30th May, 2021 4 Min read
Are you chasing an endless trail of screenshots? Awake at 3am, stressed about bugging your stakeholders for evidence–again? Wondering why you decided that this dang compliance framework was worth it?
Congrats! You must be preparing for a SOC 2 audit.
Becoming compliant with SOC 2 is an important move for any company. Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 applies to nearly all businesses that collect, store, and share customer data. Achieving compliance serves as a powerful external measure of competency and credibility, giving organizations confidence in using your services.
But as important as it is to achieve SOC 2 compliance, it can be, shall we say, slightly stressful.
Organizations typically spend months preparing for an audit, setting up the needed controls and ensuring the existing compliance/security posture is optimal. A ton of manual work is required, which leaves plenty of room for errors to occur. This maddening situation has given the concept of prepping for SOC 2 somewhat of a negative image.
So to help you get there as painlessly as possible, we’ve created this SOC 2 Compliance checklist. Use it as a self-assessment tool to enable your organization to prepare for, and achieve, SOC 2 certification with less stress and worry.
AICPA has outlined 5 Trust Service Criteria, which serve as the basis for audits; your organization must choose which of them it will be audited against. These are:
Security – How the business protects data, systems, and networks from breaches and attacks. This is also referred to as the Common Criteria, the most prominent—and only mandatory—section of any SOC 2 audit.
Availability – How the business ensures the uptime of systems.
Confidentiality – How the business ensures the data it stores remains confidential.
Processing Integrity – How the business ensures that processing is, in the words of the AICPA, complete, valid, accurate, timely, and authorized.
Privacy – How the business collects, uses, shares, stores, and deletes personally identifiable information (PII).
The only required criterion is the Security, or Common, Criteria. The remaining ones are optional, but certain organizations may demand them—for example, organizations storing sensitive financial data may require the organizations they partner with to include the Confidentiality Criteria. Other businesses where uptime is critical may require partners to include the Availability Criteria. On the other hand, many businesses won’t opt to fulfill the Privacy Criteria, as they are already working towards aligning their privacy efforts with the requirements of GDPR compliance.
So which ones should you choose? It depends on what you’re hearing from your leads—what is most important to them?
There are two flavors of SOC 2 reports – Type 1 and Type 2. Which one should you choose? Here’s how to determine which one meets your needs better:
SOC 2 Type 1 assesses the design of your security controls at a specified point in time. The intention is to demonstrate that best practices are being followed, and it is a fast and relatively easy way to show customers that security is important to your organization. It’s sort of like looking at your kid’s latest math test: the grade on the test is an indication of her performance at one point in the year.
SOC 2 Type 2 assesses your organization’s security design controls but goes much deeper and examines how effectively the controls are managed and upheld over a specified period of time, instead of simply looking at one point in time. This is more similar to a cumulative grade given at the end of the year, to assess how well your kid did over the course of many months.
SOC 2 Type 2 is definitely harder to prepare for and achieve, but is the gold standard in InfoSec Compliance, and further, may be required by some organizations.
Now is the time to evaluate your controls and look for any gaps or deficiencies. Start by gathering any evidence you’ve got regarding procedure documentation or policies, based on the criteria you’ve chosen to include in the audit. You may already have some of this material from other compliance frameworks your organization adheres to. The key here is to do this step well in advance of the audit, since there will likely be many gaps to fill.
In this final step, create a plan to address the gaps identified in Step 3. This plan should include changing process workflows, setting up new security controls, and adding missing policies, if needed. Once you have addressed the gaps, test them to determine whether your remediation plan was successful. Rinse and repeat as necessary.
Okay, we know you don’t assume it’s going to be a breeze…and if you do, well, think again. But the thing is that, as complex as achieving SOC 2 compliance is, it doesn’t have to be quite so arduous. With automated evidence collection, organizations can take the frustration out of meeting SOC 2.
With the right solution, you can collect hundreds of pieces of (normalized) evidence in minutes to meet your compliance requirements simply and easily.
Or, contact us to start enjoying SOC 2 right away.