866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

SOC Benefits For Blockchain Blog Feature
Scott Perry

By: Scott Perry

Print/Save as PDF

SOC Benefits For Blockchain

Crypto and Digital Trust | SOC Examinations

These days, blockchain providers find themselves in an interesting position—you have a revolutionary service to offer, but the market is still coming around to it. You need a way to validate your product so they will. Luckily, there is something you can do—you can take the initiative to acquire a SOC report. 

Those in our devoted Crypto & Digital Trust practice have noted that some blockchain users in the industry have already made moves to leverage a SOC report and the insight it provides, and so have gotten ahead of their competitors.

The question now is, should you do so as well?

In this article, we’ll provide some insight to help you answer that—we’ll talk about the current market maturity of blockchain before providing 5 reasons why you, as a blockchain provider, should invest in SOC.

If blockchain really is the future, let us convince you how SOC can help improve yours.

The Current Market Status of Blockchain

Over the last seven years, we’ve all closely watched the emergence and development of blockchain technology for commercial business use. In that time, it has followed a trackable market lifecycle similar to that of other revolutionary tech:

  1. Technical Feasibility by Industry Trailblazers
  2. Promotion and Churn through the Technical Community
  3. Emergence of Initial Service Providers Establishing Backbone Code and Infrastructure
  4. Technical Collaboration and Joint Proofs of Concept
  5. Funding and Broader Application of Pilot Projects
  6. Roll-out of Operational Use Cases
  7. Emergence of Proprietary and Open-Source Market Leaders
  8. Consolidation and Normalization of Market Offerings Backed by Interoperable Standards
  9. Broad Market Impact Revolutionizing Use Cases
  10. Erosion of Market Due to a Competing Technology Evolving from Phase 1-9

Within this 10-step pattern, we believe that the blockchain market and the service providers of Web 3 / Web 5 are at Phase 6 with market trailblazers pushing into Phase 7.

Why? Because blockchain has:

  • Proven itself to be robust and scalable.
  • Demonstrated compelling digital trust attributes for its immutable data, network redundancy, and collaborative governance that are suitable for higher trust applications in FinTech, Healthcare, Digital Identity, and Supply Chain.

With these breakthroughs, the market is seeing an emerging explosion of service providers all touting that they have built a better mousetrap. That may very well be true, but as things progress fully into Phases 6 and 7, these same service providers will develop a critical need to demonstrate the legitimacy and accountability of these “mouse traps.”

Yet how to do that when Blockchain has yet to reach Phase 8 (at which point globally interoperable standards will be established)?

This is where SOC comes in—as the gold standard in compliance, an attestation report of this kind can pave the way to blockchain service provider prominence right now.

5 Reasons to Get SOC for Blockchain

Since 1992, Service Organization Controls (SOC) reports have been a mainstay of compliance, as this independent third-party attestation of internal technology controls creates a minimum standard of assurance that your customers and reliant parties need to satisfy their concerns over your security and trust claims.

But as is usually the case with compliance initiatives, SOC reports aren’t a trivial pursuit, so why should blockchain and Web 3 / Web 5 service providers invest in one? Are there compelling reasons for such organizations to undergo a SOC project?

In fact, there are five good reasons, and we’ll examine them here.

1. Process Transparency and Legitimacy

While the terms “blockchain” and “crypto” have already solidified themselves in the global vocabulary, most customer executives remain uneducated on what the technology is, how it functions and why its operations add trust in business applications.

Right now, there’s a gap of comfort between wanting to be into the next best thing and understanding its processes, but a SOC report requires you to provide narratives of your system processes and controls. You’re required to document:

  • Types of services provided
  • Principal service commitments and system requirements 
  • Components of the system
  • Trust services criteria and corresponding controls
  • Complementary user entity controls
  • Complementary subservice organization controls
  • System incidents
  • Significant changes to the system during the period 

Having to record these narratives will help bridge the gap of understanding while providing clarity and legitimacy regarding the underlying care the blockchain network takes in serving your users’ needs. 

2. Accountable Control Maturity

Though SOC 1 examinations can be performed if the blockchain affects financial reporting, typically SOC 2 reigns as the more popular compliance option for service provider’s customers.

