How Long Does it Take to Prepare for SOC 2 Type II

A variety of factors impact how long it takes to prepare for a SOC 2 Type II audit. Company size, complexity, and the availability of resources can all influence the timeline. As we’ve said before: preparing for SOC 2 auditing and ongoing compliance is a heap of work. Knowing how long each phase of the process takes can help your company prepare. You may find it helpful to think of the process as a marathon rather than a sprint.

Setting up the SOC 2 Project Timeline

Companies generally take one of three approaches to SOC 2 readiness. The first of these is the slow-and-steady approach. In this approach, readiness unfolds over 18 to 24 months. This is generally best suited to start-ups that don’t have customers imposing strict deadlines and companies that want to minimize disruptions to their business later on by laying a solid foundation. The greatest benefit of this approach is that companies are able to slowly implement processes the correct way—they don’t take shortcuts that will show up later in the auditor’s assessment. However, companies that take this path can also risk losing focus and having trouble reaching the finish line.

In the second approach, a break-neck-speed tactic, companies achieve SOC 2 compliance in eight months. This timeline is best used in small, nimble companies that don’t have a lot of existing processes in place. In some ways, creating SOC 2 compliance processes from scratch can be quicker than overhauling prevailing policies. Companies that are motivated, focused, and have the resources to devote to this process may also choose this shortened timeline. Going at this pace is necessary in instances when customers are demanding immediate compliance. Not all companies can prepare this quickly. Sometimes speed leads to overlooking steps or cutting corners when it comes to compliance.

The Ideal SOC 2 Timeline

Practical Assurance recommends a Goldilocks approach that falls in the middle of these two timelines. We suggest taking a year to build toward SOC 2 compliance. The 12-month timeframe fits most operations; it gives them enough time to prepare properly without losing momentum on the project. For some, this timeline may still seem fast. There’s a lot of work to do! Even for companies whose customers are eager to see SOC 2 compliance, we find that this is a reasonable timeframe to promise.

In broad terms, the timeline allows for six months of preparation and six months of application. The timeline begins with a period of readiness evaluation, gap analysis, and implementing improvements. The pre-audit gap analysis compares your existing environment against the SOC 2 requirements and identifies where improvements need to be made to meet them. From this, you’ll create a punch list of items that need to be remedied before SOC 2 auditing. Timing to resolve these issues can vary, but the punch list must be complete before moving on to the next phase.

This is followed by a six-month span in which the company operates under the new controls. This gives sufficient time to document and collect the evidence that the auditors will later verify. This is also the period in which you’ll select your auditing company. With sufficient data in hand, the audit begins. On average, the auditing process takes two months from when the auditor begins to when you have a report in hand.

With that extended timeline in mind, there’s no time like the present to get started. If you’re ready to begin designing your timeline, get in touch with Practical Assurance today.

Maximize SOC 2 Readiness with Project Management

SOC 2 compliance is a top and timely priority for many small- and medium-sized businesses. However, achieving compliance can be a great challenge. Practical Assurance has years of experience in guiding organizations, start-ups, and small and medium-sized businesses through the process. We’ve traveled the road, so we know all the milestones, waypoints, and tools to set you up for a smooth journey.

It all starts with the right approach. SOC 2 readiness is a major, company-wide project. Approaching it with this mindset helps set your organization up for success.

Strong executive-level support is critical for two reasons. First, SOC 2 readiness may take focus and attention away from other projects, so it’s important the project is given the appropriate level of priority and resources within the company. This is particularly true when it comes to budgeting; it’s essential the company assign a budget for tools and pentesting (ethical hacking designed to test the security of your system).

Second, achieving SOC 2 may require changes throughout the organization. C-level support is important to validate and implement these modifications before the SOC 2 audit. In the best case, you’ll prepare for SOC 2 before your customers clamor for it. This will give you plenty of time to prepare for and implement compliance.

