How can you ensure success for your company’s SOC 2 initiative? Here are 5 Steps to SOC 2 success – best practices and lessons learned from the field!
I have yet to see a client follow these five steps and not be wildly successful in their SOC 2 program buildout, maintenance, and reporting. In fact, most issues that arise with SOC 2 compliance programs can be traced back to an organization not following one or more of these five steps.
1. Get Management Buy-in
One of the biggest impediments to the successful implementation and maintenance of a SOC 2 compliance program is lack of management buy-in.
SOC 2 requires organizational change, buy-in, and support to be successful, which starts from the top. Whatever the reasons an organization may have for obtaining a SOC 2 report (e.g. third-party security assurance, client/partner requirements, sales enablement), if the context and ‘why’ for obtaining the report is not circulated among the management team, gaining traction and support to build and maintain the program will be difficult.
To address this concern, it is important that the SOC 2 buyer or person(s) owning the SOC 2 project meet with management to level-set on the following items:
- SOC 2 Overview & ‘why’ the organization is pursuing it (for example, ROI & the problem it solves)
- Scope of the SOC 2 Report
- Level of effort needed to build and maintain SOC 2 compliance
- Designing & implementing SOC 2 controls
- Who is involved/affected
- Cost and estimated timeline
- Support needed from the business functions, business units, and product teams
- Identify and communicate the Executive Sponsor
This meeting will set the stage for building and maintaining a SOC 2 program and is important for getting everyone on board and rowing in the same direction.
2. Communicate to the Team
Once management is bought into the project, it is important to communicate the SOC 2 initiative to the entire team so they understand the direction the business is taking and how they may be involved or needed to help support the initiative.
The SOC 2 process, timeline, relevant SOC 2 controls, audit requirements, and the difference between Type I and Type II reporting are all worthwhile topics to cover. If convening a meeting to communicate these details is infeasible, these items could be communicated through an email.
The bottom line is that they MUST be communicated!
At its best, SOC 2 is much more than a compliance exercise – it is an opportunity, and sometimes a mandate, for the organization to mature its processes and security posture to help support the business through its next stage of growth. If SOC 2 relevance is not communicated to team members, then a lack of awareness and understanding can hold up the SOC 2 process or result in a control failure, negatively impacting the company’s SOC 2 report.
3. Design and Own Your SOC 2 Controls
As mentioned above, at its best, SOC 2 is an opportunity to implement security governance and security best practices in an organization.
This begins with understanding how to design and implement your SOC 2 control environment. The AICPA owns and publishes the SOC 2 Criteria (aka Trust Services Criteria), and companies should design their own unique SOC 2 controls to meet the static SOC 2 criteria. Practically, a company’s audit firm, the CPA firm that is conducting the company’s SOC 2 examination and issuing the SOC 2 report, is the most well-suited to advise the company in its Design of Controls to meet the SOC 2 criteria.
These SOC 2 controls should be completely customized and right-sized to meet the company’s business & security objectives and leverage current processes where possible. To that end, it is a best practice for the various business functions and product owners to be involved in that process, which is led by the audit firm, since those functions and owners will be responsible for owning and operating the controls on a go-forward basis.
This point is often overlooked in implementing SOC 2, sometimes because the company may be in a rush to implement SOC 2 or because the company’s audit firm does not take the time to do this correctly and may instead simply tell the company that it must implement a generic set of controls (not advisable).
Be mindful of that last point. If you do not get the SOC 2 Design of Controls right from the beginning, including stakeholder buy-in, then the foundation is not properly set from which to build a successful SOC 2 program. Work with your audit firm (risk3sixty) to design your SOC 2 controls or begin with a SOC 2 Gap Assessment to see where you currently stand related to the SOC 2 criteria.
4. Assign Responsibility and Accountability
Once you 1) have management buy-in, 2) have communicated the SOC 2 initiative to the team, and 3) have included stakeholders in the SOC 2 Design of Controls process, the next step 4) is assigning responsibility and accountability for the SOC 2 controls.
Since the various controls will be practically designed, owned and operated by different persons and functions within the business (e.g. HR may be responsible for background checks and information security training), it is important that each control be assigned to an owner(s).
These control owners will not just be operating the controls, but will also likely be the ones submitting the requisite audit evidence needed for the SOC 2 examination each year (e.g. evidence of completed user access reviews).
If your company has a GRC tool, such as Phalanx GRC, that can be used to distribute the collection of audit evidence by control owner, this will enforce responsibility for operating controls and keep the audit burden from being unevenly focused on just one or two people in the organization, who would otherwise need to spend time coordinating the collection of evidence among all departments and control owners.
5. Manage the Program – Don’t Expect What You Don’t Inspect
Lastly, someone on the team needs to ‘own’ and take responsibility for the success of the company’s SOC 2 program. While they may not be operating all the controls, they can help ensure SOC 2 success by managing the program and periodically spot-checking controls to make sure that control owners are operating the controls effectively and that any security and compliance issues are being identified and addressed in a timely manner.
By following these 5 Simple Steps, your organization will be well-prepared for ongoing SOC 2 success! If you would like help with your SOC 2 efforts, reach out to the risk3sixty team. We take pride in helping our clients understand their environment, design a right-sized set of SOC 2 controls, and obtain their SOC 2 report to move business forward!