If you’re about to take on a SOC 2 engagement for the first time, you’ll quickly discover how flexible the compliance standard is. The framework is directional rather than prescriptive — in other words, it tells you what your destination is, but not how to get there. And as you’ll see, that can be a blessing and a curse.
The SOC 2 governing body is more concerned with the What than the How of security. As long as you can meet the criteria of SOC 2, you’re golden. But not having a roadmap to follow can create additional stress for many organizations:
- Is what we’ve done good enough?
- Are we covering all our bases?
- What haven’t we thought of?
- Will the Assessor be satisfied?
I’ve walked many clients through SOC 2 engagements. Along the way, I’ve picked up some best practices to set yourself up for a successful assessment that maintains your sanity and makes your Assessor happy.
Here are several considerations as you prepare for your first SOC 2 certification.
Hire the Right Assessor
To be officially compliant with SOC 2, you’ll need to engage with an Assessor. Some organizations want to find an Assessor as quickly as possible so they can make a decision and start moving forward. I don’t recommend that approach.
Assessors aren’t a commodity. Just as you wouldn’t hire an employee based on skills alone, you shouldn’t hire any ol’ Assessor to engage with your company. Your Assessor will dig into the inner workings of your organization and make evaluations that affect the way you run your company. It matters who you hire.
Some Assessors have a very black-and-white approach to SOC 2. They have a predefined blueprint for fulfilling the requirements. Follow the blueprint and you’re golden. If you take a different approach from that, it grinds their gears.
On the other end of the spectrum is the Assessor who is willing to be flexible about how to meet the requirements. There’s nothing wrong with either approach, but you need to think about what fits your organization best.
Selecting the right Assessor for your SOC 2 engagement is a big deal. Find someone who fits well with your company’s culture, values, and priorities — and look for an Assessor who understands your organization’s particular needs.
Consider Other Compliance Certifications
If you’re subject to one standard, you’re often subject to at least one other standard. If your company isn’t already going up against multiple certifications, you could be in the future. Before you go down the path of SOC 2, take stock of any other certifications you’ll need to achieve.
It’s a hell of a lot easier to structure your compliance program around all of your certifications at once. You don’t want to discover after you get certified that you need to make significant changes to accommodate an additional standard like PCI DSS.
The beauty of SOC 2 is that it’s flexible enough for you to build your compliance program around more prescriptive standards like PCI. If you’re compliant with PCI, the requirements that overlap will also fulfill controls to support your SOC 2 criteria.
Plan Your Attack
The more you plan ahead of time, the smoother your SOC 2 engagement will be. Because there’s no single roadmap for this compliance standard, you’ll need to create your own. If you want to get to New York, you don’t just start driving east.
Ask yourself some key questions:
- What are all the objectives you need to meet?
- What controls need to be in place to satisfy your Assessor?
- Which of those controls already exist, and which don’t?
- How will you satisfy each of the controls?
- How can you optimize the controls you have in order to satisfy SOC 2 criteria and other certifications?
Get that planning together so that you have a full list of all the controls that will cover your organization’s compliance landscape.
Next, plan out the testing steps you’ll take to validate that your controls are effective and in alignment with SOC 2. Your testing steps will need to validate the controls appropriately against the SOC 2 criteria.
Lean on a Consultant
As you’re going through the planning process, it’s absolutely critical that your compliance Consultant is right there in the thick of it to help you prepare for SOC 2 successfully.
Take advantage of their skills, knowledge, and capabilities. Your Consultant isn’t assessing you — they’re on your side. They aren’t restricted by the limitations that an Assessor would have. Consultants don’t need to maintain impartiality.
Once you believe you have your battle plan ready, get input from your Assessor, as well. They can tell you what they expect from you and can approve your planned approach.
Take Inventory of Your Tools
Look at your existing suite of vendors and solutions that perform a supporting role to the controls you have in place. Take a fresh look at the capabilities of each of your providers and tools and evaluate whether or not they make the grade. Also look for ways to get more value out of the tools you’re already using.
Streamline your suite of tools while you’re at it. You may have a tool that performs a single function that your other tools also provide. Now is a good time to trim the fat.
As long as you’re evaluating your tools, take a look at your service vendors and determine if there are additional improvements you can make as an organization.
Plan for Operational Mode
As you’re laying out the game plan for your controls and testing, consider how often each item needs to be done. For example, one of your controls might be a daily log review. Another one might be a quarterly user access review.
Capture that information now, while your brain is in that headspace. This exercise lays the groundwork for what TCT calls Operational Mode.
Operational Mode kicks in after you’ve achieved certification: from that point on, you need to maintain compliance over time. It’s a lot easier to do that if you already know which items need to be maintained, and how often.
Operational Mode allows you to maintain compliance in bite-size chunks throughout the annual compliance cycle. It also makes it a lot easier to identify and address any potential issues early within each compliance cycle and to prepare for your annual assessment.
SOC 2 Success!
It’s never easy to take on a compliance standard for the first time, but having a good set of best practices makes it a hell of a lot easier to do it right. That’s especially true when you’re dealing with a directional standard that has no specific roadmap to follow.
The more you can lean on experts, tools, and vendors you’re already familiar with, the smoother your experience will be. As you spin up your SOC 2 engagement, keep coming back to TCT for valuable insights.