SOC 2 vs. The Other Guys: Comparing Apples to Oranges

Christian Vezina, October 7, 2014

This year, OneSpan set a precedent as the first cloud-based e-signature solution to complete a Service Organization Control (SOC) 2 attestation. In an audit by EY (Ernst & Young), OneSpan's data protection technologies and processes were verified as SOC 2 compliant, setting the system and company in the ranks of organizations including Google, Amazon Web Services (AWS) and Salesforce.

Security-conscious organizations moving to the cloud are looking for assurance that the vendors they work with meet the necessary security requirements. While there are a number of compliance programs in place at the data center level (e.g., HIPAA, SOC 1/SSAE 16, SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, etc.), as well as military-grade physical controls, we wanted to go above and beyond for our customers. The SOC 2 attestation ensures our customers and prospects that controls and procedures are operating effectively at the system level, day in and day out.


Electronic Signature

The Beginner's Guide to Electronic Signatures

Comprehensive guide to getting started with e-signatures

Download Now

With multiple frameworks and certifications in the market, there is a lot of confusion about what can attest to the security of a system.

  • SSAE 16 / SOC 1 focuses on controls over financial reporting. Its value is best suited for financial processing systems such as payroll system. SOC 1 does not look at technology. According to French Caldwell, VP and Gartner Fellow, "So, to be clear, SSAE 16 (or SOC 1) is relevant for compliance with Sarbanes-Oxley and similar laws. It does not provide comprehensive assurance for security, availability, processing integrity, confidentiality or privacy controls. That’s the purpose of SOC 2, a companion standard to SOC 1."
  • ISO 27001 certification is proof of an organization’s ability to maintain an effective Information Security Management System. It’s comparable to getting a house inspected. The house may be very clean on the day of inspection, but once the inspection is complete, there is no real way to verify the cleanliness standard of the house. Similarly, ISO 27001 provides "point-in-time" assurance and the process does not provide enough assurance that a system is secure every day over an extensive period of time.
  • SOC 2 focuses on technology and the processes behind the security of the service.   It ensures that controls are in place at all times -- not just a single point in time. SOC 2 was introduced in 2011 to answer the need to assess technology and how it was used by service organizations to offer security, confidentiality, availability, processing integrity and privacy. We selected SOC 2 because it’s the most meaningful and relevant security standard in the market. Prospects or customers wanting insight into technology and processes behind the security of OneSpan can request a copy of our SOC 2 report.

SOC 2 is being used more and more by service organizations to attest to the security of their SaaS service and provides the right level of assurance that an e-signature system is secure.  If you want to know more about SOC 2, give your sales representative a call. 

As CISO for OneSpan, Mr. Vezina’s role is to lead the overall OneSpan corporate information security strategy. With 30 years of IT experience in varied environments, Mr. Vezina has dedicated the last 15 years to information security.