SOC 2 is technically an attestation, not a certification or accreditation, although it is often called a "certification" in everyday conversation; I am not going to spend any time explaining the difference here. The primary reason companies pursue a SOC 2 attestation is that their clients and prospective clients expect them to have one; without it, they risk losing current business or being unable to win new business customers. If you have a more altruistic reason to pursue SOC 2 compliance, that is fine too. In either case, I recommend the following three steps to prepare for your SOC 2 compliance journey:
(1) First Step - Define the scope of your SOC 2 audit
Determine which systems, processes, and services to include in the audit. A SOC 2 report can cover a single major service or system, multiple services, or the entire organization, depending on how management defines the scope in consultation with the auditor. The scope is flexible and should be driven by business needs and client requirements; anything your clients rely on you for, and the infrastructure and personnel that support it, should be inside the boundary.
(2) Second Step – Decide which criteria (TSC) are relevant
Make sure you clearly understand which Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, and Privacy) are relevant to your organization. Security (the Common Criteria) is required in every SOC 2 report and is the universal baseline for protecting systems and data. Most companies undergoing a SOC 2 audit start there and then add Availability, Processing Integrity, Confidentiality, or Privacy depending on the services they provide and what their clients ask for. Security covers protection of systems against unauthorized access; the other categories address uptime (Availability), complete, accurate, and timely processing (Processing Integrity), safeguarding of information designated as confidential (Confidentiality), and the collection, use, retention, and disposal of personal information (Privacy).
(3) Third Step – Conduct a gap assessment
This is where a competent IT security auditor with extensive SOC 2 experience can help. Only a licensed CPA firm can issue the SOC 2 report itself, and that engagement is expensive. Before you engage a CPA firm and pay "mega" bucks, have an experienced SOC 2 auditor perform a gap assessment against the Trust Services Criteria at minimal cost, so you know which controls and policies are missing or undocumented and can fix them before the formal audit begins.
I developed an evidence collection system using Sync.com, a secure cloud storage platform that I highly recommend. With a free Sync.com account, you can securely upload requested evidence and policy documents and answer specific questions in a storage location that only you and the people you designate can access.
Please email me at info@bwtas.com and let me know your needs. Then let’s set up a conference call so I can demonstrate this process. Thank you for your kind attention!
Barry Williams, MBA, CISA, CISSP