Now that you know where and how to start, the next step is to define a plan with timelines to keep you on track for your SOC 2. You will typically create this plan in collaboration with your service provider and auditor. Here's what a typical plan looks like:
- Readiness Assessment (1 – 2 weeks)
- Control Environment Design (1 – 12 weeks)
- Type 1 Audit
- Control Operations, Monitoring & Evidence Collection (6 – 12 months)
- Type 2 Audit
These durations are highly company-dependent and sometimes could take more than a year. A platform like ControlMap can cut down readiness and control design time by 90% with its built-in controls and evidence collection connectors.
Legwork is about getting started: it covers your company's internal readiness, the team, the objectives, and the scoping exercise we discussed earlier. Where do we start?
2. Readiness Assessment
In this phase, you and your readiness consultant assess where you stand and which gaps need to be addressed. Depending on your company's maturity, products, and services, one or both of the following readiness assessment approaches will work for you.
- Answer a SOC 2 Readiness Assessment: A SOC 2 readiness assessment guides you through a Yes / No questionnaire to identify gaps and produce a list of to-dos to complete before you are audit-ready.
- Perform an Automated Cloud Compliance Check / Scan: Start here if your products and services are in Cloud environments such as AWS, Azure, or Google Cloud. An automated scanner can check your Cloud configuration against standard security rules and present a list of areas that need remediation.
3. Control Environment Design
There are four key activities that are typically performed in this stage:
- Information Assets Inventory
- Risk Assessment, Report, and Treatment Plan
- Design the control environment, also known as the information security management system
- Establish and document policies, processes, and procedures
1. Information Assets Inventory
The information assets inventory is one of the most crucial information security assurance principles. Every single information asset in the business or organization’s data processing infrastructure must be accounted for and listed. This includes information sources and systems, physical computing assets, licensed software assets, and open-source software assets used within the in-scope control environment.
2. Risk Assessment
This phase aims to identify the critical risks your business faces and create mitigating controls for those risks. It usually varies based on the business environment, but there are common risks for Cloud businesses, software products, and services that you should mitigate. A formal periodic Risk Assessment exercise guides your team in identifying/updating critical risks, assigning scores, and reviewing controls to mitigate those risks.
3. Controls Design
During this step, you design and define controls based on the assessment gaps and the identified risks. You identify an owner for each control and define the evidence that must be collected and how often it is collected.
Here are the most critical control areas for defining controls for a successful SOC 2 audit. You can sign up for free to look at all controls required for SOC 2.