If you’re a product or service organization that handles client data, you should seriously consider getting a SOC 2 audit. Larger companies that contract your services often require a SOC 2 audit report before they will do business with you.
More importantly, though, you’ll need to develop a security program that addresses the security challenges of handling client data. SOC 2 compliance is a framework that helps you do that. The SOC 2 standard organizes its data security requirements into five trust service criteria (TSCs): security, availability, process integrity, confidentiality, and privacy. We go into detail about the SOC 2 standard itself here. Now, let’s talk about the SOC 2 audit process and how to prepare for it.
How your SOC 2 audit turns out largely depends on the auditor. Some have sophisticated knowledge of information security and others, well, don’t. We always prefer to work with auditors experienced in information security. An auditor who doesn’t actually understand security can’t speak to what really matters: whether the security controls you have in place genuinely address the trust service criteria. An auditor who can only check boxes that a control does or does not map to a certain TSC, or that a control test did or did not show the expected results (an “exception”), isn’t much help. For example, such an auditor can’t assess whether you have compensating controls in place that reduce the risk of an exception. An auditor with a strong grasp of security can make those determinations, which directly impacts whether the audit results in a qualified, unbiased opinion (which is what you want).
When looking for an experienced SOC auditor, ask whether they’ve audited companies similar to yours, specifically in terms of company size and level of security maturity. If your industry has a specialized set of security risks, it’s even more important that the audit firm has worked with other companies in your industry.
Many firms use multiple auditors in a layered review. Find out what the audit firm’s process is. They may have junior auditors do the initial review who don’t yet have the experience to properly identify and address exceptions. However, the firm could still be a good fit if it uses senior auditors with whom you can have constructive conversations as a second review layer.
In addition to experience, we also value auditors who are transparent about what they’re going to ask for and how they operate. If you don’t feel a sense of transparency from them in response to your qualifying questions about their experience and process, it is possible they won’t be forthcoming during the audit process.
Some of our clients chose to go with the “big name” audit firms because they audit major companies like Salesforce and Google. They feel these auditors are a safe option, because who’s going to question their expertise? They’ll pay for that safety, of course, as audits by the big firms can cost $100,000 or more.
You don’t need to spend six figures on your SOC 2 audit, but you also don’t want to choose an auditor solely on price either. A “cheap” SOC 2 audit can be around $25,000, but that’s likely a small firm that lacks the security sophistication you want your auditor to have. We refer clients to five reputable audit firms, ranging from medium to large and specialized.
To put it bluntly, you will need documentation and lots of it. Your documentation starts as a result of developing security policies and processes to secure your and your customers’ data. You’ll need additional documentation that demonstrates how your company consistently applies and communicates its security policies and procedures. Change management documentation regarding your security policies and information security environment will also be necessary.
You may need documentation of how you regularly test and validate your controls and policies. If you’re engaging in a SOC 2 Type 2 audit, you’ll need to provide documentation of test results over a period of time, typically six to 12 months, showing how your controls hold up over time. A SOC 2 Type 1 report validates that you have controls and policies in place as of a specific date.
You’ll have to prepare a System Description, which the AICPA breaks down into nine “description criteria” categories:
The above is not an exhaustive list of the documentation you’ll need for a SOC 2 audit. However, if you’re approaching information security right, much of the documentation needed will be a natural output of building a strong security program.
There are tools that can help automate evidence gathering and preparation, which can make preparing for an audit less onerous, but they can’t do the job on their own. For example, you can run a tool to document how permissions are organized and applied. However, if you want to know that permissions for a given application are set up correctly, you need to know what the application does and who should have what type of access. A tool can’t make that assessment. The tools leveraged by the SPIO platform to collect and document evidence needed for an audit do speed up the process, but we always advise clients to use them in the context of human judgement.
You definitely want a senior person to provide executive oversight. We recommend appointing someone with budget authority to take responsibility for company security as a valuable first step in improving your company’s security (it is one of 21 actions your company can take to improve its security fast). Depending on personnel available, this person could also be the one who coordinates all SOC 2 audit activities.
IT staff and others in more junior roles can pull together the documentation and other evidence that you’ll need to provide to the auditors. If you have dedicated security personnel, like a security DevOps engineer, they’ll certainly be involved. These personnel are key to showing how your security program can detect and respond to security events.
A clear, well-written System Description will be helpful, so you’ll need someone with writing skills and strong knowledge of information security. As with other assistance in preparing for a SOC 2 audit, you can outsource writing the System Description, say by using the SPIO platform and Virtual CISO services.
As you think about the actual audit process, it is useful to know how much time the auditing firm expects you to spend with them. From our observation, it usually requires an ongoing commitment of 2-8 hours per week during preparation and then a fairly full two weeks of time during the audit period. Many audits involve a week of evidence gathering meetings that require not only the leader but also the company expert in the particular meeting topic who can help collect evidence.
While SOC 2 has five trust service criteria, you don’t need to include all five in your SOC compliance program. Security is the “common criteria” that’s part of all SOC 2 audits. You can stop with that criterion, but you will have to explain why your security program and SOC audit don’t include the other four TSCs in your System Description. The more TSCs you include in your audit, the more valuable your SOC 2 report will be. Further, as a service provider, some of your potential clients and partners may specify what TSCs your SOC 2 report needs to cover.
As for the SOC 2 audit itself, there’s a formal, highly recommended path you can follow:
While following this framework can be quite involved, it’s a good model for assuring that controls are in place to achieve security growth as fast as possible, while also building a body of evidence regarding their implementation.
When you do consider getting a SOC 2 audit, don’t think of it simply as obtaining a report with a stamp of approval. You can always find auditors who take that approach, but it won’t be a meaningful path towards building a mature security program that impresses potential partners.
You may be motivated in the moment because a client or your sales team is telling you having a SOC 2 audit report is necessary. Yet the report won’t matter much if it doesn’t reflect a substantive security program that can, in fact, protect your clients’ data. Practical security is the goal, and the carefully prepared documentation and reporting are a critical means to that end.