The United States represents an attractive market for many European companies, but international expansion can be fraught with risk because of a completely different regulatory landscape.
Some of these regulations are imposed by the United States government, while others are voluntarily self-imposed by organisations that want to take additional steps to demonstrate their information security and cybersecurity maturity and trustworthiness. SOC 2 is representative of these voluntary compliance initiatives. European organisations are no strangers to compliance. After all, the General Data Protection Regulation (GDPR) ushered in a new wave of privacy regulations that were so impactful that organisations around the world were forced to adapt. In fact, so many American companies get asked to prove their compliance with GDPR when they begin to do business with European partners that the ability to demonstrate compliance has become a unique selling proposition. Just as American companies leverage GDPR compliance to expand into Europe, European companies can leverage a common security framework, SOC 2, to expand into the United States.
Furthermore, some of these voluntary security frameworks – including SOC 2 – have grown so popular that many organisations include them as a requirement for new business partners. These certifications may seem voluntary, but they are essentially mandatory regulations to do business with the largest companies in the United States. Other organisations that do not explicitly require security certifications frequently include lengthy security questionnaires in their new business proposals, which can be much more easily addressed by producing a SOC 2 report.
A SOC 2 report can only be produced by a US-based certified public accountant (CPA) since SOC assessments are governed by the American Institute of Certified Public Accountants (AICPA). A SOC report is intended to validate the controls of an organisation, so they can quickly establish trust. There are five Trust Services Criteria categories that a SOC report can assess: security, availability, processing integrity, confidentiality, and privacy. Of these five, only security is required – security is frequently referred to as the common criteria.
A SOC 2 report can also be produced in two types. A SOC 2 Type I report details the controls an organisation has implemented to address its Trust Services Criteria, providing a snapshot of a single moment in time. A SOC 2 Type II report provides a more in-depth examination of the efficacy of those controls over a period of six to twelve months.
A SOC 2 report is valid for 12 months, so an audit should be conducted annually, and organisations often align the Type II report to cover a consistent 12-month period. If an organisation is approaching a SOC 2 audit for the first time, it may want to begin with a readiness or gap assessment to identify which controls need to be implemented or improved. Many of these controls are focused on codifying organisational policies and procedures, while others are focused on implementing technical solutions.
Many European organisations are already ISO 27001 (information security management) certified. So an obvious question is: why do they also need to obtain a SOC 2 report? There is certainly a significant overlap between the SOC 2 and ISO 27001 frameworks – organisations that are already ISO 27001 certified are well-placed to work towards becoming SOC 2 compliant. However, there are areas where the SOC 2 and ISO 27001 frameworks don’t coincide. Being blunt, many US customers are unwilling to accept ISO 27001 certification as an alternative to SOC 2, in which case European organisations are obliged to obtain a separate SOC 2 report to complement their current ISO 27001 certification.
European organisations that want to expand into the United States are well-advised to pursue a SOC 2 report. However, these organisations may soon find that SOC 2 is just the tip of the iceberg, as there could be additional value to be gained from other US-focused security frameworks, such as SOC 1, HIPAA, HITRUST, FedRAMP, CMMC and others. As organisations begin to conduct these transactional audits to demonstrate trust and win new business, they should also start to think about strategic compliance. Strategic compliance is the process of consolidating audits and audit service providers to streamline the audit process, which offers great savings of time and money, along with the potential to accelerate digital transformation initiatives.
A-LIGN is the world’s leading information and cyber security assurance specialist, capable of undertaking accredited assessments and certifications for a wide range of standards and frameworks, including SOC, ISO and many others. This makes us the ideal strategic compliance partner. And with more than 300 employees around the world, A-LIGN can be your global partner. If you are a European organisation that is looking to expand into the United States, you should start with a SOC 2 assessment, and if you are ready to begin, let A-LIGN guide your way.
Contact A-LIGN today with any questions about how a European company can grow its business in the United States with compliance.