How Do I Communicate My New SOC 2 Report? SOC 2 Certified?

Blog Article Published: 01/03/2024

Originally published by MJD.

Written by Mike DeKock, CPA, Founder & CEO, MJD.

Q: How do I communicate my new SOC 2® Report? SOC 2 Certified?

A: MJD Answer

We highly recommend you do not use the phrase “SOC 2 Certified”. Yes, you see it everywhere, and your competitors are celebrating their certificate - but don’t do it because such a thing does not exist. The AICPA goes as far as to say explicitly that you should not use that phrase when referring to your SOC 2 report. Technically, it’s trademark infringement.

There isn’t an auditor jail they throw you in, and well, “everybody else is doing it,” but people will notice and raise an eyebrow toward the seriousness of your program.

And the reason it’s important is that it is foundational to the report. SOC 2 is not a control framework and doesn't offer a required level of security posture. You are reporting on and being audited against your own business objectives - so there’s nothing to certify. This is why the service can be flexible and dynamic to meet the needs of a two-person company or Google.

The best way to think about it is that the auditor is making sure you are doing what you say you will do. Put another way, the commitments you have made to customers, and the trust they have put in you as a company, have been subjected to an audit. So instead of saying “SOC 2 Certified,” you might focus on why it was important to the company and its customers and your intentions to continue building a company that prioritizes security and transparency (which, in many ways, is a much more personal touch).

You should also collect and share the official SOC for Service Organizations logo provided by The American Institute of Certified Public Accountants (AICPA). Before you do this, though, read the terms, conditions, and guidelines.

ChatGPT answer

When it comes to communicating a new SOC 2 report, there are a few key steps you can follow to ensure that the information is effectively communicated to your stakeholders. Here are some suggestions:

  1. Determine your audience: The first step in communicating your new SOC 2 report is to identify your audience. Who needs to know about the report and why? For example, you may need to share the report with customers, investors, or regulatory bodies.
  2. Choose your communication channels: Once you know your audience, you can choose the best channels for communicating your report. Some common options include email, social media, press releases, and direct mail. Consider the most effective channels for reaching your audience.
  3. Develop a messaging strategy: Craft clear and concise messaging that highlights the key findings of your report. Your messaging should emphasize the areas of your company's operations that were assessed in the report, and any steps you took to address any issues or concerns raised during the assessment.
  4. Provide context: Provide context for your report by explaining the importance of SOC 2 compliance and how it aligns with your company's overall mission and values. Help your stakeholders understand the significance of the report in the context of your industry.
  5. Follow up: After you have communicated your new SOC 2 report, be sure to follow up with your stakeholders to answer any questions they may have. Provide additional resources as needed and be prepared to address any concerns that may arise.

By following these steps, you can effectively communicate your new SOC 2 report to your stakeholders and reinforce your commitment to security and compliance.



About the Author

Most people describe me as a passionate, unconventional thinker with a unique talent for simplifying the complex. I have a degree from the University of Iowa, am a licensed CPA, and started my career as a financial statement auditor, where I developed a passion for process improvement and became a subject matter expert in applying the audit and attestation standards. I spent much of my career as a general practitioner, but when I began focusing on SOC reports in 2017, everything became clear, and I discovered the next step in my career path. I started MJD Advisors in 2021 with a niche focus on SOC reports for technology companies, and I hope I never have another job.
