At present, cybersecurity is one of the prime interests of all organizations, including third-party service organizations or vendors. If you are such a service provider, having standard security controls is vital for establishing trust and confidence with your clients.
What is SOC 2?
SOC 2 provides an essential framework that you can use to prove that you take information security as one of your top priorities by demonstrating you have implemented necessary security policies. Also, if you are outsourcing critical business operations to SOC 2 compliant third parties, this means that your data within them are guaranteed to be secured.
SOC which stands for System and Organization Controls (SOC), has been developed by the American Institute of Certified Public Accountants (AICPA). They provide a suite of control reports as:
SOC 2 is what focuses on internal controls related to cybersecurity of the services provided by service organizations within the following five Trust Service Categories or Trust Services Criteria (TSC).
A SOC 2 report provides information regarding the effectiveness of controls within these criteria and how they integrate with controls at the user entity. SOC 2 report is an outcome of the SOC 2 audit which is carried out by an independent, licensed CPA under Statement on Standard for Attestation Engagements (SSAE) No18: Attestation Standard.
To become SOC 2 compliant, your organization needs to satisfy the TSCs defined by AICPA. Depending on what kind of client information you have and how they are processed, you need to choose what criteria to include in the SOC 2 report. Let’s get to know more about the points of focus related to each of these criteria.
Organizations that satisfy this criterion can protect information and systems from unauthorized access, unauthorized disclosure, and system damages that affect their availability, integrity, confidentiality, and privacy.
Security focuses on the protection of:
Controls over security criteria help detect and rectify system failures, unauthorized removal of information or system resources, software misuse, incorrect data processing, and improper use of, alteration, destruction, or disclosure of information.
Availability focuses on the accessibility of information used by your organization’s systems and the products or services you provide to your customers. If your organization meets this criterion, your information and systems are always available for operation and can meet its objectives at any time. It addresses if the systems include controls to support accessibility for operation, monitoring, and maintenance. However, it doesn’t address the functionality and usability of the system.
If you are doing data processing or transactions on behalf of your customers, you need to include this criterion as part of your audit. The Processing Integrity principle is the criteria to check if the system achieves its intended purpose and functions properly without errors, delays, omissions, and unauthorized or accidental manipulations. It focuses on the completeness, validity, accuracy, timeliness, and authorization of system processing.
Your company may be storing data classified as confidential information, which is restricted, disclosed, and allowed to be used only for certain people. For example:
Besides, there can be laws, regulations, and Non-Disclosure Agreements (NDA) with your clients to keep these data confidential. Confidentiality policy addresses your company’s ability to protect such information throughout its life cycle from its collection and creation to removal from your control. This sensitive information can be in the form of physical documents or digital documents. Therefore, controls need to be applied considering their nature.
To meet this criterion, all sensitive and Personally Identifiable Information (PII) data such as social security number, name, address, sexuality, and race need to be protected from unauthorized access. Their collection, use, disclosure, and disposal need to be done according to Generally Accepted Privacy Principles (GAPP) of AICPA and the organization. Privacy controls only apply to personal information. Whereas, confidentiality applies to various types of sensitive information.
|Trust Services Criteria (TSC)||Controls|
If your organization falls under the following categories, you may require this compliance at any time.
Since the report contains information about the internal security control of a company, it will not be accessible to everyone. It can be used by different persons linked with the service organization under a Non-Disclosure Agreement. Examples of users of a SOC 2 report include:
Usually, the service organization management prepares a description of its system using AICPA SOC 2 description criteria. Also, they include the design and suitability of internal controls related to one more of the TSCs they chose to be relevant and their effectiveness in operation.
After that, service organization management hires the certified CPA to examine and provide a SOC 2 report on their view of managements’ claims. There are two types of SOC 2 reports.
In this report, the auditor examines and evaluates the following at a specific point in time.
This report does not evaluate the operating effectiveness of the controls. It is rather the auditor’s opinion about the service organization managements’ description of the system and the suitability of the design of controls. This report is generally the first step of getting SOC 2 compliance for a company. Typically, it can take between 2-4 weeks to generate this type of report.
This report provides a more comprehensive look at the design of the service organization’s controls specified in the Type 1 report. Type II report includes both Types I criteria and the operating effectiveness of the service organization controls. Usually, it can take six months to up to one year to examine, prepare and provide this report.
Overall, a SOC 2 report will include the following statements:
1. From the service organization’s management
2. From the auditor
Generally, a SOC 2 report is valid for twelve months since the report was issued. The cost of a SOC 2 depends on a number of factors such as:
Whether you are a service provider or a receiver, SOC 2 Type II report is what provides the best assurance that your organization complies with the TSCs. However, SOC 2 Type I report itself is useful in some scenarios.
Type I report is suitable in circumstances where a SOC 2 report is required immediately by a customer or any business partner. If you are getting this assertion for the first time or your organization is a startup, then it is suitable to get a SOC 2 Type I report first before proceeding with the Type I report.
SOC 2 Type I is also suitable for smaller companies that have minimum sensitive data and does not require strict security policies. In addition, sometimes you may be just comparing potential service organizations for your next business venture. Then SOC I report will be ideal for you to request from the potential vendors.
A SOC 2 audit can only be performed by an independent and licensed Certified Public Accountant (CPA). Specifically, the CPA must have received the required training, possess the technical expertise and knowledge in information security. The SOC 2 auditor should always be updated with the changes for the TSCs done by AICPA and comply with the standard rules. Since this audit is regulated by AICPA, non-CPAs cannot perform or partner with CPAs to perform the audit.
