SOC 2 Type 2 is a very common security audit for service organizations. The topic is often complicated to understand and if you don't have an in-house information security expert it can be a difficult audit to successfully complete. SOC 2 Type 1 is often required before Type 2.
There has been a huge increase in demand for companies to get their SOC 2 Type 2 attestation report. How do we know? We’ve helped dozens of companies achieve compliance, and we’ve been inundated with requests for SOC 2 audit support in the past year.
This blog post covers the common questions we receive and discusses the biggest sticking points clients have run into during the auditing process.
Supply chain risk is one of the greatest threats that larger organizations have faced in recent years. The vast majority of breaches that affect larger companies are caused by their smaller vendors, contractors, and software companies. One way to demonstrate maturity in your software or service is to obtain a Service Organization Control (SOC) audit. The audit (don’t call it a certification) is performed by an AICPA-accredited firm with help from information technology experts. AICPA is the same body that certifies public accountants, which is a story for another day.
SOC 2 Type 2 is the only audit we’ve seen clients asked to provide. This leads me to SOC 2 Type 1 vs. SOC 2 Type 2. SOC 2 Type 1 has the same controls as the Type 2, but they are only validated on paper; no evidence or proof that your company is using them is obtained. If you design a strong information security management system with the required controls and demonstrate that to the auditors, you will pass a SOC 2 Type 1 audit. Type 2 goes a step further and validates that the controls are functioning and that you are USING them. A Type 2 audit usually goes something like this: show me all the controls and prove that those controls, policies, and procedures were followed for the past year. Unfortunately, you have to pass a SOC 2 Type 1 audit before you can attempt the Type 2.
How much does a SOC 2 Type 2 audit cost? The answer is: it varies wildly! Drop us a line, and we can help you ballpark the pricing an auditing firm will charge and the work required before the audit begins. Factors such as company size, current security controls (if any), Trust Service Criteria selected, and company resources dedicated to the project have a huge impact on pricing. Companies from 1 employee to over 100,000 employees have completed SOC 2 Type 2 audits successfully. Nobody is too small or too big to successfully obtain an audit.
There are five “Trust Service Criteria” that you can elect to include in your audit. These are often dictated by the clients requesting your SOC 2 Type 2 report, and it’s not uncommon to receive a request for a SOC 2 Type 2 with all five Trust Service Criteria included.
Scoping/Trust Service Criteria
If you haven’t been through a SOC 2 Type 2 audit before, you’ll need some help. It’s a very involved process that touches every aspect of your organization, from Human Resources, Development, Information Technology, Executive Management, and Finance to even Sales and Marketing. We’ve worked with clients that tried for five years to obtain an audit internally without success before seeking outside help.
One consideration that commonly comes up is timing. The first time you go through SOC 2 Type 2, keep in mind that it can take anywhere from several weeks to several months for the auditors to complete their work and provide you with a final report. SOC audits and tight deadlines don’t go well together!
When clients come to us in need of SOC 2 help, our first task is to complete a gap assessment. We’ll walk you through all the questions an auditor will ask and identify the areas that need remediation. The identified deficiencies can then be assigned to our team or yours to correct before your audit begins. This process can be eye-opening if your organization has never gone through an information security audit before, and it should never be skipped. Once the SOC 2 audit begins, there is very little time or ability to remediate major issues that the auditors identify.
The value of project management cannot be stressed enough during these audits and audit prep activities. If you don’t have a project manager, we will assign one from our team to help track the progress and make sure our team’s cadence is sufficient to meet the audit deadlines you have set. We typically capture all the Gap Assessment items and evidence in our project management tool, saving a TON of time when the actual audit begins.
Auditing processes vary by auditing firm, but they typically go something like this: several weeks or months of weekly phone calls with requests for evidence that your security program meets the requirements of the Trust Service Criteria you’ve selected for your audit, followed by a couple of days to a week onsite at the end of the process to validate physical items like access control, video surveillance, and secure areas. This process can be time-consuming and stressful if you don’t have information security staff in-house, and we often take over this role for clients, which leads to better outcomes. Having information security professionals work with information security auditors is always a win-win!
Getting a SOC 2 Type 2 is a huge amount of work! Use the information above to help guide you on your journey, or give us a call to help you successfully plan for and execute your SOC 2 Type 2 program and audit. We have resources on the East and West Coast for our clients’ convenience. If you would like help with your cybersecurity strategy or goals, give Security Ideals a call for a complimentary consultation. We can be reached at 302-433-6222 or by email at info@securityideals.com.