Planning for SOC 2 Success

All successful SOC 2 projects begin with establishing a clear plan with scope and schedule. Keeping the scope as small as possible will set the course to success. For example, you may choose to focus only on the security principle in the first year, and decide to implement additional principles, such as confidentiality and privacy, in subsequent years. The project plan should identify key milestones, due dates, and risks and mitigation tactics.

The next task for successful project management is assembling your team. Since SOC 2 readiness may call for changes to the company’s operations, we recommend building a team spanning multiple departments, from HR to tech. The team should then assign responsibilities based on project scope. Picking a project manager is essential. This person is responsible for keeping everything and everyone on task. Other key roles to assign include the business process lead, technical lead, InfoSec lead, and compliance manager.

Ideally, you’ll also assign someone with communication skills to report on what the team is doing. Clear internal communication about the status of the project, as well as what changes are required and why they are needed, paves the way to easier implementation throughout the company. Auditors require not only that companies implement the required changes, but also that they understand why those protocols are in place. So, clear communication and company-wide understanding of the project can only serve you in the long run.

How Practical Assurance Helps with Project Management

The biggest project management hack available is working with Practical Assurance. We are security and compliance veterans with years of experience navigating the SOC 2 process. We specialize in tangible guidance. For example, we can lay out a clear set of tasks to achieve SOC 2 in our Readiness Module.

Practical Assurance’s software has helpful templates, examples, checklists and information that can drastically speed up the process. Using these tools, we can provide cost-effective compliance for start-ups and small- to medium-sized businesses. Finally, if needed, our expert consulting can provide clarity on how the SOC 2 requirements relate to the circumstances and operations of your unique business.

Once your company has achieved SOC 2 certification, you can easily add onto your project management model to address ongoing compliance.

If you need help getting started with SOC 2 project management, get in touch with Practical Assurance today.

SOC 2 – Ask Your Questions

What are the top questions about SOC 2? What are the questions we get asked the most? What are you getting yourself into? What is SOC 2, really? Get inside your customers’ heads!

Topics in this webinar include:

  • Top misunderstood concepts about SOC 2
  • Remove the confusion around SOC 2
  • How to navigate misinformed conversations about SOC 2

Download the webinar:

The webinar was recorded in August 2020 and we’ve made it available for download by filling out the form below.

Hacking SOC 2

What are the common ways companies try to cheat SOC 2? Why doesn’t it work? What are the hacks you can deploy? What’s the difference? Get inside your auditor’s head!

Topics in this webinar include:

  • Lesser-known SOC 2 hacks and workarounds
  • Common shortcut pitfalls
  • What makes an auditor nervous and what gives them confidence
  • Get inside your auditor’s head!

Download the webinar:

The webinar was recorded in July 2020 and we’ve made it available for download by filling out the form below.

How to Stay SOC 2 Compliant

For many small- and medium-sized businesses, getting to SOC 2 compliance is the biggest challenge on their radar. But it’s important to keep the long view and consider how you’ll stay compliant even after you’ve gone through your first audit.

Practical Assurance has years of experience getting organizations to SOC 2 compliance and helping them maintain their programs. Read on to find out what to expect for an ongoing SOC 2 compliance program.

The Yearly SOC 2 Compliance Cadence

Once you’ve gotten through the process of defining and implementing your SOC 2 compliance program, you’ll find that your program can fall into a particular rhythm, hitting milestones on your checklist throughout the year. Defining this cadence is an important way to ensure that your organization stays compliant and addresses risks year-round.

The timing of these processes can be mapped to semi-annual, quarterly, monthly, and even weekly due dates. For instance, larger questions of systems and overarching process reviews should happen every six months to ensure your team is on track. Systems that are more integral to your business processes, like anti-malware, software, and risk assessment systems, should be reviewed on a quarterly basis.

