Where to Start with SOC 2 Compliance

by Trava, Cyber Risk Management

Do you know what it actually takes to get your business through a SOC 2 audit and obtain a report?

SOC 2 Compliance Launchpad

Chances are you have a basic understanding of SOC 2 compliance and what a SOC 2 report can do for your company. But do you know what it actually takes to get there? Customers want evidence that you are doing everything you can to keep their information secure, and that is exactly why bringing your business up to the standard an auditor expects is not an easy task. Note that SOC 2 is an attestation, not a certification: the outcome is an independent auditor's report on your controls, and "SOC 2 certified" is shorthand for having a clean report in hand.

A step-by-step checklist for bringing your business operations into compliance with SOC 2 is tough to trust. Every business takes a somewhat different path, so a generic checklist gives the impression that SOC 2 audits are the same for everyone. They are usually similar, but each audit is scoped to your business: the systems you include, the people and data involved, and the criteria you select. Because of that, a standardized checklist is bound to give people the wrong impression of how to prepare for an audit.

Instead, this article will cover the things you can do to build your own customized checklist to help ensure you prepare for everything under the SOC 2 sun.

SOC 2 Scope and Objectives

The first thing you'll need to do in SOC 2 preparation is understand what the auditor is going to examine. The AICPA describes the system under audit in terms of five components, and your controls are evaluated across all of them:

  • Infrastructure
  • Data
  • People
  • Software
  • Procedures and policies, including risk management policies

As you can probably already see, the mix of these components differs for every company, so there is no guarantee that what worked for someone else will work for you. You must decide exactly which systems, people, and data will be in scope of the audit, and document that boundary before the auditor arrives.

Your scope also depends on which "Type" of report you are pursuing. A Type I report evaluates whether your controls are suitably designed at a single point in time; it is faster and easier to obtain, but it says nothing about whether those controls actually operated. A Type II report covers a review period, commonly three to twelve months: the auditor samples evidence from across that window to test that your controls were both designed properly and operating effectively throughout it.

Type II reports are what your customers really want to see, so it is recommended that you plan for one, which means your controls need to be in place and generating evidence before the review period starts.

Trust Services Criteria

Once you've determined which type of report you are going for, you need to understand the Trust Services Criteria (TSC). The auditor will test your controls against the criteria you have selected, and the results determine what your report says. The AICPA (American Institute of Certified Public Accountants) sets these criteria; the audit itself is performed by an independent, licensed CPA firm, not by the AICPA. The five trust services criteria are defined as follows:

  • Security: The system is protected against unauthorized access, use, and disclosure, and against damage that could compromise the other criteria. (The Security criteria are also called the Common Criteria.)
  • Availability: The system is available for operation and use as committed or agreed, for example in service level agreements.
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in line with your privacy notice and the AICPA's privacy criteria.
  • Confidentiality: Information designated as confidential (non-personal data such as contracts, source code, or customer business data) is protected as committed or agreed.

Luckily for you, Security is the only criterion required for a SOC 2 report; the other four are optional additions. The audit grows in scope and cost with each criterion you add alongside Security. If you can go for all five, more power to you, just be prepared for a longer and more expensive audit.

If you are working with a limited budget, select the one or two additional criteria that matter most to your customers in your specific industry and business: a hosting or SaaS provider is typically asked about Availability, a payment or data-processing service about Processing Integrity, and a company handling consumer data about Privacy. Each company handles data differently, and your audit should focus on the criteria that most accurately show customers you have been assessed on what matters most to them.


Readiness and Gap Assessments

Before you go all-in on the audit, there are other assessments that help make sure you aren't wasting time and money on an audit you will fail. Start with an initial readiness assessment to determine how close you are to compliance and exactly where you are falling short. These assessments are relatively inexpensive compared with a failed audit, and they give you the data you need to close your security gaps.

A gap analysis comes next. Once you know where you are falling short, a gap analysis tells you how large each gap is and how to close it. Typical actions include employee security awareness training, patching and updating software, and writing down the policies and procedures the auditor will ask to see. Once you have closed the gaps, repeat the readiness assessment to confirm that every relevant gap has been filled before you engage the auditor.

Both readiness and gap assessments can (and should) be outsourced to organizations that specialize in them; an outside reviewer is more likely to spot the gaps an internal team has grown used to, and you get a more thorough and accurate picture. In practice, the firm that helps you remediate your gaps should not be the same firm that audits them, to avoid auditor-independence problems.

Once you’ve gone through and done everything listed above, you can start to look at a SOC 2 audit. Again, this isn’t a definitive checklist. SOC 2 compliance is coveted because it is different for every business and it tests what is most important to each. Consider this article a launchpad for SOC 2 success. You still have the whole journey ahead, but this will make sure you at least get off to a good start. Contact Trava today to learn more on how to prepare your business for SOC 2 success.