The first step in getting SOC 2 certified is establishing the scope and priorities for the evaluation. It is a form of a planning phase which is a very critical step most companies tend to overlook. In this phase, you need to:
1. Identify auditors – Identify and contact the certified and experienced auditors who have built a reputation for proper SOC 2 audits.
2. Define the system description – Write up a description of your system to the auditor. For example, if the company provides a payroll processing service to clients, describe its components, boundaries, and controls. The length of the description may vary depending on the complexity of your system. This description will later be included in the SOC 2 report.
3. Identify Trust Service Criteria you should include in the report.
Typically, this phase can last several weeks depending on the facts such as your organization’s preparedness, available information, experience about the process, etc.
Before taking the actual audit, organizations may want to identify the gaps and risks associated with the existing internal controls using a SOC 2 readiness assessment.
This phase is optional if you have a thorough understanding of the system controls in place and are confident about the success of the examination. Several SOC 2 consultancy services can assist you on those who are ideally experts in this field.
This assessment will provide you a detailed description of what controls would meet the auditors’ expectations, what controls are not enough to be SOC 2 compliant, and a set of guidance to remediate the identified gaps. If you have this understanding before the formal audit, you can immediately take the required corrective steps rather than waiting till the final report.
After the scoping and the readiness assessment phases, then you can start preparing your formal audit. Usually, in this phase, the auditor explains the examination process in detail and requests a list of documents which is also called Information Request List (IRL), and evidence for the formal audit.
You have to prepare and ready whatever documentation he or she may ask you during the phase. You are allowed to take assistance from audit assisting companies to collect these documents as well. You can get their required support during the formal audit because they know what exactly the auditors need.
After completing all the preparations, you can begin the formal SOC 2 audit. The auditor will collect all the evidence and carry out the necessary tests to identify whether the internal controls comply with the chosen SOC 2 TSCs. Usually, the auditor visits the organization for this process. In some cases, they will work remotely or use a combination of both working methods.
During this process, you may have to answer a lot of questions about the controls in place. Sometimes, the auditor may be required to interview certain employees of the organization. In addition, they may request additional documentation to support as evidence which will require a significant amount of time to prepare. Therefore, you need to make sure you are well-prepared for the formal audit to save additional costs and time.
Once the auditor has collected all the evidence and completed all the required tests, he or she will begin drafting the report. After the draft is complete, you will get the opportunity to review the draft and provide suggestions and comments. The auditor will incorporate the required changes to the draft based on your feedback and finalize the report. Finally, you will receive this final report as a soft copy, but some auditors may provide a hard copy as well.
Use the following 12 policies as a checklist to see how well you are prepared for the audit. Again some of these policies may not be applicable for your organization based on what type of client data you have and what type of processing do with them.
|Information Security (IS) Policy||Controls to protect data from unauthorized access and disclosure from unauthorized users.|
|Access Control Policy||Restrict access to high-security systems for authorized users by defining role-based access control policies.|
|Password Policy||Enforce the users to create strong and secure passwords according to the defined format, set expiration times and send reminders via emails and securely store the password in an encrypted format.|
|Change Management Policy||Define how changes to the system should be requested, reviewed, approved, or deferred that minimizes the impacts to data and systems.|
|Risk Assessment and Mitigation Policy||Specify risk identification and management approaches, periodic risk assessment strategies, mitigation plan, and roles and responsibilities of different parties in risk management.|
|Logging and Monitoring Policy||Define the approaches for logging user activities and monitoring them.|
|Data Classification Policy||Identify and establish classification definitions for sensitive, protected, and public data and default data classification|
|Incident Response Policy||Roles and responsibilities of members of the incident response team in the event of a security incident or data breach and authorized tasks|
|Information, Software and System Backup Policy||How frequent the data and system backups should be taken, how long they are retained and storage of backups||Acceptable Use Policy||Appropriate and inappropriate activities when using internal resources and rights and responsibilities when using them.||Business Continuity and Disaster Recovery Plan (BCDR)||A plan to continue business operations when the business is affected by a disaster to minimize the outages and impact to the users.||Vendor Management Policy||Define the responsible parties for vendor management, due diligence, and contract management.|
1. Delegate tasks
As part of the SOC 2 certification audit, you may need to gather a large number of documents. Consider this as teamwork and delegate this workload to responsible parties as much as possible. For example, assign the company’s incident response team to provide incident response plans and evidence for the mandatory training provided. You can also consider getting the help of an external service that can do these tasks on behalf of these teams.
2. Store all the required documents in a centralized repository
This will be helpful when accessing the documents by anyone involved in the audit. Also, make sure to make backup copies and hard copies in case of damages. Use an easy naming convention to organize them to easily identify and pick up the required document.
3. Educate your employees
Give a heads up about the audit to all the members of the organization so that everyone will be aware of the process. When everyone is informed, It can make auditors as well as your tasks easier during the process.
4. Consider automating the process
You can use audit workflow and preparation software which provides pre-built policies to map with SOC 2 compliance policies and many other functionalities to automate the compliance process.
Investing in this certification can provide you with the following key benefits.
Achieving SOC 2 compliance helps your organization stand out from the crowd. This guide explained in detail everything you need to know about this standard framework starting from its definition to the certification process.
You can follow the checklists and tips described in this guide to better prepare for the audit and save time and costs associated with it. Because the more you prepare, the fewer problems you face and meet the expected success from the examination.