How to Prepare for a SOC 2 Security Assessment

Security assessments, such as SOC 2 reports, are increasingly becoming a requirement in modern business. Organizations often approach us needing a SOC 2 but need help knowing where to start.

So, let’s break down the significant steps in preparing for a SOC 2.

 

Step 1: Identify Your Commitments

The foundation of the SOC 2 lies in the commitments you make to your users and stakeholders. The criteria within the SOC 2 are the measuring stick you are adopting to determine if you have achieved your service commitments.

So, the first step is to identify and document what those commitments are. We often look in terms of service, master service agreements, or other external communication mechanisms to help our clients identify any promises they are making.

The commitments relevant to the SOC 2 are the baseline commitments you make to the broad base of your users and not any one-off negotiated items. These commitments are referred to as the Principal Service Commitments and are disclosed within your SOC 2 report, so it is vital to give them focused consideration.

 

Step 2: Choose the SOC 2 Categories Relevant to Your Commitments

The next step is determining which SOC 2 Categories should be incorporated into the scope. There are five categories, each with its own criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy). Sometimes, we see ambitious companies who want to shoot for the moon and tackle all five categories, but that isn’t necessarily the right approach.

The categories chosen should directly relate to the nature of your service and your commitments to your users. For example, if you are making explicit commitments regarding the uptime of an application or other service level metrics, then the Availability Category should be considered. Or if you are handling personally identifiable information (PII) and making commitments regarding the use of that information, then the Privacy Category may be pertinent. The Security Category contains criteria applicable to all other categories and is generally incorporated by default.

You should consider the additional categories only if you have commitments around availability, processing integrity, confidentiality, or privacy.

 

Step 3: Define Objectives and Perform a Risk Assessment

After your commitments are defined and you’ve adopted the appropriate categories, the next step is to determine the objectives for your program. Just like your company likely sets objectives or goals for other aspects of your business, the same is true for your security and compliance program.

Many of the criteria in SOC 2 actually reference your objectives. These should be the high-level operational, reporting, and compliance goals you have for your program and should be specific enough to allow you to assess the risks toward achieving them.

Here is a cheat code we often give our clients: Because you have adopted SOC 2 as your measurement criteria for achieving your commitments, it makes sense to leverage the SOC 2 criteria themselves as the objectives for your program. Whatever you claim your objectives to be, they should be formally documented in the policies and procedures for your program.

You should perform a risk assessment once your objectives are identified and documented. During the risk assessment, you consider the risks that may prevent your objectives from being achieved. If you’ve adopted the SOC 2 criteria as your objectives, you should assess and evaluate the risks associated with each criterion and document them within your risk assessment.

When conducting this exercise, getting input from multiple individuals in different subject areas throughout your organization is often a good idea.

 

Step 4: Risk Mitigation and Implementation of Controls

Next, you want to mitigate the identified risks for each objective (or criterion). You should respond to each identified risk with control activities that reduce the risk to acceptable levels.

You may already have many relevant controls in place, and it is just a matter of formally documenting them. If not, you should consider a mix of preventative, detective, and corrective activities to control that risk. If you leverage a GRC tool, they likely have a robust set of controls you may leverage that are relevant to mitigating your identified risks. It is crucial to start with a risk assessment when adopting controls. This will help ensure your program is risk-based and business-aligned.

After completing this exercise, you want to formally implement your control activities within your company’s policies and procedures. You may even need to create new policies and procedures.

The formal documentation and implementation of controls are both vital to creating accountabilities and operational requirements internally and are traits of a successful program. It is important that your policies and procedures accurately reflect your processes and the controls you have implemented. Avoid overly vague policies and procedures that create ambiguity–documenting the detailed who, what, when, where, and how will generate a ton of clarity as well as operational and audit efficiencies for you.

 

Step 5: Engage an Auditor and Start and Prepare for an Examination

At this point, you are ready to engage an auditor to evaluate your program. The auditor can typically perform a readiness evaluation or gap assessment to give you feedback before starting the formal examination. This can be a valuable step to help ensure a smooth assessment and reduce the likelihood of reporting issues.

Make sure you pick an auditor experienced in your industry with the technical knowledge to help guide you on your journey. Your auditor can advise you if a Type 1 (evaluation of the design and implementation of controls) or a Type 2 (evaluation of the design and operating effectiveness of controls over a period) SOC 2 is correct for your stage.

Your auditor should also help you establish a project plan and give you a clear idea of expectations moving forward.

Contact us today to get started.

Written By:

Dale Crump

Dale Crump is the Founder and Managing Partner of Assurance Point, LLC. Dale oversees a variety of attestation and advisory engagements within the information security, privacy, risk management, and compliance sectors.

He has broad experience across an array of internal control and risk management frameworks and specializes in SOC reporting, having contributed to the issuance of over a thousand high-quality reports in his career.

Dale is a licensed CPA, and holds additional certifications including the CISSP, CISA, CIPP/US, CCSK, ISO 27001 Lead Auditor, and the Advanced SOC for Service Organizations credential. Dale is an active member of the AICPA, Georgia Society of CPAS, ISACA, and the IAPP, among others. In his spare time Dale is an avid outdoors enthusiast, Atlanta sports fan, and enjoys spending time with his two kids.

Why SOC Examinations Matter for C-Suite Executives

In today’s rapidly evolving digital landscape, the stakes for securing sensitive data are higher than ever. For C-suite executives such as CISOs, CTOs, CIOs the need for efficient and verifiable security practices is essential. System and Organization Controls...

What Are SOC Reports – The Basics 2

SOC 1 vs SOC 2: Choosing the Right Examination

System and Organization Controls 1 and 2 (SOC 1 and SOC 2) reports are both related tointernal controls within organizations, but they serve different purposes and audiences. Whichone is right for your organization? It will depend on the use case of the report and...

Security Events vs. Security Incidents

Security Events vs. Security Incidents

In the world of cybersecurity, a common misunderstanding often exists within organizations - the distinction between security events and security incidents. We audit a lot of organizations’ incident management protocols, and the lack of a distinction between event...

How to Evaluate Auditors 2

How to Evaluate Auditors

Selecting an audit firm can, and probably should, feel daunting. After all, you hopefully will work with this firm for many years to come, so it shouldn’t be a rushed decision. Many organizations make the mistake of letting cost be the primary driver of choosing an...

Factors That Create a Positive Compliance Experience

Factors That Create a Positive Compliance Experience

There is no doubt in my mind that I have seen vastly more audit horror stories and unsatisfied auditees on public forums and social media than I have seen people raving about a positive audit experience. Auditing is an extremely tough profession, and we auditors...