Board of Directors Requirements: SOC 2 Type II Compliance

  • By: Josh Palmer
  • February 1, 2023
SOC 2 Type II Compliance
Reading Time: 5 minutes
SOC 2 Type II Compliance

Information security proves critical to the operation and success of any organization.

It helps to protect sensitive data, systems, and assets from unauthorized access, use, disclosure, disruption, modification, or destruction. Without adequate governance, risk, and compliance solutions, an organization risks data breaches, cyberattacks, and other security incidents that can have serious consequences, such as financial loss, reputation damage, and legal liabilities. 

The most effective boards rely on software solutions that help them service stakeholders efficiently, effectively, and collaboratively, all with the highest level of security and compliance that progressive governance requires. Such tools must be SOC 2 Certified, which we’ll discuss in detail below.

What is SOC 2 Type II?

SOC 2 Type II is a set of standards for evaluating and auditing a company’s information security controls. It is one of several types of service organization control (SOC) reports designed to give customers and clients confidence that a company’s information security measures are effective and trustworthy.

SOC 2 Type II primarily focuses on controls related to the security, availability, processing integrity, confidentiality, and privacy of a company’s systems and data. To achieve SOC 2 Type II compliance, a company must undergo a thorough audit of its information security controls by a qualified third-party auditor, who will determine whether they meet the SOC 2 Type II standards.

One of the board of directors’ responsibilities is to ensure the organization takes appropriate measures to protect sensitive data, systems, and the company’s values and integrity. SOC 2 Type II compliance helps enhance risk management strategies to ensure the company’s information security measures are effective and trustworthy.

Effective information security measures are crucial for any organization, including nonprofits, for the following reasons:

  • It protects sensitive data. Information security measures help to protect sensitive data, such as customer data, employee information, financial records, and trade secrets, from being accessed or compromised by unauthorized individuals.
  • It ensures the confidentiality and integrity of information. Placing information security measures can help ensure only authorized individuals can access sensitive data and that it is not tampered with or altered in any way.
  • It maintains the availability of systems and assets. Having functional information security measures ensures systems and assets are available when needed and that they are not disrupted or taken offline by security incidents.
  • It complies with laws and regulations. Many industries are subject to rules and regulations that require companies to implement specific information security measures. Failing to act by these requirements can result in costly fines and penalties.
  • It protects the company’s reputation. A security incident can damage an organization’s reputation and cause customers, clients, and other stakeholders to have skepticism in the company. By implementing effective information security measures, an organization can protect its reputation and maintain the trust of its stakeholders.

When evaluating whether to invest in a new piece of software, the board of directors should consider if the software complies with the relevant SOC 2 Type II standards and if it will help the company maintain or enhance its compliance.

Here are a few specific steps the board can take to ensure that the decision to invest in a new piece of software is consistent with the company’s SOC 2 Type II compliance:

  • Review the software’s documentation and any available certification or accreditation information to determine whether it meets the relevant SOC 2 Type II standards.
  • Engage the company’s information security team or an independent third party to assess the software’s compliance with SOC 2 Type II standards.
  • Consider the potential impact of the software on the company’s overall information security posture.

OnBoard is SOC 2 Type II Certified. Its secure system of record for board meeting content, communication, and data limits exposure to risk and reduces the number of vulnerable endpoints.

How to Achieve SOC 2 Type II Compliance

SOC 2 Type II compliance focuses on the American Institute of Certified Public Accountants’ (AICPA) trust service principles. Achieving SOC 2 Type II compliance requires engaging a third-party auditor to thoroughly evaluate a company’s information security controls. The process of achieving SOC 2 Type II compliance includes the following steps:

  • Determine the scope of the SOC 2 Type II assessment. It includes a detailed description of the systems and processes the evaluation will cover.
  • Prepare for the assessment. This may involve reviewing and updating the company’s information security policies and procedures, and testing and documenting the effectiveness of the controls.
  • Engage a qualified third-party auditor. The auditor will review the company’s controls and determine whether they meet the SOC 2 Type II standards.
  • Review and respond to the assessment report. The auditor will prepare a report documenting the assessment results and any recommendations for improvement.
  • Maintain the controls. SOC 2 Type II compliance requires the company to maintain its controls, and the auditor must test them regularly to ensure they are operating effectively.

Achieving SOC 2 Type II compliance requires a significant investment of time and resources, but it can provide valuable benefits to the company, such as demonstrating to customers and clients that the company takes data security seriously.


Discover OnBoard's Secure System of Record

OnBoard has achieved SOC 2 Type II compliance, meaning data procedures, controls, and security practices have been audited by outside firms with a focus on availability, security, privacy, confidentiality.

Using SOC 2 Type II compliant board management software can give customers and clients confidence that the software is secure and that their data is being handled properly.

Modern Boards Rely on OnBoard

OnBoard gives boards and their teams technology that uncovers insights and simplifies meeting management so they can anticipate challenges before they arise. In addition to SOC 2 Type II compliance, it comes with the following security features:

  • ISO 27001 Certified: OnBoard’s security and infrastructure are ISO 27001 certified, ensuring data assets such as financial info, intellectual property, and PII stay safe.
  • Two-Factor Authentication: Two-factor authentication creates more secure access. OnBoard accounts can be enabled to verify the user’s identity separate from their password.
  • Compliance and Records Controls: OnBoard enables you to deploy customizable, multi-level, and granular control for sensitive data, including the ability to purge notes and annotations.

To improve meeting effectiveness, OnBoard’s drag-and-drop agenda builder makes assembling a board book faster than ever. OnBoard sends reminders about upcoming meetings, and then lets directors track who engages with board materials and for how long so they know what needs the most discussion. 

Download OnBoard’s free Meeting Minutes Template for an example of how the best boards write their minutes to accurately and legally reflect what occurred during the board meeting.

Ready to upgrade your board’s effectiveness with OnBoard the board intelligence platform? Schedule a demo or request a free trial

About The Author

Josh Palmer
Josh Palmer
Josh Palmer serves as OnBoard's Head of Content. An experienced content creator, his previous roles have spanned numerous industries including B2C and B2B home improvement, healthcare, and software-as-a-service (SaaS). An Indianapolis native and graduate of Indiana University, Palmer currently resides in Fishers, Ind.