Whether you are preparing for your first SOC 2 audit or have already achieved SOC certifications several times, here is a checklist you will find helpful when getting ready for an upcoming audit.
- Get your executive management on board.
- Communicate with the responsible parties.
- Finalize / review the scope of the audit.
- Perform an internal review of controls, policies and procedures.
- Collect evidence into a central repository.
1. Get your management’s buy-in.
One of the most significant factors in the success of any SOC 2 audit is securing your senior management’s buy-in. Identify an executive sponsor for the program who speaks for management and can demonstrate the executive team’s commitment to maintaining ethics, security, integrity, and privacy across all operations of the organization. Use your executive sponsor’s support to free up resources across different teams during the audit and to communicate the objectives and importance of the audit. Senior management will also be required to provide a letter of assertion to the auditors to demonstrate their understanding of the audit and the certification.
2. Communicate with responsible parties.
Although an Infosec team or a Compliance team can be made centrally responsible for achieving SOC 2 compliance, in reality it is a cross-functional process involving HR, IT, Engineering, and sometimes other departments such as Marketing. Expectations and responsibilities must be communicated clearly to the respective teams. Also, plan to obtain an extended commitment from the senior management of these teams if needed. Typical asks of a cross-functional team member are:
- Present policy and procedure documentation
- Gather evidence to show policy implementation
- Make themselves available for discussions with the Auditor
- Act on any findings or gaps
- Respond with additional evidence requests during the Audit
3. Finalize / Review the scope of the Audit
Scope, a crucial aspect of every SOC 2 audit, is driven by your customers’ requirements, your environment, and the type of data you process for your customers. SOC 2 prescribes the following scopes, of which Security is the only mandatory one.
- Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability – Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
An essential part of the scoping exercise is to determine the physical and logical boundaries of the audit scope. For example, you may choose to audit only one physical location out of many, or only one aspect of your SaaS application or product rather than the whole product. Additionally, document your environment and make a list of software tools, cloud environments, external vendors and outsourcing partners, as they will have to provide their own security certifications. Consider the scope carefully, as it directly determines the amount of work you will have to do to complete the audit.
4. Perform an internal review of controls/policies & procedures
SOC 2 for a service organization is about evaluating its controls as relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. That is what the auditors test, and you should be ready for it. 45-60 days before the expected audit, ensure that you have a consolidated list of your organization’s policies and the related security controls documented. Systematically conduct a test of controls by verifying that the attached policies are up to date and reviewed periodically. Collect evidence that controls are functioning and policies are enforced. Also, document any gaps and delegate responsibility to the respective owners to fix the findings. If you still do not have documented controls, it is a good idea to start recording them as simple procedures.
5. Consolidate evidence
You will be required to prove to the auditors that you are doing what your controls say you do. Auditors generally use a population/sampling methodology to decide what evidence and data they request. Hence, it is a good idea to get a grasp of where all the evidence exists and who owns it, and, if possible, to consolidate the evidence in one place. That way, during the audit you can respond to the auditor’s data requests promptly.
Hopefully, this checklist gives you a head start as you prepare for the audit. Happy auditing.