Systems that need more regular upkeep or review will need more granular tasks assigned to their maintenance. Every month, your team should hold meetings, address vulnerabilities and patching, and review industry best practices and emerging threat trends. On a weekly basis, you should run vulnerability scans and ensure security policies are being enforced. These tasks and processes should be integrated into stakeholders’ regular work so that they aren’t perceived as an added burden or missed by accident.

How to Track Your Processes

Keeping track of these processes can appear overwhelming, especially if it’s your first year after an audit. In order to maintain compliance, these processes need to be addressed in a timely way that reflects your organization’s risk, but they also need to be documented. It can be tempting to assign tasks and hope they’ll get done, but the truth is that a commitment to compliance takes a lot more time and effort.

It’s important to define your strategy and determine how you’ll complete it in an organized manner. Beyond having a calendar of due dates, you need to be able to track which individuals in your organization are responsible for each task. You also need documentation to prove whether or not tasks have been completed. Furthermore, you need instructions for completing tasks readily available, and contingent next steps if an issue is identified.

Finding A Solution That’s Better than Binders

While the original method of tracking compliance was shelves full of binders to track and maintain processes, there is a better solution. Practical Assurance has created an automated compliance tracking software system that can help you maintain compliance with automatic reminders and project management capabilities. You can assign tasks to stakeholders, set reminders, and document completion of tasks right inside the app.

We provide this application to organizations that have some compliance experience under their belts and want to improve their tracking and maintenance systems. We also provide advisory services to organizations that are just starting their compliance programs, which includes the app as well as regular consulting on how best to implement it.

For a more in-depth look at the annual SOC 2 compliance cadence, check out our recent webinar, How to Stay SOC 2 Compliant.

What is a Due Diligence Questionnaire and What Should You Do About It?

Your company just received a due diligence questionnaire (DDQ) or due diligence checklist from a potential client. You may think it’s a threat or a challenge, but it’s actually a good sign: Sending a DDQ is usually the last step a company takes before choosing to buy a service or product from a company they’ve been considering. A potential client will use the DDQ to validate that your organization is compliant with required guidelines, especially in terms of security.

There are many different types of due diligence questionnaires, and they can vary depending on what sort of service you provide. But if you are a software developer or service provider responding to an RFP, you can expect to get a DDQ from potential clients that are serious about buying from you.

What should you do if you receive a due diligence questionnaire? First of all, don’t panic. Next up, follow our advice below.

Get Strategic by Knowing What’s On a DDQ

You can prepare for responding to DDQs even if you haven’t received one yet. The best way to put a strategy in place for responding to a due diligence list is by knowing what questions they usually include.

Virtually all DDQs require that your company can show that you follow certain key processes, such as maintaining an information security policy and conducting external penetration tests every year. Other requirements include being able to show that you have implemented strong technical controls in line with industry best practices, such as:

  • Multi-factor authentication
  • Firewalls
  • Intrusion detection
  • VPNs

You’ll also need to prove that key processes such as change management, new-hire onboarding, and terminations are all documented and operate as written in your policy manuals. Finally, you’ll have to prove that you have a firm understanding of the customer data that you process and store, and understand the risks involved.

Be Ready to Show Your Work

The best way to ensure you have strong responses to DDQ questions is to show that you have a plan in place for security. Start by developing a collection of key artifacts that most DDQs look for. Some examples include:

  • Information security policy
  • Disaster recovery plan
  • Recent penetration test reports
  • Network diagram

These documents and reports will allow you to show with confidence that you meet the requirements of the due diligence checklist.

Another form of proof you should look into is an external audit. In the early stages of a company, it’s not always necessary to have an audit completed, but you need to make sure you know what your plan is and can demonstrate your roadmap. It’s perfectly OK if you’re planning an audit in 12-18 months, maybe even longer, as long as you can show that you have something in the works.

Practical Assurance can help you build your roadmap and key artifacts to set you on the right footing to land bigger customers before you’re fully ready for an audit.

