Security is often one of the critical parameters reviewed in the purchase of any EHS software.

As part of that review, you may come across a System and Organization Controls (SOC) report provided by the software vendor. A SOC report is issued following an audit and attests that an organization has effectively managed controls related to the security, availability, processing integrity, confidentiality and privacy of a system and, in some cases, its financial reporting. There are two main types of SOC reports: SOC 1 reports focus on the service provider's internal controls over financial reporting, while SOC 2 reports pertain to the effectiveness of controls relevant to the security, confidentiality or privacy of a system the service provider uses to process customers' information.

Both reports validate the robustness of an organization’s systems and processes, providing assurance to customers or potential customers that their data is safe and that controls are in place.  These reports are created after completion of a SOC audit, which reviews all pertinent information and identifies any potential risks related to the scope of the audit. For most software purchases, the SOC 2 report is primarily of interest, since it covers the security of the software’s servers and data systems.  The SOC 2 report not only covers security, but also availability, processing integrity, confidentiality, and privacy. 

When requesting a SOC report, it is important to understand not only the type of SOC audit that was completed, but also the scope of the audit itself.

Many software vendors will provide a SOC report, but if you review it carefully, you may notice that it is limited to the data hosting service (e.g. Amazon Web Services or Azure). While it is important to assess the security of the hosting service, that covers only part of the software's overall footprint. The EHS software itself must be run and managed securely in order to protect confidential and private data, which is especially critical for certain EHS applications. The security and availability of the hosting service will not mean much if the EHS software itself is down or subject to security flaws.

If you are considering a software purchase for your organization, a SOC report can provide an excellent way to evaluate the integrity and security of potential systems, following a standardized protocol. But not all SOC reports are the same, and looking beyond the cover of the SOC report to understand the scope and coverage of the SOC audit can help you avoid the pitfalls of buying EHS software that isn't as secure or available as you need it to be.

Want to learn more about Locus Software Solutions? Reach out to our product specialists today!
