SOC 2 Compliance. What, Why, and How.

What is SOC 2?

Service Organization Controls (SOC) 2 is an information security compliance standard maintained by the American Institute of Certified Public Accountants (AICPA). It is designed to test and demonstrate the cybersecurity posture of an organization.

To get a SOC 2, companies must create a compliant cybersecurity program and complete an audit with an AICPA-affiliated CPA. The auditor reviews and tests the cybersecurity controls against the SOC 2 standard and writes a report documenting their findings.

The resulting SOC 2 report facilitates sales and vendor management by providing one document that sales teams can send to potential customers for review, instead of working through cybersecurity questionnaires.

5 Trust Services Criteria

  • Security (REQUIRED)
    • Guidelines on company management and culture, risk assessments, communication, control monitoring, and cybersecurity strategy
  • Availability – uptime of a vendor's services
    • Controls include plans to maximize uptime and restore availability after an outage.
    • Business continuity, data recovery, and backup plans are all important controls for this criterion.
  • Processing Integrity – how a vendor processes the data it collects
    • Controls are meant to evaluate that data processing is performed in a consistent manner and that exceptions are handled appropriately.
      • It is challenging and laborious work to create the documentation needed to meet this criterion, because it requires SOC 2-specific content with detailed descriptions of how data is being processed. (Almost all other content used in a SOC 2 audit has applications outside of SOC 2; this does not.)
  • Confidentiality – used to keep confidential business data confidential
    • This criterion expects vendors to identify and protect confidential data.
    • Example controls for confidentiality include encryption and data destruction.
  • Privacy – how personal information is kept private
    • This criterion requires that vendors have a privacy policy, that personal data is collected legally, and that it is stored securely.
    • SOC 2 Privacy is more applicable to Business-to-Consumer companies than to Business-to-Business companies.

How Do I Get There?

To achieve SOC 2 Type 2 compliance, you will need to implement and maintain strong controls over your systems and processes. This will typically involve the following steps:

  • Identify the systems and processes that need to be covered by your SOC 2 Type 2 compliance efforts.
  • Develop policies and procedures to ensure that these systems and processes are secure and meet the relevant standards.
  • Implement technical and organizational controls to support these policies and procedures.
  • Test and monitor your controls to ensure that they are effective.
  • Conduct an independent audit of your controls by a certified third-party auditor.
  • Obtain a report from the auditor indicating that your controls meet the relevant standards.

Achieving SOC 2 Type 2 compliance is an ongoing process, and you will need to continually review and update your controls to ensure that they remain effective.

What Can I Do To Prepare?

  • Determine Scope
    • SOC 2 is about demonstrating your commitment to security and improving customer confidence in your security program. You should include all services and products that you expect customers will have security concerns about.
  • Identify and fill gaps
    • Evaluate your current cybersecurity program against the SOC 2 control set. Even companies with mature cybersecurity programs do not meet every single control from the get-go.
      • There are a number of administrative and technical security controls that are often overlooked prior to getting a SOC 2, and they can be sticking points that generate a lot of additional work before and during the audit process.
  • Document – create and edit security policies and other documentation
    • Define access controls, including multi-factor authentication: who is required to have it, which types of apps are required to use it and which are not, and which authenticator apps are allowable.
      • Most controls need a policy and evidence that your organization is sticking to the policy created for them. It's a lot of work – but your company will become much more secure in the process.
  • Modify internal procedures.

What Are The Benefits?

  • Demonstrating to customers that you have strong controls in place to protect their data can help you build trust with them and increase customer satisfaction.
  • Achieving SOC 2 Type 2 compliance can help you comply with regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).
  • Demonstrating that you have been independently audited and have met industry standards for information security can give your business a competitive advantage.
  • Achieving SOC 2 Type 2 compliance can also protect your business from potential liabilities, as it shows that you have taken reasonable steps to protect your customers’ data.
  • Finally, implementing strong controls as part of your SOC 2 Type 2 compliance efforts can help you improve the security and reliability of your systems, which can ultimately benefit your business by reducing the risk of data breaches, system failures, and other security incidents.

How Can We Help?

  • Perform a Gap Assessment – A gap assessment is crucial for taking stock of an existing cybersecurity program and finding gaps that need to be filled to get your company audit-ready.
  • Acquire and implement technical controls – if there's a deficit, consultants help companies add the needed controls to improve security and ensure compliance.
  • Adjust policies and procedures – As we just mentioned, policies and procedures are likely not to be audit-ready until efforts are made to make them so.
  • Create content – The content that's created is going to be key documentation for a SOC 2 audit. Policies, procedures, reports – they can write it and get it in place.
  • Project manage – Virtual CISOs can project-manage the whole audit project. There's something to be said for domain-expert project managers.
  • Perform risk assessments – if this is not something you were doing before, you will be now! Risk assessments are mandatory for SOC 2 compliance, and a Virtual CISO can perform the assessment and write the report.
  • Perform vendor evaluations – Vendor management is a part of every SOC 2 compliance program. If this is not already in practice at an organization, it can be valuable to outsource the activity to an expert.
  • Perform an "External Internal Audit" – Internal audits are necessary for SOC 2 compliance – they help make sure that your company is doing everything needed before the auditor catches you. Some firms don't have an internal audit function, so an "External Internal Auditor" who is familiar with the standards and can keep the organization accountable is helpful.
  • Select an Auditor – A good Virtual CISO will know what makes a good SOC 2 auditor and can remove auditor selection from your plate.
  • Advocate on your behalf with the Auditor – Your Virtual CISO will be with you for every audit call. They will advocate on your behalf, ensuring the auditor sets realistic compliance expectations for your organization.

Reach out to us if you need help @ mdesai@intervision.com