SOC 2 Readiness Assessment: A complete guide to getting ready for a successful SOC 2 Audit

Chances are that your customers or your prospects have asked you these questions, and if you do not already have a SOC 2 report, you have struggled to answer. Your inability to confidently answer these questions is perhaps also blocking a sale. Yes, a SOC 2 examination has become the go-to standard for cybersecurity assurance for service providers, and you probably should be getting one done.

With our work helping customers meet their compliance objectives, such as SOC 2, we have written this guide to help you with your own SOC 2 initiative.

Very simply, SOC 2 is an examination of your company’s security controls performed by an external certified CPA. Let’s dig into more details.

SOC 2 compliance is a component standard of the American Institute of Certified Public Accountants (AICPA)’s, which consists of Service Organization Controls (SOC 2) requirements and supporting guidance that may also include an examination of an organization’s controls with a resulting audit report. According to AICPA (the governing body that designs, develops, and maintains guidance on SOC 2 reports), a SOC 2 report is a “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.”

The SOC 2 report itself is an outcome of an audit conducted by an external Certified Public Accountant (CPA) on the company’s compliance controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. The examination of these controls is based on the Trust Services Criteria (TSC) and modeled around four broad areas:

• Policies
• Communications
• Procedures
• Monitoring

The report helps assure your customers and partners that your company takes cybersecurity and data privacy seriously. The report provides detailed information about your company’s security and privacy controls while highlighting the risk management processes, vendor management processes, and other company governance processes.

So what’s a control? – A control is a statement describing any management, operational, or technical method used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help the company accomplish stated goals or objectives.

A SOC 2 evaluation categorizes the controls in high-level categories such as security, availability, processing integrity, confidentiality, and privacy, known as Trust Services Principles (TSPs).

At a minimum, a SOC 2 report must evaluate controls for Security where the system is protected against unauthorized access (physically and logically). Each TSP and associated Trust Services Criteria list the requirements your company must meet and points of focus that you must implement as controls to be ready for a SOC 2 examination. Below is a high-level overview of the various TSCs and the overarching requirements included for each.

There are two types of SOC 2 reports.

Type 1 Report – This report evaluates the suitability of the design of the controls at a point in time. The auditor assesses the effectiveness of control design and implementation. This report does not evaluate the operating effectiveness of the controls themselves. A Type 1 evaluation report is generally the first step for a company.

Type 2 Report – A type 2 report evaluates the design of controls and their operating effectiveness of the controls for a period of time. This period must be at least six months and no more than 12 months before the Type 2 audit. An auditor assesses the controls operating effectiveness; completeness of the evidence collected and then provides the report with an opinion and detailed description of tests of controls performed and those tests’ results.

A SOC 2 report is produced by an AICPA accredited auditor and may vary based on the company’s needs, scope, and environment. It typically contains the following information:

• Management assertion and representation letters provided by you to the auditor in writing as part of the audit report.
• A section describing the company’s in-scope environment, including products and services provided.
• A description of system boundaries, infrastructure, integrations, software/tools, people, processes and procedures, information/data, data security and encryption, and incident management.
• Description of applicable Trust Services Criteria framework & controls and related Trust Services Principles in the organization.
• Description of control objectives, control activities, and control tests and results.
• An auditor’s opinion after examining the controls of the company information systems in-scope evaluated against the Trust Services Criteria.

A SOC 2 report can help provide positive assurance to customers for many types of businesses; however, we see that companies dealing with customer data and doing business in the Cloud are the ones who most definitely need a SOC 2 Report. Most SaaS companies and software service providers fall in this category.

For other enterprises and businesses, SOC 2 may or may not be the right choice, and they may choose to pursue other cybersecurity certifications such as ISO 27001, NIST CSF, or others.

It takes anywhere from 30 days to one year to be ready for a SOC 2 audit. The time varies greatly depending on the organization’s size, complexity, the scope of the products & services, and preparedness for a SOC 2 audit. The examination/audit itself can last from 4 to 6 weeks. A Type 1 SOC 2 audit typically lasts 2-3 weeks, while a Type 2 SOC 2 audit can last up to six weeks.

Here’s what we see works best to get off the ground for SOC 2

1. Obtain clear management commitment: Management sponsorship goes a long way in securing resources, designing and building controls, policies, processes, and procedures.
2. Identify your internal team: Identify a business process owner (BPO) within your company who will oversee the entire SOC 2 initiative and ongoing compliance.
3. Recruit external resources (Service Providers & Consultants): Connect with external resources and services to augment your internal team. These resources generally are service providers or cybersecurity consultants to help you with your IT gap remediation.
4. Pick an end-to-end SOC 2 platform (ControlMap): A platform such as ControlMap brings all your compliance work into a single platform, automates evidence collection, and is much more efficient than doing it manually.
5. Select a competent Auditor: Auditors can help with the right plan, approach, and gap assessments for you to get started. Interview at least three SOC 2 auditors to find the right technology and cultural fit for your organization. ControlMap has a vast network of partner auditors well versed in the platform. Contact us so that we can introduce you to an excellent network of partner auditors.
6. Scope your SOC 2 audit/report: Scoping your SOC 2 is essential to focus all your teams & auditor efforts in the right areas

• Identify the applications and services and other parts of your company that will be part of the SOC 2 evaluation.
• Identify Trust Services Principles you need to be evaluated on. Remember that the Security Trust Principle is required while Availability, Confidentiality, Processing Integrity, and Privacy are optional and should be included based on your individual company needs. If you don’t know, you can always start with Security and then add other TSPs later.
• Pick the type of report you want to be evaluated for. Most commonly, if you are doing an audit for the first time, then a Type 1 report is suitable. All subsequent audits are for a Type 2 report.