 

Moreover, SOC reports come in two types that can help you meet stated service commitments to customers:

 

  • Type 1: Asserts and attests control design and implementation at a point in time; and
  • Type 2: Asserts and attests control design, implementation, and operation over a period of time (3-12 months). 

Many organizations opt for the Type 2 SOC 2 (if eventually, after a Type 1) for the added reassurance regarding operational controls. If that’s what you choose to do as a blockchain company, you’ll need to do the following if you want to obtain an unqualified (clean) audit opinion:

 

  • Design your controls to meet generally accepted trust criteria (security, availability, process integrity, confidentiality, or privacy);
  • Consistently meet these criteria for a sustained period. 

In order to do so, you’ll not only need to ensure your controls work as designed, but you’ll also need to produce sufficient and compelling evidence proving that to impartial auditors. No easy task, but it will help legitimize your system. 

3. First Option as Safe Harbor for Critical Applications

The promise of blockchain has the potential to drive right to the heart of vital infrastructure—this technology can assert the unchangeable records of:

  • Currency transactions;
  • Events in a supply chain; or
  • High-value assets such as real estate titles and gemstones. 

But before anyone trusts blockchain with the things most important to individuals and the collective, the security assurance of blockchain network players must be overwhelming to the pillars of our economy and government leadership. 

If these are your potential customers, you should know that they’ve performed detailed risk assessments and have specific and high assurance requirements to preserve the security of their critical applications. A SOC report can be a conduit for meeting those stated requirements in a familiar format. 

4. Consolidated Market Response and Assurance

SOC reports first came into being as a method to reduce the numerous requests from all your customers and their specific needs. Within the SOC brand, the AICPA created a standardized report that would best satisfy the most requested of those needs, and that’s still true regarding blockchain. 

If you complete a SOC examination, you’ll receive one audit report that you’ll be able to distribute to all customers who request it, thereby reducing the disruption of multiple asks while also creating one consolidated voice for all your customers’ auditors. When you consider the alternative of full-time resources caretaking to all customers’ auditors, this one audit looks not only cost-effective but like an easier lift for your team. 

Of course, you’ll need to take care as to who to trust with this singular response. Unfortunately, the proliferation of SOC reports across the business landscape has led to low-cost providers commoditizing the report to a checklist. But if you take care to engage a leading audit firm, you—and other major market players—will discern the difference. 

5. Market Leadership Before Mass Competition

As we mentioned prior, there aren’t any generally accepted, blockchain-specific audit schemes in practice today. If you’re aiming to be a market leader, you don’t have time to wait for one.

Market innovators, such as crypto.com, Engiven, Bittrex, Zventus, Fireblocks, Brane, and AlphaPoint have already completed SOC projects and duly promoted the event in press releases and on their websites. When will you? 

Build Trust in Blockchain with SOC

If you’re a blockchain service provider, you know that you’re sitting on something cutting-edge that can likely serve many potential customers. While you wait for the market lifecycle to catch up, you have an opportunity now to elevate your product and its legitimacy through compliance’s “Old Faithful”—the SOC standard.

Now that you understand why you should move forward with a SOC report for blockchain, read our other content that will break down the different aspects of this examination and simplify your experience:

Of course, you may have specific organizational questions, and if that’s the case, we encourage you to reach out to our crypto and digital trust practice leaders, who would be happy to address any further concerns you may have.

About Scott Perry

Scott Perry is a Principal at Schellman where he heads up its crypto and digital trust services practice. Prior to joining Schellman in 2022, Scott owned and operated his own firm specializing in cybersecurity consulting audits and governance, GRC implementation, digital identity and verifiable credentials, and WebTrust. Scott is also a Steering Committee member and co-Chairs the Governance Stack Working Group for the Trust Over IP Foundation (a Linux Foundation project). Scott has worked with the world's most respected SSL-certificate issuers, aerospace and defense companies, and government agencies. He has authored and contributed to a comprehensive governance and trust assurance methodology suite for Trust Over IP, has written a key chapter on Trust Assurance in a published book on Self Sovereign Identity and the FinClusive Rulebook. As a hands-on crypto and cybersecurity consultant and auditor, Scott provides deep and impactful advice that you would expect from a leader in the field.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.