SOC 2 is a voluntary compliance standard that companies should meet when managing customer data. Based on a set of trust services criteria, SOC 2 outlines the minimum requirements needed to protect the security of your customers' data.
Below, we cover the major steps in scoping a SOC 2 audit and selecting an auditor:
- Determine your trust services criteria
- Get internal buy-in
- Define the audit scope
- Select an external auditor
- Perform a readiness assessment
- Build a SOC report
Determine your trust services criteria
The Trust Services Criteria (TSC) were developed by the ASEC Trust Integrity Task Force and are used to evaluate and report on the information and system controls in attestation or consulting engagements. The five main criteria are:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Out of the five criteria, the only one required to meet SOC 2 compliance is security. If the other criteria are relevant to a company’s services, a company can opt to include them in its audit.
Discuss the criteria and any contractual obligations with internal stakeholders, then confirm the chosen criteria with your auditor to determine the best approach.
Get internal buy-in
When embarking on any type of audit, it’s necessary to get internal buy-in from key stakeholders. Multiple individuals in an organization will contribute throughout the SOC 2 audit, from scoping to collecting evidence, which makes it critical for everyone to be on the same page.
Streamline your SOC 2 compliance by informing internal stakeholders about what’s needed from them and at what stages they will be involved.
Define the audit scope
SOC 2 audits are tailored to a company’s specific needs. For example, an audit can be performed on the entire company level or a specific area of operations.
An audit scope also defines the period covered by the audit and the existing security controls and systems that fall within it. Use the following questions to set the stage for your audit:
- Will physical offices be included in the audit?
- Where is your clients' collected data hosted (e.g., public or private cloud)?
- How are system capacity requirements monitored?
- Do you maintain external digital storage media that stores client data?
- Where do you maintain system backups and records?
- Are there any intrusion detection or prevention systems (IDS/IPS)?
Select an external auditor
Once your company is aligned on the upcoming SOC 2 compliance audit, the next step is to select an external auditor to facilitate the process. There are four key factors to consider when deciding on the right auditor:
- Quality: Evaluate the auditor’s background, as well as any client testimonials
- Experience: Look for an auditor with experience in your industry and with similar companies
- Cost: While cost depends on the company size and scope, establish a baseline by getting quotes from a few providers
- Personality fit: Find an auditor whose working style fits your company and workflow; a good fit makes the routine audits in following years easier
Perform a readiness assessment
Auditors will start by guiding your company through a readiness assessment, which provides a top-down overview of the audit requirements and collects details about your current security processes.
The readiness assessment also reveals any control gaps and other items that should be remediated or prepared before your final SOC 2 audit report.
Note that companies, not auditors, are responsible for the policies, processes, and controls implemented throughout the audit process.
Build a SOC report
At the end of an audit, which can take as long as several months, your company will receive a detailed SOC 2 report. The report typically comprises five main parts:
- Control environment
- Risk assessment
- Information and communication
- Monitoring
- Control activities
A company’s SOC 2 compliance report may be required by potential vendors or customers. For this reason, it’s recommended to schedule a SOC 2 audit once a year so that any significant security changes are covered.
This keeps your compliance reports aligned with your current operations and helps increase trust between your company and the target market.