Michelle Strickler

Before joining Strike Graph, Michelle coached companies, from startups to public enterprises, through their compliance initiatives. She is a passionate advocate for a risk-based approach to IT compliance, as well as for an increased role of effective IT governance. In a past life, she was an IT Auditor, but don’t hold that against her.

Before joining Strike Graph, I was an IT compliance program manager for a handful of my own clients. During every annual SOC 2 audit, one VP of engineering would consistently ask why the auditors wanted to see so much HR “stuff.” My go-to answer was that the SOC 2 framework isn’t just about IT and security controls. It covers operational business controls that reflect a holistic approach to good governance.

What is the SOC 2 framework?

SOC 2 — which stands for System and Organization Controls — is one of the most common attestations and is quickly becoming a requirement for security-conscious enterprises that rely on cloud service providers. The SOC 2 report is issued by an independent Certified Public Accountant (CPA) stating that an organization's data management practices are meeting a set of criteria issued by the AICPA

Unlike some frameworks that have a narrower focus, SOC 2 requires you to demonstrate solid corporate governance practices across the organization.


How does the SOC 2 framework assess business operations?

Because about a quarter of the SOC 2 framework criteria relate to business operations, various departments in your organization will be involved in the compliance process for the SOC 2 framework. The leadership team, HR, procurement, and even customer support should be prepared to participate in establishing the following controls: 

  • Corporate oversight from your board (or owners, if there is no board)
  • Corporate values and ethics
  • HR hiring and personnel practices
  • Internal and external communication practices
  • Vendor management
  • Risk oversight

SOC 2 Controls by department

Why are there so many business and operational controls in the SOC 2 framework?

  • Enron debacle put the spotlight on corporate governance.
  • Sarbanes Oxley (SOX) Act requires internal security controls.
  • SOC2-COSO merger added operational controls.

To understand why the SOC 2 framework has such broad business and operational controls, we need to go back a bit in time. Remember the Enron debacle in 2001? In response, a new focus on corporate governance through compliance emerged. The Sarbanes Oxley (SOX) Act was passed, requiring all companies to document their internal security controls. And, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s security framework, created in 1992, came to the forefront. The COSO framework outlines a set of overarching corporate governance controls related to monitoring, risk, communications and oversight of a control environment.   

The SOC 2 framework was developed by a member of COSO — the American Institute of Certified Public Accountants (AICPA). A few years ago, the AICPA merged COSO and the existing SOC 2 framework, introducing more operational controls. That’s why today’s SOC 2 framework includes a broader array of criteria than the original SOC 2 framework.

Why do SOC 2 framework business operational controls matter?

The answer is simple — trust through certification. Because the SOC 2 framework covers more than just IT security, it allows organizations to demonstrate that they prioritize all-around good corporate governance.

Meeting traditional IT security criteria (like those in the Security SOC 2 Trust Services Criteria) is important but not sufficient. For example, well-designed HR hiring practices, such as background checks or a robust interview process, can help mitigate the risk of hiring unscrupulous individuals that could leak sensitive information and land you in the news — or worse.

Your customers will appreciate knowing that your executive team is ethical, employees are well trained, laws are adhered to, and that you take the security of their data seriously. This is what makes the SOC 2 framework more valuable than just an IT framework. Spending time to get the operational controls right is just as important as all of the IT controls and is integral to achieving SOC 2 compliance. This, in turn, leads to customer trust — which is key to unlocking revenue.

Using a SOC 2 framework

Ready to start building trust in your operational governance through SOC 2 compliance?

Strike Graph’s tailored, scalable approach — alongside our expert customer success managers who are familiar with both IT security solutions and business operations — makes it easy and painless for your company to achieve SOC 2 compliance. 

Rather than taking a traditional checklist approach to compliance, Strike Graph rightsizes the SOC 2 process for your company’s unique needs, eliminating busywork and helping your business achieve SOC 2 compliance faster and more efficiently.

When you're ready to expand your culture of compliance, building further trust with your customers, Strike Graph grows with you, working alongside your team to guide you through your unique compliance journey. Our platform supports PCI DSS, ISO 27001, ISO 27701, HIPAA, GDPR, and CCPA.


  • copy-link-icon

    Copy URL

  • facebook-icon
  • linkedin-icon

Are you ready to build trust through cybersecurity?