SOC 2 Type 2: How to Get One?

SOC 2 Type 2 is a very common security audit for service organizations. The topic is often hard to understand, and without an in-house information security expert it can be a difficult audit to complete successfully. Most organizations complete a SOC 2 Type 1 before attempting a Type 2, although a Type 1 is not a formal prerequisite.

Nick Gibson
August 5, 2021
SOC 2
There has been a huge increase in demand for companies to get their SOC 2 Type 2 attestation report.  How do we know? We’ve helped dozens of companies achieve compliance, and we’ve been inundated with requests for SOC 2 audit support in the past year.

This blog post covers the common questions we receive and discusses the biggest sticking points clients have run into during the auditing process.

What is SOC 2?

Supply chain risk has become one of the greatest threats that larger organizations face. A large share of the breaches that affect larger companies originate with their smaller vendors, contractors, and software suppliers. One way to demonstrate the maturity of your software or service is to obtain a Service Organization Control (SOC) audit, now formally called System and Organization Controls by the AICPA. The audit (don't call it a certification; the deliverable is an attestation report) is performed by an independent, licensed CPA firm following AICPA attestation standards, with help from information technology experts. AICPA is the same body that certifies public accountants, which is a story for another day.

3 types of SOC audits but only one matters…

SOC 1 covers controls relevant to a customer's financial reporting, and SOC 3 is a public, summary version of a SOC 2 report. SOC 2 Type 2 is the only one we've seen clients asked to provide. This leads me to SOC 2 Type 1 vs. SOC 2 Type 2. A SOC 2 Type 1 evaluates the same controls as a Type 2, but only their design at a single point in time: the auditors confirm that the controls exist and are suitably designed, and obtain no evidence that your company is actually operating them. If you design a sound information security management system with the required controls and demonstrate that to the auditors, you will pass a SOC 2 Type 1 audit. Type 2 goes a step further and validates that the controls are functioning and that you are using them. A Type 2 audit usually goes something like this: show me all the controls, and prove that those controls, policies, and procedures were followed throughout the observation period, typically anywhere from three to twelve months. A Type 1 is not a formal prerequisite for a Type 2, but most organizations complete one first, since it is the cheapest way to find out whether your controls are ready before the observation period starts.

How much does all of this cost?

The answer is: it varies wildly! Drop us a line, and we can help you ballpark pricing an auditing firm will charge and the work required before the audit begins. Factors such as company size, current security controls (if any), trust service criteria selected, and company resources dedicated to the project have a huge impact on pricing. Companies from 1 employee to over 100,000 employees have completed SOC 2 Type 2 audits successfully. Nobody is too small or too big to successfully obtain an audit.

There are five "Trust Service Criteria" that can be included in your audit. Security (the "common criteria") is always in scope; the other four are optional. Which ones you include is often dictated by the clients requesting your SOC 2 Type 2 report, and it's not uncommon to receive a request for SOC 2 Type 2 with all five Trust Service Criteria included.

Scoping/Trust Service Criteria

  • Security - How well are your systems protected against unauthorized access and disclosure? Firewalls, incident response plans, network segregation, web application firewalls, and vulnerability assessments of applications. Generally, this criterion covers the protection of sensitive information and is the mandatory baseline for every SOC 2.
  • Availability - How do you ensure system uptime and access? Heavier focus on disaster recovery, business continuity planning, and SLA monitoring.
  • Processing Integrity - How do you ensure the system processes data completely, accurately, and on time, and delivers valid, unmodified data to authorized users?
  • Confidentiality - Evaluates whether information designated as confidential (customer data, contracts, source code, and information in regulated classes) is protected from unauthorized disclosure throughout its lifecycle, including disposal. Contractual confidentiality obligations and regulations such as HIPAA often drive this criterion.
  • Privacy - Evaluates how you collect, use, retain, disclose, and dispose of personal information. Privacy policies and notices, California privacy standards, GDPR.

Preparing for the SOC 2 Audit

If you haven't been through a SOC 2 Type 2 audit before, you'll need some help. It's a very involved process that touches every aspect of your organization, from Human Resources and Development to Information Technology, Executive Management, Finance, and even Sales and Marketing. We've worked with clients that tried for five years to obtain an audit internally without success before seeking outside help.

One consideration that commonly comes up is timing. The first time you go through SOC 2 Type 2, keep in mind that the observation period must elapse before the auditors can test whether your controls operated effectively, and that it can then take anywhere from several weeks to several months for the auditors to complete their work and provide you with a final report. SOC audits and tight deadlines don't go well together!

Gap Assessment

When clients come to us in need of SOC 2 help, our first task is to complete a gap assessment. We walk you through all the questions an auditor will ask and identify the areas that need remediation. The identified deficiencies can then be assigned to our team or yours to correct before your audit begins. This process can be eye-opening if your organization has never been through an information security audit, and it should never be skipped. Once the observation period for a Type 2 has started, there is very little time or ability to remediate major issues the auditors identify; a control that was missing or broken for part of the period shows up as an exception in the report.

Project Management

The value of project management cannot be stressed enough during these audits and the preparation for them. If you don't have a project manager, we will assign one from our team to track progress and make sure our team's cadence is sufficient to meet the audit deadlines you have set. We typically capture all the gap assessment items and the evidence for each control in our project management tool, which saves a great deal of time when the actual audit begins.

Audit Support

Auditing processes vary by firm, but they typically go something like this: several weeks or months of weekly calls with requests for evidence that your security program meets the requirements of the Trust Service Criteria you've selected, followed by a couple of days to a week on site at the end of the process to validate physical items such as physical access control, video surveillance, and secure areas. This process can be time-consuming and stressful if you don't have information security staff in house, and we often take over this role for clients, which leads to better outcomes. Having information security professionals work with information security auditors is always a win-win!

Summary

Getting a SOC 2 Type 2 is a huge amount of work! Use the information above to guide you on your journey, or give us a call to help you plan for and execute your SOC 2 Type 2 program and audit. We have resources on the East and West Coast for our clients' convenience. If you would like help with your cybersecurity strategy or goals, give Security Ideals a call for a complimentary consultation. We can be reached at 302-433-6222 or by email at info@securityideals.com.