Approach the Questionnaire Like a Final Interview

As noted above, a DDQ is usually the last step that a company uses to verify that a vendor is doing the right thing in terms of security and compliance. If they go to the trouble of sending you a DDQ, it means they’re heavily considering your product, but want to do one final sweep for reassurance that they know exactly what risks they may be facing by using your solution, and how you will mitigate those risks for their company.

The questionnaire acts like a window into the maturity of your company. If you have weak answers to the questions it poses, your prospects will assume you’re not ready to do business with them. As with a final job interview, you need to be prepared and project confidence. How you respond can truly make or break your ability to land a deal with a new client.

If you need help preparing responses to a DDQ, or want to be prepared for larger clients who will certainly send them your way, get in touch with Practical Assurance today.

SOC 2 Communications

Why is there a whole criterion on communication? What are the three sub-criteria? What is considered “Relevant Information”? What are the key tactical things I must do, that many miss, to be compliant?

Topics in this webinar include:

  • Understand a foundational aspect of SOC 2
  • Conceptual understanding of the communication requirements
  • Key tasks that can’t be missed
  • Get inside your auditor’s head!

Download the webinar:

The webinar was recorded in June 2020 and we’ve made it available for download by filling out the form below.

Building a SOC 2 Cadence

What does SOC 2 look like on an ongoing basis? What’s the cadence? How do I set it up for success and get back to my “job”? What does my auditor expect to see after the fact?

Topics in this webinar include:

  • The key monthly, quarterly, semi-annual and annual activities
  • What a typical SOC 2 calendar looks like
  • Good evidence strategies
  • Get inside your auditor’s head!

Download the webinar:

The webinar was recorded in May 2020 and we’ve made it available for download by filling out the form below.

What You Get from Our Supercharged SOC 2 Checklist

You’ve decided that you want to start your SOC 2 compliance journey. Congratulations! But where do you begin?

Becoming SOC 2 compliant can be a complex process, and there is a lot of information missing about exactly what you have to do to be SOC 2 compliant. Based on our extensive experience, Practical Assurance provides a clear, step-by-step checklist on precisely what it takes for each of our clients to achieve and maintain SOC 2 compliance.

Read on to find out what your custom supercharged SOC 2 compliance checklist from Practical Assurance includes.

The Complexity of SOC 2 Compliance Decoded

It’s no secret that SOC 2 compliance requirements contain a lot of nuance. This means that they’re open to interpretation, which can be a headache when you’re trying to answer them. How do you know how to respond? And what if that’s not good enough for your auditor?

At Practical Assurance, we offer monthly webinars to help decode the complexity of SOC 2 compliance. With years of experience, we’ve developed a philosophy that can help organizations at any stage of maturity answer the requirements properly. Plus, we offer customized help to answer your specific questions on how to remain compliant.

Compliance Recommendations Tailored to Startups and SMBs

Over the years, we’ve learned that the companies with the fewest resources are the ones who have the most room for growth with SOC 2 compliance. We have fine-tuned our recommendations for startups and small- and medium-sized businesses, so that you won’t miss something because of a one-size-fits-all approach.

At the same time, we give specific recommendations on what tools we’ve found to be the most useful in ensuring compliance. For instance, most of our customers are on either Amazon Web Services (AWS) or Microsoft Azure for cloud services. We focus our platform recommendations on those two, although our advice is agnostic enough to be applied to any platform.

An In-Depth Consideration of Risk

SOC 2 compliance centers around risks, and those change from organization to organization. Our checklist takes this differing risk into account. We know that the risks faced by small technology startups are often much different from those in large public companies. Our checklists help you focus on the risks that really matter to you.

As an example, infrastructure tends to be much less complex in a small company than in an enterprise organization. Your HR onboarding and offboarding processes are probably more straightforward, and you have fewer people involved in your processes overall. This means your company can communicate more easily and adapt to changes more quickly. All of this changes how you approach compliance.

Additional Resources to Guide You to Compliance

On top of the supercharged checklist, Practical Assurance has developed templates and examples for each of our recommendations. This way, you can get up and running even faster because you don’t have to reinvent the wheel.

