Authorization in the context of SOC 2 and other certifications – The New Stack


A cyberattack or data breach can have a huge impact on an organization. If your business deals with sensitive customer information, you want to take steps that will protect your customer data and, at the same time, prove that you put security first.

Alex Doukas

Alex is a frontend developer with expertise in web development. He also has extensive knowledge of software testing, UX design, big data, social media marketing and SEO techniques.

The most thorough audits an organization can undergo to demonstrate that it has taken all necessary steps to protect company and user data are assessments such as ISO 27001 and SOC 2. Although not legally required, they are beneficial for SaaS companies, data centers and other entities that process sensitive data.

Compliance with security standards is a time-consuming and difficult task that will affect the way you operate your organization. Compliance involves the processing and storage of data and the frameworks used to secure it. It ensures that an organization adheres to the minimum requirements of security frameworks.

Authorization is an integral part of data security. To ensure that all aspects of access control, including authorization, meet criteria, organizations must employ a suite of security tools, technologies, and processes designed to protect the network, systems, applications and other assets. Well-implemented data and privacy control is essential if you want to comply with modern security standards.

In this article, you’ll learn more about these standards, how they affect authorization, and how Cerbos, a self-hosted access control provider, can help you.

Popular Security Frameworks


Systems and Organization Controls 2 (SOC 2) is a voluntary data security compliance standard created by the American Institute of Certified Public Accountants (AICPA). It is designed for businesses that keep their customer data in the cloud. To protect customer data, companies must follow the framework defined by each standard.

SOC 2 audits are of two types:

  • SOC 2 Type 1: This type of audit ensures that security and compliance commitments are being met through the development of infrastructure, software, processes, data, and controls that an organization has in place.
  • SOC 2 Type 2: This type of audit goes even further. Controls are evaluated and validated over time, and the effectiveness of organizational security is measured. Achieving SOC 2 Type 2 compliance is essential confirmation that your implemented security and compliance program is working.


ISO 27001 specifies the criteria for an organization to establish an Information Security Management System (ISMS). The ISMS is a framework of good practices for managing the security risks of information that your company processes, stores or transmits on a daily basis. The ISO 27001 standard specifies a minimum level of protection, encryption and security that you must apply to all your customer data and sets the basics for how a company should manage information security processes.

The standard is widely considered best practice and is adaptable to many types of businesses and industries. The ISMS framework covers several areas, ranging from risk assessment and staff training to testing, incident response and disaster planning. The process of implementing ISO 27001 will help your business understand what information you need to protect, why it needs to be protected, what needs to be done to protect it, and how your business will be affected if it is not. The implementation also demonstrates a commitment to protecting customer data and a willingness to devote valuable resources to maintaining security.

How do standards such as ISO27001 and SOC 2 affect authorization?

SOC 2 and ISO 27001 security frameworks assure users that your company has controls or procedures in place to protect sensitive data. While both of these assessments produce similar results and are extremely useful for businesses, they differ in some ways, so you may need to do some research before deciding which one to choose.


Audits conducted for SOC 2 assess compliance with the framework. This framework is based on five trust services criteria developed by the AICPA:

  • Security: Protect data against threats and unauthorized access.
  • Availability: Users can rely on your systems to get their jobs done.
  • Processing integrity: Business systems are working as expected.
  • Confidentiality: Protect sensitive information by limiting its access and use to authorized users.
  • Privacy: Protect highly sensitive personal data from unauthorized users.

Although each of the five categories has a unique role, security is the only category required for an audit. Organizations are responsible for implementing measures that will improve all aspects of access control, such as authorization, authentication, management and identification, and that prevent data theft, system and data manipulation, unauthorized access, misuse of software and many other security threats.

In the Trust Services Criteria, Security Controls is the largest section of controls and forms the basis of the report. The suite of security controls covers everything you need, including access, data management, threat prevention and more.

SOC 2 criteria are generally broad and flexible. This means that if, for example, you want to protect your network against unauthorized access, you can use two-factor authentication, but another company can use something else to achieve the same goal. The report is based on the organization’s compliance with standards, not how compliance with standards is achieved.


ISO 27001 and SOC 2 have similar criteria across all categories, including access control policies and procedures. The controls in Annex A of ISO 27001 are grouped into 14 categories to help you comply with the requirements of the framework. One of these categories, considered by many to be the most important, is subsection A.9. The purpose of Annex A.9 is to ensure that employees can only see information that is relevant to their job. It is divided into four sections:

  • Business Access Control Requirements: This requires you to establish an access control policy and determine which users will have access to specific networks and services.
  • User access management: The goal here is to prevent users from accessing systems and services that they are not authorized to use. You must specify under what conditions users must register with your systems, how to grant them access and how to manage authentication data.
  • User Responsibilities: This section asks you to define how users are expected to protect credentials.
  • System and application access controls: You must ensure that only authorized users have access to the system in accordance with the access control policy. Additionally, you should ensure that access is secured with reliable login methods and that passwords are strong and complex.

Compliance Complications

Adhering to a robust security framework will allow your administrators to control what data users have access to and what permissions they have. To achieve the best results, you will need to implement a series of techniques such as privileged access, access revocation, approved access requests and user activity audits, which will allow you to know precisely what was done in a system, as well as who performed the action. Tools such as two-factor authentication, intrusion detection, and restricted access via VPN are some of the technical security controls suggested for authorizing user identities.

However, meeting the requirements of each framework requires a lot of effort, thorough documentation, and creating auditable workflows, which can be a daunting task if your team isn’t ready with a planned and systematic approach.


Certifications such as SOC 2 and ISO 27001 are extremely important to many companies as they demonstrate a commitment to protecting user data and providing customers with the highest levels of security. However, they make it harder to implement authorization, because you need strong policies and strong controls to comply.

Cerbos is an open-source access control provider that offers out-of-the-box, granular access controls to meet your ever-changing authorization needs.

Cerbos has a centralized and standardized audit logging system that generates comprehensive audit logs of all requests and actions for compliance requirements. It will help you:

  • Ensure that all incoming requests and responses are captured and logged appropriately.
  • Get a detailed report of each decision and why it was approved or denied.
  • Debug access requests with role and attribute details.
  • Integrate with your current audit process.
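As an added illustration of the per-decision evidence described above (not Cerbos code and not its policy format), the following Python example evaluates a small role- and attribute-based policy and records every allow/deny together with the rule that matched and the principal's roles and attributes. The policy rules, condition names and sample principals are constructed for this example.

```python
"""Auditable authorization decisions: each allow/deny is logged with the
matching rule (or why nothing matched) plus the caller's roles and
attributes, the kind of per-decision record an auditor asks for."""
from datetime import datetime, timezone

# Constructed policy: (resource kind, action, required role, condition name).
# A rule applies when the principal holds the role and the condition holds.
POLICY = [
    ("invoice", "view", "finance", None),
    ("invoice", "approve", "finance", "same_department"),
    ("invoice", "view", "auditor", None),
]

# Named conditions over (principal, resource) attributes; hypothetical names.
CONDITIONS = {
    "same_department": lambda p, r: p["attrs"].get("dept") == r["attrs"].get("dept"),
}

AUDIT_LOG: list[dict] = []  # in production this would be an append-only sink


def authorize(principal: dict, resource: dict, action: str) -> dict:
    """Deny by default; return (and log) a structured decision record."""
    effect, reason, near_misses = "DENY", "no rule matched (default deny)", []
    for rule in POLICY:
        kind, act, role, cond = rule
        if kind != resource["kind"] or act != action or role not in principal["roles"]:
            continue
        if cond is None or CONDITIONS[cond](principal, resource):
            effect, reason = "ALLOW", f"matched rule {rule}"
            break
        near_misses.append(f"rule {rule}: condition {cond} evaluated false")
    if effect == "DENY" and near_misses:
        reason = "; ".join(near_misses)  # explains why a role-holder was refused
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "principal": principal["id"],
        "roles": sorted(principal["roles"]),
        "attrs": dict(principal["attrs"]),
        "resource": f'{resource["kind"]}:{resource["id"]}',
        "action": action,
        "effect": effect,
        "reason": reason,
    }
    AUDIT_LOG.append(record)
    return record
```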
