Data Backups for SOC 2 Compliance

Andrew Abwoga


SOC 2 is an auditing procedure, developed by the American Institute of CPAs (AICPA), that seeks to verify if your service providers are securely managing your data to protect the interests of your business and the privacy of its customers. SOC 2 defines the criteria for managing data based on five “trust service principles”–security, availability, processing integrity, confidentiality and privacy.

Types of SOC 2 Reports

There are two types of SOC 2 reports; that is, SOC 2 Type 1 and SOC 2 Type 2 reports. Both reports have similarities as far as describing an organization’s processes and controls are concerned. Their key difference is time.

  • SOC Type 1 report describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.
  • SOC Type 2 report describes the operational effectiveness of those systems.

Why comply?

SOC 2 compliance is not a legal or regulatory requirement. It is essentially a means to prove compliance with its requirements to your customers. The worst-case scenario for not being SOC 2 compliant is that you could lose prospective customers who may require you to prove your compliance against SOC 2 requirements. Furthermore, SOC 2 gives you the opportunity to fix your security controls. Considering the trust service principles that you have to adhere to, you will be basically turning the table against:-

  1. Lack of proper data security – You may have thought of protecting data throughout its life cycles; that is, during collection or creation, use, processing, transmission, and storage.
  2. Lack of availability controls – Having availability controls essentially means that you are protecting your data/services from denial of access as a result of actions from external/internal threat actors like ransomware or internal systematic issues. This is very key in ensuring your customers always have access to services and data.
  3. Lack of processing integrity – Keeping your data integrity in check ensures your data is not corrupted or destroyed while it’s being processed.
  4. Lack of confidentiality – The opposite end of confidentiality is disclosure. You may need to protect intellectual property or even personal information from disclosure against unauthorized parties.
  5. Lack of privacy controls – You may have regulatory obligations to protect personal information and in that case, SOC 2 guides in ensuring you have the necessary controls to protect your customer’s personal information. In many jurisdictions, a lack of privacy compliance may attract fines.

Data Backup Processes and SOC 2 Compliance

SOC 2 is composed of a set of criteria that are categorized according to the trust service principles mentioned earlier. When it comes to the data backup process there is an availability criterion that says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” To meet this specific criterion you, as a service provider, ought to think about your data backup processes.

There is a set of critical questions that you may need to answer with regards to your backups. Some of these are:

  1. What are your data backup processes? At the least, you need to show evidence of a documented data backup process.
  2. Do your database backup processes align with your business continuity plan? Do you store data offsite? In case of a disaster, you may have to justify the availability of the data that supports your business operations.
  3. Are your data backup tools efficient enough to support your data backup processes? Your technical controls need to seamlessly support your processes to guarantee your business continuity and disaster recovery (BC&DR). Do you test the integrity of your backups, and make sure they are restorable?
  4. You can’t improve what you can’t measure. How well can you measure the efficiency of your processes? Your database backup tools should help you understand precisely how well you are able to back up your data. Ideally, you should be able to measure aspects such as the time gap between a disastrous event (Recovery Point Objectives, RPO) and the time of your last backup and what time-lapse is acceptable for your business to be down until you have recovered from the failure (Recovery Time Objectives, RTO).


Data backup processes should be a top priority when you have to think about your business continuity let alone your SOC 2 compliance. For you to achieve efficiency in your data backup processes, you may need to pay careful consideration to the efficacy and efficiency of your data backup tools

Subscribe below to be notified of fresh posts