SOC 2 Readiness Assessment: A complete guide to getting ready for a successful SOC 2 Audit


Are you SOC 2 certified? Did you complete a SOC 2 audit? Can you share your SOC report?

Chances are that your customers or your prospects have asked you these questions, and if you do not already have a SOC 2 report, you have struggled to answer. Your inability to confidently answer these questions is perhaps also blocking a sale. Yes, a SOC 2 examination has become the go-to standard for cybersecurity assurance for service providers, and you probably should be getting one done.

With our work helping customers meet their compliance objectives, such as SOC 2, we have written this guide to help you with your own SOC 2 initiative.

What is SOC 2?

Very simply, SOC 2 is an examination of your company’s security controls performed by an external certified CPA. Let’s dig into more details.

SOC 2 is a standard maintained by the American Institute of Certified Public Accountants (AICPA). It consists of Service Organization Controls (SOC 2) requirements and supporting guidance, and it may also include an examination of an organization’s controls with a resulting audit report. According to AICPA (the governing body that designs, develops, and maintains guidance on SOC 2 reports), a SOC 2 report is a “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.”

The SOC 2 report itself is an outcome of an audit conducted by an external Certified Public Accountant (CPA) on the company’s compliance controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. The examination of these controls is based on the Trust Services Criteria (TSC) and modeled around four broad areas:

  • Policies
  • Communications
  • Procedures
  • Monitoring

The report helps assure your customers and partners that your company takes cybersecurity and data privacy seriously. The report provides detailed information about your company’s security and privacy controls while highlighting the risk management processes, vendor management processes, and other company governance processes.

So what’s a control? A control is a statement describing any management, operational, or technical method used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help the company accomplish stated goals or objectives.

A SOC 2 evaluation categorizes the controls in high-level categories such as security, availability, processing integrity, confidentiality, and privacy, known as Trust Services Principles (TSPs).

At a minimum, a SOC 2 report must evaluate controls for Security where the system is protected against unauthorized access (physically and logically). Each TSP and associated Trust Services Criteria list the requirements your company must meet and points of focus that you must implement as controls to be ready for a SOC 2 examination. Below is a high-level overview of the various TSCs and the overarching requirements included for each.

Security
Evaluates the protection of information security systems from unauthorized access and other threats that could damage the information system’s confidentiality and availability.
Requirements and points of focus: the Security TSC covers 33 requirements with more than 120 points of focus implemented as controls.
Areas covered: personal conduct, corporate governance, awareness training, code of conduct, access control, asset management, data protection, change management, and hiring & termination workflows.

Availability
Evaluates controls related to the availability of information systems as defined by your SLA objectives.
Requirements and points of focus: three additional requirements for the Availability TSP, with about 15 points of focus typically implemented as controls.
Areas covered: current capacity, forecasting of system usage demand, data backup, and alternate processing infrastructure.

Processing Integrity
Evaluates controls that ensure information is processed accurately, on time, and completely, according to your company’s objectives.
Requirements and points of focus: five additional requirements and about 14 points of focus.
Areas covered: processing inputs, detection and correction of production errors, and other system processing specifications.

Confidentiality
Evaluates controls that secure and protect confidential information from unauthorized access.
Requirements and points of focus: the additional criteria for Confidentiality specify requirements for an entity to identify and maintain confidential information to meet its objectives related to confidentiality.
Areas covered: protecting, identifying, and maintaining sensitive information.

Privacy
Evaluates controls that are in place to protect the privacy of data subjects’ information and other data processed and stored in the information systems.
Requirements and points of focus: eight additional requirements and 50 points of focus for handling your customers’ and users’ private and personal data.
Areas covered: choice, consent, and collection of private information, access, disclosure, and monitoring.

What are the types of SOC 2 Reports?

There are two types of SOC 2 reports.

Type 1 Report – This report evaluates the suitability of the design of the controls at a point in time. The auditor assesses the effectiveness of control design and implementation. This report does not evaluate the operating effectiveness of the controls themselves. A Type 1 evaluation report is generally the first step for a company.

Type 2 Report – A Type 2 report evaluates both the design of the controls and their operating effectiveness over a period of time. This period must be at least six months and no more than 12 months before the Type 2 audit. An auditor assesses the controls’ operating effectiveness and the completeness of the evidence collected, then provides the report with an opinion and a detailed description of the tests of controls performed and their results.

Which SOC 2 report is right for my organization?

First-timers and startups most commonly get a SOC 2 Type 1 report, followed by a SOC 2 Type 2 report. After achieving the SOC 2 Type 2 report, there is usually no need for another Type 1 report.

What does the SOC 2 report contain?

A SOC 2 report is produced by an AICPA accredited auditor and may vary based on the company’s needs, scope, and environment. It typically contains the following information:

  • Management assertion and representation letters provided by you to the auditor in writing as part of the audit report.
  • A section describing the company’s in-scope environment, including products and services provided.
  • A description of system boundaries, infrastructure, integrations, software/tools, people, processes and procedures, information/data, data security and encryption, and incident management.
  • Description of applicable Trust Services Criteria framework & controls and related Trust Services Principles in the organization.
  • Description of control objectives, control activities, and control tests and results.
  • An auditor’s opinion after examining the controls of the company information systems in-scope evaluated against the Trust Services Criteria.

Does my company need a SOC 2 Report?

A SOC 2 report can help provide positive assurance to customers for many types of businesses; however, we see that companies dealing with customer data and doing business in the Cloud are the ones who most definitely need a SOC 2 Report. Most SaaS companies and software service providers fall in this category.

For other enterprises and businesses, SOC 2 may or may not be the right choice, and they may choose to pursue other cybersecurity certifications such as ISO 27001, NIST CSF, or others.

How long does it take to get a SOC 2 Report?

It takes anywhere from 30 days to one year to be ready for a SOC 2 audit. The time varies greatly depending on the organization’s size, complexity, the scope of the products & services, and preparedness for a SOC 2 audit. The examination/audit itself can last from 4 to 6 weeks. A Type 1 SOC 2 audit typically lasts 2-3 weeks, while a Type 2 SOC 2 audit can last up to six weeks.

Where do I start to get ready for SOC 2 audit?

Here’s what we see works best to get off the ground for SOC 2:

  1. Obtain clear management commitment: Management sponsorship goes a long way in securing resources, designing and building controls, policies, processes, and procedures.
  2. Identify your internal team: Identify a business process owner (BPO) within your company who will oversee the entire SOC 2 initiative and ongoing compliance.
  3. Recruit external resources (Service Providers & Consultants): Connect with external resources and services to augment your internal team. These resources generally are service providers or cybersecurity consultants to help you with your IT gap remediation.
  4. Pick an end-to-end SOC 2 platform (ControlMap): A platform such as ControlMap brings all your compliance work into a single platform, automates evidence collection, and is much more efficient than doing it manually.
  5. Select a competent Auditor: Auditors can help with the right plan, approach, and gap assessments for you to get started. Interview at least three SOC 2 auditors to find the right technology and cultural fit for your organization. ControlMap has a vast network of partner auditors well versed in the platform. Contact us so that we can introduce you to an excellent network of partner auditors.
  6. Scope your SOC 2 audit/report: Scoping your SOC 2 is essential to focus all your teams’ & auditor’s efforts in the right areas:
  • Identify the applications and services and other parts of your company that will be part of the SOC 2 evaluation.
  • Identify Trust Services Principles you need to be evaluated on. Remember that the Security Trust Principle is required while Availability, Confidentiality, Processing Integrity, and Privacy are optional and should be included based on your individual company needs. If you don’t know, you can always start with Security and then add other TSPs later.
  • Pick the type of report you want to be evaluated for. Most commonly, if you are doing an audit for the first time, then a Type 1 report is suitable. All subsequent audits are for a Type 2 report.

What’s a typical plan for a SOC 2 program?

Now that you know where and how to start, the next step is to define a plan with timelines to keep you on track for your SOC 2. You will typically create this plan in collaboration with your service provider and auditor. Here’s what a typical plan looks like:

  1. Legwork
  2. Readiness Assessment (1 – 2 Weeks)
  3. Control Environment Design (1 – 12 weeks)
  4. Type 1 Audit
  5. Control Operations, Monitoring & Evidence Collection (6 – 12 months)
  6. Type 2 Audit

These durations are highly company-dependent and sometimes could take more than a year. A platform like ControlMap can cut down readiness and control design time by 90% with its built-in controls and evidence collection connectors.

1. Legwork

Legwork is about getting started: the internal readiness, team, objectives, and scoping exercise discussed above under “Where do I start to get ready for SOC 2 audit?”

2. Readiness Assessment

In this phase, you and your readiness consultant assess where you stand and which gaps need to be addressed. One or both of the following readiness assessment approaches will work, depending on your company’s maturity, products, and services.

  • Answer a SOC 2 Readiness Assessment: A SOC 2 readiness assessment guides you through a Yes / No questionnaire to identify gaps and come up with a list of to-do’s before you are audit-ready.
  • Perform an Automated Cloud Compliance Check / Scan: Start here if your products and services are in Cloud environments such as AWS, Azure, or Google Cloud. An automated scanner can check your Cloud configuration against standard security rules and present a list of areas that need remediation.

3. Control Environment Design

There are four key activities that are typically performed in this stage:

  1. Information Assets Inventory
  2. Risk Assessment, Report, and Treatment Plan
  3. Design the control environment – aka, information security management system
  4. Establish and document policies, processes, and procedures

1. Information Assets Inventory

The information assets inventory is one of the most crucial information security assurance principles. Every single information asset in the business or organization’s data processing infrastructure must be accounted for and listed. This includes information sources and systems, physical computing assets, licensed software assets, and open-source software assets used within the in-scope control environment.

2. Risk Assessment

This phase aims to identify the critical risks your business faces and create mitigating controls for those risks. It usually varies based on the business environment, but there are common risks for Cloud businesses, software products, and services that you should mitigate. A formal periodic Risk Assessment exercise guides your team in identifying/updating critical risks, assigning scores, and reviewing controls to mitigate those risks.

3. Controls Design

During this step, you design and define controls based on the assessment gaps and identified risks. You identify owners for each control and define the evidence that has to be collected and its frequency.

Here are the most critical control areas for defining controls for a successful SOC 2 audit. You can sign up for free to look at all controls required for SOC 2.

Human Resource Management
Objective: Establish policies and procedures relating to Human Resources. These controls typically apply to procedures such as employee background verification, hiring & termination, employee handbooks, code of conduct, etc.
Sample controls:
– Employee handbook.
– Job descriptions, including security responsibilities.
– Background screening policy and procedures.
– Hiring & termination processes and checklists.
– Employment agreements.

Security Awareness & Training
Objective: Establish policies and procedures relating to the workforce’s security awareness and training to prevent data loss and theft.
Sample controls:
– Annual security awareness training.
– Role-based security awareness training.

Risk Management Procedures
Objective: Conduct an annual risk assessment to identify critical risks to the company and perform a risk mitigation exercise.
Sample controls:
– Annual risk assessment, report, and treatment plan.

Identity & Access Control
Objective: Establish controls to restrict user access to sensitive information, and document policies and procedures for granting and revoking access to information systems.
Sample controls:
– Centrally manage all users & identities in the company.
– A strong password policy is defined for all sensitive systems.
– Multi-factor authentication is enabled for administrator access and other sensitive access.

Application & Information Security
Objective: Define and maintain application development and operation security standards.
Sample controls:
– All code development follows security standards such as OWASP.
– A baseline security configuration is established for all applications and systems.
– Software development, QA / testing, staging, and production environments are separated.

Cryptographic Protection
Objective: Define cryptographic protection for data at rest and data in transit.
Sample controls:
– All databases are encrypted.
– All data transmission is protected using secure protocols, i.e., HTTPS, TLS.
– All sensitive removable storage is encrypted.

Threat & Vulnerability Detection
Objective: Establish, document, approve, communicate, apply, evaluate, and maintain policies and procedures to identify, report, and prioritize the remediation of vulnerabilities, protecting systems against vulnerability exploitation. Review and update the policies and practices at least annually.
Sample controls:
– Malware protection policy and procedures.
– Perform quarterly penetration testing.
– Perform application vulnerability testing & detection each quarter.

Logging & Monitoring
Objective: Establish policies, procedures, and controls for logging all user and administrative access, and monitor the logs to detect anomalies in access patterns and security incidents.
Sample controls:
– Retain audit logs for at least 60 days, or longer to support investigations.
– Monitor security logs to detect activity outside of known patterns.
– Log and monitor cryptographic key user lifecycle events.

Change Management
Objective: Establish policies and procedures for making changes in the environment.
Sample controls:
– Centrally track all application changes.
– Production changes require explicit approval.
– The security team reviews security-related changes.
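As an added example that is not part of this guide or of ControlMap’s product, the following Python script shows what the automated compliance check described under Readiness Assessment looks like when it is driven by a few of the sample controls above: MFA on administrator access, encrypted databases, TLS-only transport, 60-day log retention, and approved production changes. The environment snapshot and its field names are constructed assumptions, not any cloud provider’s export format.

```python
from dataclasses import dataclass

# Constructed snapshot in the shape a cloud scanner or evidence connector
# might export. Field names are assumptions; values chosen to trigger gaps.
SNAPSHOT = {
    "users": [{"name": "alice", "admin": True, "mfa": True},
              {"name": "bob", "admin": True, "mfa": False},
              {"name": "carol", "admin": False, "mfa": False}],
    "databases": [{"name": "orders-db", "encrypted_at_rest": True},
                  {"name": "analytics-db", "encrypted_at_rest": False}],
    "endpoints": [{"host": "api.example.test", "tls": True},
                  {"host": "legacy.example.test", "tls": False}],
    "log_retention_days": 30,
    "changes": [{"id": "CHG-1", "env": "production", "approved_by": "dana"},
                {"id": "CHG-2", "env": "production", "approved_by": None},
                {"id": "CHG-3", "env": "staging", "approved_by": None}],
}

@dataclass
class Finding:
    control_area: str  # control area as named in the table above
    resource: str      # user, system or ticket that fails the check
    detail: str

def check_admin_mfa(snap):
    """Identity & Access Control: MFA on all administrator access."""
    return [Finding("Identity & Access Control", u["name"], "admin without MFA")
            for u in snap["users"] if u["admin"] and not u["mfa"]]

def check_db_encryption(snap):
    """Cryptographic Protection: all databases encrypted at rest."""
    return [Finding("Cryptographic Protection", d["name"], "database not encrypted")
            for d in snap["databases"] if not d["encrypted_at_rest"]]

def check_tls_transport(snap):
    """Cryptographic Protection: data in transit only over TLS/HTTPS."""
    return [Finding("Cryptographic Protection", e["host"], "endpoint without TLS")
            for e in snap["endpoints"] if not e["tls"]]

def check_log_retention(snap, minimum_days=60):
    """Logging & Monitoring: audit logs retained at least 60 days."""
    days = snap["log_retention_days"]
    if days < minimum_days:
        return [Finding("Logging & Monitoring", "audit-logs",
                        f"retention {days}d < {minimum_days}d")]
    return []

def check_change_approval(snap):
    """Change Management: production changes require explicit approval."""
    return [Finding("Change Management", c["id"], "production change unapproved")
            for c in snap["changes"]
            if c["env"] == "production" and not c["approved_by"]]

CHECKS = [check_admin_mfa, check_db_encryption, check_tls_transport,
          check_log_retention, check_change_approval]

def run_readiness_check(snap):
    """Run every check; return findings grouped by control area."""
    by_area = {}
    for check in CHECKS:
        for finding in check(snap):
            by_area.setdefault(finding.control_area, []).append(finding)
    return by_area
```

Running `run_readiness_check(SNAPSHOT)` on the constructed snapshot yields five findings across four control areas; the same rules, pointed at a real inventory export, become the gap list the readiness phase asks for.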

4. Establish and document policies, processes, and procedures

Within each Trust Services Principle, there are four main categories of documented activities that must be performed during the examination/audit period.

Policies: The company has defined and documented its policies relevant to the particular principle.

Communications: The company has communicated its defined policies to responsible parties and authorized users of the system.

Procedures: The company has placed in operation procedures to achieve its objectives in accordance with its defined policies.

Management & Monitoring: The company monitors the system and takes action to maintain compliance with its defined policies.

A SOC 2 evaluation requires the following policies to be established and documented:

  • Information Security Policy
  • Security Awareness and Communication Policy
  • Code of Conduct Policy
  • Change Management Policy
  • Encryption Policy
  • Access Control Policy
  • Remote Work policy
  • Risk Assessment Policy
  • Vendor Management Policy
  • VPN Policy
  • Logging and Monitoring Policy
  • Incident Management Policy
  • Wireless Access Policy
  • Asset Classification & Management Policy

5. Control Operations, Monitoring & Evidence Collection

During this focused period, your company operates the designed controls, continuously monitors them, and collects relevant evidence about the controls’ proper functioning.

The activities during this period are continuous, and the evidence collected is specific to the environment, controls, products, and services. Illustrative activities and the evidence that must be collected are as follows:

New hire onboarding & employee termination activities

– List of new hires.
– Proof that background checks were conducted.
– Proof that access authorizations were approved.
– Proof of employment contract and handbook signatures.
– Proof that terminated employees’ assets were returned.

Change management activities

– List of change tickets for the examination period.
– Proof of change management approval.

User access provisioning and de-provisioning

– List of approvals for administrative access.
– List of access requests.
– Proof of role-based access.
– List of privileged and least functional access.

Application vulnerability scans

– Quarterly vulnerability scan reports.
– Proof of vulnerability remediation.

Penetration testing reports

– Proof of penetration testing performed by a third-party.
– Proof of penetration testing findings and remediation.

Which evidence collection can be automated?

Evidence collection is a broad topic. We will write a detailed blog about how to automate each type of evidence; however, you can automate and streamline up to 90% of evidence collection. A platform like ControlMap can continuously monitor your cloud environment, your HR systems, your vulnerability scanning tools, among others, so that it never feels like you are out of compliance.

How much does a SOC 2 report cost?

The cost of your SOC 2 will vary and will depend on the scope you select and the complexity of your company’s products and services. Typically, the SOC 2 cost comprises the following components:

  1. Internal team cost
  2. External service provider cost
  3. Auditor Cost
  4. IT Services cost (Vulnerability / Penetration Testing)
  5. Cost of other tools & services, such as log management

All combined, a SOC 2 report can be a costly affair. A typical audit can cost upwards of $40,000 for a Type 1 and Type 2 report. Additional services such as internal audits, service providers for penetration testing, etc., generally range from $15,000 to $50,000 but can be even more depending on the control environment scope, information security maturity, and staff participation.

Is it worth it?

Yes, it is ABSOLUTELY worth it! A SOC 2 Report not only impacts your business reputation and its ability to compete in the market today but also sets up acceptable security practices and even improves operational effectiveness.

Closing remarks

We wish you all the best as you get started on your SOC 2 journey.