Practical Assurance also partners with a number of different auditor organizations that we have worked with in the past and that we trust and can recommend to you. Since we’ve worked with all of them before, we can also anticipate any sticking points they may have and help you address them before the audit gets underway.

At Practical Assurance, we know we offer the lowest-cost way to get started with SOC 2 compliance. For as little as $249/month, you can get started with our checklist and process and begin working towards compliance, whether you have an audit scheduled or not. Get in touch today to get started.

What is CCPA and What Does It Mean for Your Business?

The California Consumer Privacy Act of 2018 (CCPA) requires U.S. companies that do business with California to implement privacy initiatives to protect the data privacy of California residents. So what is the CCPA and what does it mean for your business? Let’s take a look.

What is the CCPA?

As stated above, the CCPA is a privacy law that went into effect January 1, 2020, meant to protect consumers in California. Its basic premise is to ensure that businesses that have access to the data of California’s citizens implement basic protections for individual privacy. It’s the strictest data privacy law in the U.S., but it looks a lot like the General Data Protection Regulation (GDPR) law that went into effect in the European Union in 2018. Unlike the GDPR, though, the CCPA is an opt-out system as opposed to an opt-in system. Also, the CCPA covers households and devices as well as consumers, whereas the GDPR only covers “natural persons”.

The CCPA gives California consumers a slew of new rights to privacy, including:

  • Transparency about data collection
  • Right to be forgotten
  • Right to opt out of having their data sold
  • Opt-in right for minors before their data can be sold

In order to ensure these rights are met, businesses must provide consumers with disclosures regarding how personal information is collected and why. Companies must also comply if a consumer asks them to disclose the categories and exactly what types of personal information the business collects about them. Consumers can also ask that their data not be sold, and a business can’t discriminate against a consumer for demanding this. And finally, consumers can demand that their personal information be deleted.

Which businesses need to implement CCPA guidelines?

Any business that collects and sells consumer personal information, or discloses personal data for a business purpose, with consumers in California must comply with the CCPA. The law applies to any for-profit legal entity that sells goods or services to California residents, even if the business isn’t physically located in the state. This includes businesses that operate outside of the United States.

However, there are some caveats, and the bar for compliance is actually set pretty high. To be subject to the CCPA, a business must also meet one of the following three criteria:

  • Have $25 million or more in annual revenue
  • Possess the personal data of more than 50,000 consumers (including households and devices)
  • Earn more than half its annual revenue selling consumers’ personal data

This means that the CCPA applies mostly to bigger companies or those that deal in quite a bit of data. Still, even if your organization doesn’t meet at least one of the above criteria, it’s probably a good idea to start looking at implementing CCPA compliance anyway, for a number of reasons.

What’s the benefit of being CCPA compliant?

First of all, if you meet the criteria as listed above, being CCPA compliant keeps you from breaking the law. That’s hugely important. But even if you don’t meet the criteria, it’s a good idea to implement the guidelines anyway, because customers are more and more concerned about data privacy. The CCPA guidelines are straightforward and implementing them gives your customers a reason to trust you. Simply put, it’s the right thing to do.

If you approach CCPA compliance as part of a holistic privacy compliance strategy, you’ll be in a better position to meet regulatory requirements that are certainly going to arise in the future. Creating an overarching privacy policy that encompasses the overlapping requirements of data regulations like CCPA, GDPR, and HIPAA will set you up for future compliance.

Privacy laws are only increasing over time, and customers will definitely ask you what your policies are. It’s better to show leadership by implementing these policies before you technically have to, so that it’s easier to be compliant when you do get to the point where you have to be. Plus, it’s quite likely that future laws will look pretty similar, so getting the hard work out of the way now will make compliance much easier down the line.

Practical Assurance has vast experience with privacy law compliance, and can help your company start or manage a compliance program you can be proud to tell your customers about. Get in touch to discuss your options.