Why SOC 2 is Hard
As we kick off a fresh new year, there’s never been a better time to obtain a SOC 2 attestation in order to demonstrate your organization’s security maturity, differentiate yourself from the competition, and accelerate the sales process.
This year Vanta will pass an important milestone: we’ve moved from helping hundreds of companies achieve their SOC 2 goals to thousands. Part of our mission at Vanta has been to demystify compliance certification and make it more accessible and affordable for more organizations.
To that end I’m going to be regularly sharing blog posts and articles which will provide some insight into common questions that many companies have around their information security and compliance journey, along with insights that I hope are helpful.
I’m starting off with a context-setting article describing what I see as one of the fundamental challenges companies face when they first decide to pursue a SOC 2 attestation. The initial challenge is simply understanding the requirements and what the organization needs to do to satisfy those requirements to become SOC 2 compliant.
For those who aren’t familiar, the SOC 2 Trust Services Criteria are built upon the COSO 2013 Internal Control - Integrated Framework. Without getting into the details, COSO is an internal controls framework used primarily to provide public company investors with reasonable assurance as to the accuracy of financial statements. In 2017, the AICPA overhauled the SOC 2 criteria to align with COSO. The updated SOC 2 criteria essentially incorporate the entirety of COSO and apply it to information security. To accomplish this, a set of technical criteria were added to COSO to create a complete and holistic internal control framework for information security. The net result is that SOC 2 doesn’t have a simple set of controls for organizations to implement, but rather a list of somewhat vague criteria that must be met by the controls the company designs and implements for itself. “Points of Focus” (POF) are provided to clarify the criteria, but the POFs themselves are not actually requirements. That’s perfectly clear, right?
For organizations that do not have previous SOC 2 experience, simply understanding the criteria, the points of focus and the essential requirements can be confusing and onerous. What are the actual requirements? How do I know what controls we need? How do I know if our controls meet the criteria?
I’m going to provide an example in order to illustrate the challenge of using the Trust Services Criteria:
Common Criterion CC2.1 is based on COSO Principle 13 and reads as follows:
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
That’s the criterion which must be satisfied for SOC 2 CC2.1. In order to clarify that criterion, this is the first Point of Focus provided:
A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives.
If you’re like me, or most regular humans who haven’t attended the AICPA’s SOC School, your reaction at this point is probably something like, “I don’t get it.” Even seasoned information security folks who understand a common control environment might not be able to easily associate their security controls with the language of the SOC 2 Trust Services Criteria and POFs shown above.
At this point many organizations get blocked and need to find an external solution to move forward. The traditional solutions have typically involved hiring a specialty consultant or engaging a SOC audit firm to conduct a “readiness assessment” that probably also includes a “control design” component. The pain point with both of these solutions is that neither is particularly affordable in terms of time or money.
So why is SOC 2 hard? A cynic might say it was designed that way: SOC 2 compliance requires assistance from a select group of highly specialized, skilled and expensive providers. A more generous assessment would be to say that, simply, this is how information security works. There is no “one-size-fits-all” solution. To establish appropriate controls, an organization either needs to build them up from an understanding of its risk environment, or whittle them down from a laundry list of potential controls, again based on what is appropriate for the risks involved. SOC 2 essentially takes the former approach: it sets high-level criteria and leaves it to each organization to build controls that meet those criteria, based on its unique risks. That’s a reasonable approach, but it’s not particularly easy or user-friendly for the non-expert.
One of our key value propositions at Vanta is a solution to this problem which I’ll elaborate on in future articles.
Interested in obtaining a SOC 2 and want to learn more? Are you an expert in SOC 2 who has a different point of view? Message me or comment below.
Partner at Dansa D'Arata Soucia LLP
3 years
Spot on, my friend! Great teaser article and looking forward to future brain dumps from a well-respected resource. From someone who has spent thousands of hours reading the criteria and POF over and over again, and researching, it is still intimidating. Vanta serves such a vital/transformative role in this space!