SOC 2 Type II Compliance: Why You Should Partner with a Compliant MSP

Transcription

Carol: Hi, I’m here with Eric Hammond at MIS Solutions, and this month we’ve been talking a lot about SOC 2 Type II compliance. I wanted to get with you if we could, and just find out a little bit more about what is it, what kind of companies need it and why is it important for an MSP to be SOC 2 Type II certified?

First of all, why is it important for businesses to partner with an MSP that is SOC 2 Type 2 certified?

Eric: Yeah, great question. The first thing I want to put out there is, what does SOC stand for? Do you know?

Carol: The little things you put on your feet?

Eric: Yep. Nope, not them. S-O-C is System and Organization Controls.

And now to answer your question, why is it important that you partner with an MSP who has a SOC 2 Type II? So, it’s helpful to understand that when it comes to the managed service provider industry, it’s a bit like the Wild West. There is no governing body out there that is licensing you to be a managed service provider.

Meaning that tomorrow, I could go out, buy some software, and start calling myself a managed service provider. How are you, the client, going to know that I’m of any substance? I don’t have a state or federally issued license. You’ve got no way of knowing, right? And so, what the SOC 2 Type II certification allows us to do is in lieu of having that governing body that’s absent, right?

We can say, hey, we have met this standard, which is a globally recognized standard, okay? And so it’s a way to differentiate ourselves in the marketplace and let our clients know, hey, we’re not just some guy or girl who started yesterday, right? We have been vetted, right?

Carol: Okay, so there’s SOC 2 which MIS Solutions is SOC 2 Type II compliant. What is SOC 2 Type I?

Eric: Yeah, good question. SOC 2 Type I is really step one in getting your SOC 2 Type II. And basically, what the difference is: a Type I means you have all of the procedures in place and documented to comply with all of the controls, right? Pursuant to a SOC certification. You’ve got the documentation.

And you’ve shown the documentation to a third-party auditor, right? That’s SOC Type I. Now, the difference to get to a SOC 2 Type II means not only do I have the documentation, here’s evidence that I’m actually following my SOP, my standard operating procedures, right? And so, it is a significant difference, right?

Someone who’s just Type I, all that means is they’ve written out all their policies and they’ve provided those policies to an auditor. And while that’s a huge step and that’s good, and folks who have done that should be applauded, it is a giant leap from saying “here’s my policies” to “here’s evidence showing that I’m actually doing it.” So, it’s actually walking the walk. 100%. Yeah. And it is a third-party auditor that comes in and conducts the audit annually.

Carol: Oh, okay. Alright, so it’s not just us saying, “Hey, we…”

Eric: No, it’s not a one-and-done, unfortunately. It is a lengthy process, typically six to eight months every year.

Carol: Alright. So how does an MSP’s SOC 2 Type II certification ensure stronger data security for their clients?

Eric: Yeah. So great question. So, there are roughly 99 controls, okay? And they range in criteria from backup disaster recovery plans, antivirus, policies regarding your hiring practices, your vendor management.

And so it’s meant to give a holistic view of how your business operates based on known best practices. For example, we know we should be backing things up. We know we should back data up. Are you doing it? And how are you doing it? And show me evidence that you are doing it.

Carol: Okay.

Eric: And so, it’s meeting that standard of best practice across a plethora of business operations.

Carol: Okay. And so, what specific operational practices or safeguards are guaranteed by the MSP with SOC 2 Type II compliance?

Eric: So really what you’re guaranteeing with SOC 2 Type II is that an unbiased party has come into the picture and they’ve evaluated. You’re no longer taking my word for it that I’m awesome.

I can tell you I’m awesome all day, right? Yeah. But if we have an unbiased party that comes in and evaluates me and says, yes, he is really awesome, there’s some more credibility and legitimacy to the statement that I made that I am awesome, right? And it’s the same thing for the SOC 2 Type II, across all of those business-critical aspects.

We have somebody that comes in who is unbiased, verifying and legitimizing our claim of being awesome.

Carol: Okay. Really, when you just get right down to it, having the SOC 2 Type II certification, or working with an MSP who has SOC 2 Type II certification, just provides more peace of mind for the client.

Eric: Yeah. Yeah, no, it really does provide peace of mind, but it is that one standard that you can say this managed service provider has gone the extra mile to differentiate themselves, to develop all the policies and the processes and the procedures, to make sure they are meeting and exceeding the best practices across these functional areas.

And they’ve done so with a third party coming in and taking a look, and they’re doing it year over year again. Because in the absence of that, how do you know? I can tell you I backed up data and I follow best practice, but how do you know, right? You don’t; you just got to take my word for it, right? This is a way of saying, don’t take my word for it. Take theirs, right?
