How to Prepare for a SOC 2 Security Assessment

Security assessments such as SOC 2 reports are increasingly a requirement of doing business. Organizations often approach us needing a SOC 2 but not knowing where to start.

So, let’s break down the significant steps in preparing for a SOC 2.

Step 1: Identify Your Commitments

The foundation of the SOC 2 lies in the commitments you make to your users and stakeholders. The criteria used in a SOC 2 examination (the AICPA Trust Services Criteria) are the measuring stick you adopt to determine whether you have achieved those service commitments.

So, the first step is to identify and document what those commitments are. We often look at terms of service, master service agreements, or other external communications (marketing material, security pages, customer-facing documentation) to help our clients identify any promises they are making.

The commitments relevant to the SOC 2 are the baseline commitments you make to the broad base of your users, not one-off items negotiated with a single customer. These commitments are referred to as the Principal Service Commitments and are disclosed within your SOC 2 report, so it is vital to give them focused consideration.

Step 2: Choose the SOC 2 Categories Relevant to Your Commitments

The next step is determining which SOC 2 Categories should be incorporated into the scope. There are five Trust Services Categories, each with its own criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Sometimes we see ambitious companies who want to shoot for the moon and tackle all five, but that isn’t necessarily the right approach.

The categories chosen should directly relate to the nature of your service and your commitments to your users. For example, if you make explicit commitments regarding the uptime of an application or other service level metrics, then the Availability Category should be considered. If you handle personally identifiable information (PII) and make commitments regarding how that information is used, then the Privacy Category may be pertinent. The Security Category is made up of the common criteria, which apply to every SOC 2 examination, so it is always in scope.

Add the other categories only where you have actual commitments around availability, processing integrity, confidentiality, or privacy. Each extra category brings additional criteria, controls, and testing, and if no commitment backs it, it adds cost without adding assurance your users asked for.

Step 3: Define Objectives and Perform a Risk Assessment

After your commitments are defined and you’ve adopted the appropriate categories, the next step is to determine the objectives for your program. Just like your company likely sets objectives or goals for other aspects of your business, the same is true for your security and compliance program.

Many of the criteria in SOC 2 reference your objectives. These should be the high-level operational, reporting, and compliance goals you have for your program, and they should be specific enough that you can assess the risks to achieving them.

Here is a cheat code we often give our clients: because you have adopted SOC 2 as your measurement criteria for achieving your commitments, it makes sense to use the SOC 2 criteria themselves as the objectives for your program. Whatever you claim your objectives to be, they should be formally documented in the policies and procedures for your program.

Once your objectives are identified and documented, perform a risk assessment. During the risk assessment, you consider the risks that may prevent each objective from being achieved. If you have adopted the SOC 2 criteria as your objectives, assess the risks associated with each criterion and document them, along with their likelihood and impact, within your risk assessment.

When conducting this exercise, it is a good idea to get input from multiple individuals in different subject areas throughout your organization; engineering, operations, and people teams each see risks the others do not.

Step 4: Risk Mitigation and Implementation of Controls

Next, you want to mitigate the identified risks for each objective (or criterion). You should respond to each identified risk with control activities that reduce the risk to acceptable levels.

You may already have many relevant controls in place, and it is just a matter of formally documenting them. If not, consider a mix of preventative, detective, and corrective activities to address each risk. If you use a GRC tool, it likely has a robust library of controls relevant to mitigating your identified risks; adopt the ones that map to a risk you actually identified rather than importing the whole library. It is crucial to start with the risk assessment when adopting controls, because that is what keeps your program risk-based and business-aligned rather than a checklist exercise.

After completing this exercise, formally implement your control activities within your company’s policies and procedures. You may need to create new policies and procedures to do so.

Formal documentation and implementation of controls are both vital to creating accountability and operational requirements internally, and they are traits of a successful program. It is important that your policies and procedures accurately reflect your actual processes and the controls you have implemented, because the auditor will test what is written against what is done. Avoid overly vague policies and procedures that create ambiguity. Documenting the detailed who, what, when, where, and how will generate a great deal of clarity as well as operational and audit efficiencies for you.

Step 5: Engage an Auditor and Prepare for the Examination

At this point, you are ready to engage an auditor to evaluate your program. The auditor can typically perform a readiness evaluation or gap assessment to give you feedback before starting the formal examination. This can be a valuable step to help ensure a smooth assessment and reduce the likelihood of reporting issues. Keep in mind that the auditor can tell you where the gaps are but cannot design or operate your controls for you; under the independence rules that apply to the examination, remediation remains your responsibility.

Make sure you pick an auditor experienced in your industry with the technical knowledge to help guide you on your journey. Your auditor can advise you whether a Type 1 (evaluation of the design and implementation of controls as of a point in time) or a Type 2 (evaluation of the design and operating effectiveness of controls over a period) SOC 2 is right for your stage.

Your auditor should also help you establish a project plan and give you a clear idea of expectations moving forward.

Written By:

Dale Crump

Dale Crump is the Founder and Managing Partner of AssurancePoint. Dale has over a decade of experience in information security auditing, governance, risk, compliance, and internal control frameworks. Dale is the SOC examination practice lead at AssurancePoint and has personally contributed to the issuance of hundreds of audit reports for companies in various industries including healthcare, financial technology, information privacy, legal, gaming, managed services, marketing, and logistics. Dale is a strong advocate of advancing quality in the security and compliance industry and delivering value to his clients. Dale is a licensed certified public accountant (CPA) and also holds various other industry and security specific certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Certificate of Cloud Security Knowledge (CCSK), ISO 27001 Lead Auditor, and the Advanced SOC for Service Organizations credential, among others. Dale is an active member of the AICPA, Georgia Society of CPAs, ISACA, ISC2, and the IAPP.