Ten Steps to Achieve SOC 2 Compliance
Laura Heintz
Principal Analyst & Writer who clarifies business challenges, boosts productivity, and achieves results.
With only a little more than 3 months left in 2018, many businesses are focusing on what goals they want to attain in the new year. Maybe your company is discussing the possibility of achieving SOC 2 compliance. Successfully completing a SOC 2 audit establishes a level of trust with customers, prospects, and partners about the secure operation of your service organization. SOC 2 requires you to put in place well-defined policies, processes, and procedures that demonstrate how you manage the security of customer information, and then to have an auditor assess these internal practices against the Trust Services Criteria over a period of time.
Preparing for a SOC 2 audit will provide you with a baseline of your environment, including how you monitor that baseline for irregular activity, your plan to review the activity, how you will act on that plan to mitigate risk, as well as how you will communicate the overall effectiveness of the plan after an event.
The steps below define the process of applying Trust Services Criteria to your business and documenting system assertions for the SOC 2 audit.
1. Choose the Trust Services Criteria (TSC) you want to apply to your business. The Criteria selected will vary from organization to organization. A business isn’t required to address all TSC; the audit can be limited to only the Criteria that are relevant to the services your organization performs. Becoming familiar with the TSC should be the first step in determining the scope of your SOC 2 audit.
2. Ensure your organization meets the selected TSC. For the SOC 2 audit, you will be required to demonstrate the suitability of your system design and the operating effectiveness of controls included in your system description relevant to the selected Trust Services Criteria.
3. Choose the systems within your organization that meet your specified business objectives. A system may include one specific business process or a set of processes. A system is made up of the following elements: infrastructure, software, people/roles, processes, data.
4. Document your system description, criteria, and controls, as well as assertions about how your company meets the controls’ objectives. Controls are the activities your company has in place that are designed to meet the Criteria and provide the SOC 2 auditor with assurance about the secure operation of your service organization. You will be required to produce evidence that illustrates you meet a specific control. For example, you will need written policies on password protection, access control, encryption, change management, and system backup and recovery.
5. Integrate a risk management framework or service delivery model into your system documentation. SOC 2 complements an IT governance model that exhibits basic risk remediation. The Trust Services Criteria map to various frameworks such as ISO 27001, NIST CSF and COBIT5. Many service organizations are adopting the Cloud Security Alliance (CSA) framework as it contains an excellent set of prescriptive criteria for assessing cloud providers.
6. Collect artifacts of compliance. Artifacts are the logs, reports, and other materials that serve as evidence of your compliance activities. Being able to produce these types of documentation for your audit is a necessity. An early conversation with your auditor may reveal that, for example, your audit program requires a sample size of at least 6 months. So, in most cases this will require advance preparation, or a longer lead time prior to conducting the audit than your company might have considered.
7. Walk through the relevant processes and documents before facing the audit. Whether you choose to perform the readiness assessment on your own or engage a third party, this step is crucial. Once documented, the policies and procedures should be reviewed to verify that the controls accurately reflect your processes. Address any gaps that emerge from the walkthrough and adjust the documentation accordingly before being tested by the auditor. Locking down the controls prior to the audit is essential to navigating your SOC 2 audit efficiently. Failing a control and having to modify it after auditing has begun will delay your auditor’s ability to issue the SOC 2 report, which can cost your company a great deal in both time and money.
8. Participate in the audit to prove the system assertions. Your auditor will conduct many interviews during the compliance audit to assess the controls with the individuals who perform them. You will also be asked to produce evidence to fulfill the auditor’s requests. Any automated tools that can produce evidence that controls are operating effectively will ease the burden on your IT Security staff and make the auditor’s job easier too.
9. Remediate processes/documentation post-audit as required. Hopefully, your organization will receive an exception-free SOC 2 report indicating that your controls were suitably designed and operated effectively throughout the specified period.
10. Prepare to do it all over again next year! Since SOC 2 certification is required annually, it is important to integrate the required processes and controls into your organization’s internal practices by conducting annual risk assessments, policy and procedure reviews, security awareness training programs, vendor management compliance, and testing of both your Incident Response Plan and Business Continuity Disaster Recovery Plan.
Having a solid set of security controls in place should be the goal for all technology-focused companies today. Being SOC 2 compliant will force you to follow a set of strong best practices to keep your company’s and customers’ data safe. Achieving SOC 2 compliance gives your company and your customers external validation that you are managing risks appropriately. If your company is considering a SOC 2 audit in the new year, please contact me. I would be happy to assist your IT organization in developing compliance documentation in preparation for the audit.