Now you know where and how to start, the next step is to define a plan with timelines to keep you on track for your SOC 2. You will typically create this plan in collaboration with your service provider and auditor. Here’s what a typical plan looks like,

1. Legwork
2. Readiness Assessment (1 – 2 Weeks)
3. Control Environment Design (1 – 12 weeks)
4. Type 1 Audit
5. Control Operations, Monitoring & Evidence Collection (6 – 12 months)
6. Type 2 Audit

These durations are highly company-dependent and sometimes could take more than a year. A platform like ControlMap can cut down readiness and control design time by 90% with its built-in controls and evidence collection connectors.

1. Legwork

Legwork is about Getting Started. It’s all about company internal readiness, team, objectives, and another scope exercise that we discussed. Where do we start?

2. Readiness Assessment

In this phase, you and your readiness consultant assess where you stand and what gaps are required to be addressed. One of the following or both readiness assessment approaches would work for you based on your company’s maturity, products, and services.

• Answer a SOC 2 Readiness Assessment: A SOC 2 readiness assessment guides you through a Yes / No questionnaire to identify gaps and come up with a list of to-do’s before you are audit-ready.
• Perform an Automated Cloud Compliance Check / Scan: Start here if your products and services are in Cloud environments such as AWS, Azure, or Google Cloud. An automated scanner can check your Cloud configuration against standard security rules and present a list of areas that need remediation.

3. Control Environment Design

There are four key activities that are typically performed in this stage,

1. Information Assets Inventory
2. Risk Assessment, Report, and Treatment Plan
3. Design the control environment – aka, information security management system
4. Establish and document policies, process, and procedures

1. Information Assets Inventory

The information assets inventory is one of the most crucial information security assurance principles. Every single information asset in the business or organization’s data processing infrastructure must be accounted for and listed. This includes information sources and systems, physical computing assets, licensed software assets, and open-source software assets used within the in-scope control environment.

2. Risk Assessment

This phase aims to identify the critical risks your business faces and create mitigating controls for those risks. It usually varies based on the business environment, but there are common risks for Cloud businesses, software products, and services that you should mitigate. A formal periodic Risk Assessment exercise guides your team in identifying/updating critical risks, assigning scores, and reviewing controls to mitigate those risks.

3. Controls Design

During this step, you design and define controls based on the assessment gaps and identified risks. You identify owners for each control and define the evidence that has to be collected and its frequency.

Here are the most critical control areas for defining controls for a successful SOC 2 audit. You can sign up for free to look at all controls required for SOC 2.

4. Establish and document policies, process and procedures

Within each Trust Services Principle, there are four main categories of documented activities that must be performed during the examination/audit period.

Policies: Company has defined and documented its policies relevant to the particular principle.

Communications: Company has communicated its defined policies to responsible parties and authorized users of the system.

Procedures: Company placed in operation procedures to achieve its objectives in accordance with its defined policies.

Management & Monitoring: Company monitors the system and takes action to maintain compliance with its defined policies.

A SOC 2 evaluation requires the following policies established and documented:

• Information Security Policy
• Security Awareness and Communication Policy
• Code of Conduct Policy
• Change Management Policy
• Encryption Policy
• Access Control Policy
• Remote Work policy
• Risk Assessment Policy
• Vendor Management Policy
• VPN Policy
• Logging and Monitoring Policy
• Incident Management Policy
• Wireless Access Policy
• Asset Classification & Management Policy

5. Control Operations, Monitoring & Evidence Collection

During this focused period, your company operates the designed controls, continuously monitors them, and collects relevant evidence about the controls’ proper functioning.

The activities during this period are continuous, and evidence collected is specific to the environment, controls, products, and services. Illustrative activities and the evidence that must be collected are following,

Evidence collection is a broad topic. We will write a detailed blog about how to automate each type of evidence; however, you can automate and streamline up to 90% of evidence collection. A platform like ControlMap can continuously monitor your cloud environment, your HR systems, your vulnerability scanning tools, among others, so that it never feels like you are out of compliance.

The cost for your SOC 2 will vary and will depend on the scope you select and the complexity of your company’s products and services. Typically the SOC 2 cost is comprised of the following components:

1. Internal team cost
2. External service provider cost
3. Auditor Cost
4. IT Services cost (Vulnerability / Penetration Testing)
5. Cost of other tools & services, such as log management

All combined, a SOC 2 report can be a costly affair. A typical audit can cost upwards of $40,000 for a Type 1 and Type 2 report. Additional services such as internal audits, service providers for penetration testing, etc., generally range from $15,000 to $50,000 but can be even more depending on the control environment scope, information security maturity, and staff participation.