[author: Jim Tierney]
SOC 2 is a security compliance standard developed by the American Institute of CPAs (AICPA) to mitigate information-related risk. The standard focuses on a core set of criteria centered on managing customer data based on these 5 Trust Service Principles:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
SOC 2 is data agnostic and most commonly utilized by service providers in the United States. For any business or organization, a SOC 2 certification is a powerful way to show your customers and prospects that you’re committed to protecting their data and have the procedures in place to do so effectively. Obtaining SOC 2 certification is typically a lengthy process that will require detailed planning, large amounts of documentation, and an organization-wide commitment.
There are some common SOC 2 mistakes organizations make that can delay or derail certification. Here are some of those mistakes and steps you can take to avoid them:
Going for All 5 Trust Service Categories
Of the 5 Trust Service Principles, Security is the only one required for SOC 2 certification. The others can be applied on an as-needed basis. Your business should assess what type of data it is handling, and how the data is stored, transmitted, backed up, etc., when settling on a scope. Typically, organizations operating under a business-to-business model will find the Security, Availability, and Confidentiality categories most relevant.
Be confident in the scope you’ve chosen before the project begins; making adjustments after the project is underway will likely cause delays.
Additionally, you’ll want to be sure to put the right controls in place. Controls are the processes, policies, systems, etc. you will implement to meet SOC 2 criteria. Your SOC 2 audit will consist of a number of controls, between 80 and 100 in many cases. Businesses have the flexibility to implement security controls that make sense for their operations and objectives. Do not overburden your organization with controls that aren’t relevant to its data usage.
Skipping the Readiness Assessment
Do not go into your SOC 2 audit blind. Executing a readiness assessment beforehand will give your organization a good understanding of the controls it is failing to meet and the remediation that may be required. A readiness assessment will also identify controls that are lacking the proper documentation. To reduce the chances of surprise control gaps being found during the actual audit, a readiness assessment needs to be in your SOC 2 plan.
Not Designating a SOC 2 Project Manager
You will need to designate a SOC 2 Project Manager who can keep all the tasks associated with your certification moving forward and work closely with the external auditor. This person can be responsible for organizing teams and calendars, collecting information and documentation throughout your organization, addressing issues that arise, and more. If you don’t have the right person in-house, consider bringing in a consultant with SOC 2 experience to fill this role.
Underestimating the Resources and Time Required
Your Project Manager and security team cannot get your organization to SOC 2 compliance on their own. Having an overburdened Project Manager can result in delays and having to repeat tasks, which will increase project costs. Certification will take considerable effort organization-wide to complete. Communicate to your employees how SOC 2 will impact them and provide them with clear descriptions of their responsibilities. Focus on giving them supportable and repeatable processes that can increase efficiency. It can be helpful to explain to your staff what SOC 2 is, why it’s important, and how it will benefit the business.
Know going into your certification process that it will not be wrapped up quickly. For most organizations, completion takes between six months and one year. Rushing the process will only lead to mistakes and delays, so establish a realistic timeline and be patient.
Working with the Wrong CPA
You need a licensed CPA to conduct your SOC 2 assessment. A firm that has experience conducting assessments can make the entire process easier for your organization, so commit to finding a firm you’re comfortable with early in the process. A security consulting company will have established relationships with reputable CPA firms and be able to help connect you with one that is a good match for your needs.
Thinking Certification is One and Done
Once your organization has received its SOC 2 certification, the work is not over. In fact, it never ends. You will be audited again in a year’s time. The initial effort can make future audits more predictable, but you need to follow through with the policies and procedures put in place, continue to assess your controls and update them as necessary, and regularly test your security via penetration testing, breach readiness assessments, etc.
Protecting your data and your customers’ data requires consistency and a commitment to security that needs to be ingrained into your organization’s daily workflows.