So, you’ve decided to get a SOC 2 Report (SOC 2 Attestation). However, you aren’t sure where to begin. This article details what you need to know before you start, who needs to be involved at your company, and how to choose a vendor to perform your attestation.
What is SOC 2?
Let’s cover some SOC 2 basics first. SOC stands for System and Organization Controls, and the framework is governed by the AICPA. SOC 2 is organized around five Trust Services Criteria (TSC), formerly called trust services principles: security, availability, confidentiality, processing integrity, and privacy. Each category has its own criteria that must be met. To meet these criteria, you design controls, which are the activities you commit to performing. Because you define your own controls, they can be tailored to your business model, needs, and processes, and an audit firm that understands SOC 2 can help you design them so that they actually satisfy the criteria. Security (the common criteria) is the only category that must be included in every SOC 2 report; you add the other categories based on what matters to your clients. Generally, you’ll go through a gap assessment first, either internally, with the audit partner you choose, or with a separate readiness vendor. Based on the results, you’ll go through a remediation phase to fix any processes that don’t yet meet the criteria. Typically, a SOC 2 Type 1 report is issued first, attesting that your controls are suitably designed and in place as of a point in time. That gives you something to put in front of clients and shows you what evidence you’ll need to produce going forward. Then, after your controls have operated for a review period (commonly six to twelve months), a SOC 2 Type 2 report is issued, attesting to the operating effectiveness of your controls over that period. Now that you understand the basics, you’re ready to begin the process.
1. Get Organized for SOC 2
Before searching for a vendor, you should know why you want a SOC 2 report, what your total budget is, and when you need the report completed. Your driving reason for obtaining a SOC 2 report determines what your SOC 2 effort should cover and which information matters most. Because SOC 2 has a flexible control set, customizable report language, and optional TSC categories, your reason for pursuing it is useful information for your vendor. Your timeline and budget must cover both the attestation itself and the remediation of gaps in your program. Early on, you’ll need to understand where your gaps are likely to be and how much time and money it will take to close them, because those remediations must be complete before a SOC 2 Type 1 report can be issued. Your target date will shape the whole effort and is something your vendor needs to know up front. Ask yourself honestly whether you and the other departments involved can put time into remediation and into working with your vendor. Once you have your reason, a timeline, and the capacity in both budget and staff time, you’re ready to begin prepping your team.
2. Identify and Gather Your SOC 2 Team
A SOC 2 report is a tool for showing customers and partners that their information is safe with you. That does not mean SOC 2 focuses only on the technical controls you have in place. You might assume you only need people from the Information Technology, Engineering, and Security departments, but you will also need members of HR, Legal, Procurement, Finance, Product, Marketing, and the Executive team to be involved, because the criteria cover areas such as hiring and termination, vendor management, risk assessment, and management oversight. Some of these functions may be combined at your company, so don’t worry if you don’t have a dedicated team for each. Each team member will need time to meet with the audit team, remediate gaps found in their area, and provide evidence, so make sure they know this ahead of time and can plan for the SOC 2 effort. Ideally, the person chosen from each department has access to whatever you may need and knows the department’s processes and policies well. Now that your team is prepped, you can begin searching for a vendor.
3. Pick Your SOC 2 Partner
When searching for a vendor to perform your SOC 2 attestation, keep in mind that you’ll be showing them a great deal of information from across your organization so that they can attest that you are following through on your controls. Because SOC 2 is an AICPA attestation, the report itself must be issued by a licensed, independent CPA firm; a readiness or gap-assessment vendor that is not a CPA firm cannot sign the report. You’ll also want a firm with expertise in your industry, so that they understand what acceptable evidence looks like and can accurately assess your environment. Ask what they have in place to protect your information and what their process will look like. You should know what tools, such as an evidence collection platform, you will need to use when working with them; whether they will hold virtual meetings or come on-site; how long they expect the engagement to take; and what support they offer during it. You may also want to find out whether the vendor can support other attestations or certifications as your business scales, since a single vendor can combine those efforts and streamline evidence collection for your teams.
Now that you understand why you want to pursue SOC 2, have assembled your team, and have selected a vendor, you can begin with confidence. Your preparation is complete, and you can meet with your vendor armed with the information they will need to help you succeed.