How to Stay SOC 2 Compliant

For many small- and medium-businesses, getting to SOC compliance is the biggest challenge on their radar. But it’s important to keep the longview and consider how you’ll stay compliant even after you’ve gone through your first audit. 

Practical Assurance has years of experience getting organizations to SOC 2 compliance and helping them maintain their programs. Read on to find out what to expect for an ongoing SOC 2 compliance program.

The Yearly SOC 2 Compliance Cadence

Once you’ve gotten through the process of defining and implementing your SOC 2 compliance program, you’ll find that your program can fall into a particular rhythm, hitting milestones on your checklist throughout the year. Defining this cadence is an important way to ensure that your organization stays compliant and addresses risks year-round.

The timing of addressing these processes can be mapped to semi-annual, quarterly, monthly, and even weekly due dates. For instance, larger questions of systems and overarching process reviews should happen every six months to ensure your team is on track. Systems that are more integral to your business processes, like malware, software, and risk assessment systems, should be reviewed on a quarterly basis. 

Systems that need more regular upkeep or review will need more granular tasks assigned to their maintenance. Every month, your team should hold meetings, address vulnerabilities and patching, and review industry best practices and emerging threat trends. On a weekly basis, you should run vulnerability scans and ensure security policies are being enforced. These tasks and processes should be integrated into stakeholders’ regular work so that they aren’t felt as an added burden or missed by accident. 

How to Track Your Processes

Keeping track of these processes can appear overwhelming, especially if it’s your first year after an audit. In order to maintain compliance, these processes need to be addressed in a timely way that addresses your organization’s risk, but they also need to be documented. It can be tempting to assign tasks and hope they’ll get done, but the truth is that a commitment to compliance takes a lot more time and effort. 

It’s important to define your strategy and determine how you’ll complete it in an organized manner. Beyond having a calendar of due dates, you need to be able to track which individuals in your organization are responsible for each task. You also need documentation to prove whether or not tasks have been completed. Furthermore, you need instructions on completing tasks readily available and contingent next steps if an issue is identified.  

Finding A Solution That’s Better than Binders

While the original method of tracking compliance was shelves full of binders to track and maintain processes, there is a better solution. Practical Assurance has created an automated compliance tracking software system that can help you maintain compliance with automatic reminders and project management capabilities. You can assign tasks to stakeholders, set reminders, and document completion of tasks right inside the app.

We provide this application to organizations that have some compliance experience under their belts and want to improve their tracking and maintenance systems. We also provide advisory services to organizations that are just starting their compliance programs, which includes the app as well as regular consulting on how best to implement it.

For a more in-depth look at the annual SOC 2 compliance cadence, check out our recent webinar, How to Stay SOC 2 Compliant

What is a Due Diligence Questionnaire and What Should You Do About It?

Your company just received a due diligence questionnaire (DDQ) or due diligence checklist from a potential client. You may think it’s a threat or a challenge, but it’s actually a good sign: Sending a DDQ is usually the last step a company takes before choosing to buy a service or product from a company they’ve been considering. A potential client will use the DDQ to validate that your organization is compliant with required guidelines, especially in terms of security.

There are many different types of due diligence questionnaires, and they can vary depending on what sort of service you provide. But if you are a software developer or service provider responding to an RFP, you can expect to get a DDQ from potential clients that are serious about buying from you. 

What should you do if you receive a due diligence questionnaire? First of all, don’t panic. Next up, follow our advice below.

Get Strategic by Knowing What’s On a DDQ

You can prepare for responding to DDQs even if you haven’t received one yet. The best way to put a strategy in place for responding to a due diligence list is by knowing what questions they usually include.

Virtually all DDQs require that your company can show that you follow certain key processes, such as having an information security policy and that you conduct external penetration tests every year. Other requirements include being able to show that you have implemented strong technical controls in line with industry best practices, such as:

  • Multi-factor authentication
  • Firewalls
  • Intrusion detection
  • VPNs

You’ll also need to prove that key processes such as change management, new hires, terminations, are all documented and operate as written in your policy manuals. Finally, you’ll have to prove that you have a firm understanding of the customer data that you process and store, and understand the risks involved. 

Be Ready to Show Your Work

The best way to ensure you have strong responses to DDQ questions is to show that you have a plan in place for security. Start by developing a collection of key artifacts that most DDQs look for. Some examples include:

  • Information security policy
  • Disaster recovery plan
  • Recent penetration test reports
  • Network diagram

These documents and reports will allow you to show with confidence that you meet the requirements of the due diligence checklist. 

Another form of proof you should look into is an external audit. In the early stages of a company, it’s not always necessary to have an audit completed, but you need to make sure you know what your plan is and demonstrate your roadmap. It’s perfectly ok if you’re planning an audit in 12-18 months, maybe even longer, as long as you can show that you have something in the works.

Practical Assurance can help you build your roadmap and key artifacts to set you on the right footing to land bigger customers before you’re fully read for an audit.

Approach the Questionnaire Like a Final Interview

As noted above, a DDQ is usually the last step that a company uses to verify that a vendor is doing the right thing in terms of security and compliance. If they go to the trouble of sending you a DDQ, it means they’re heavily considering your product, but want to do one final sweep for reassurance that they know exactly what risks they may be facing by using your solution, and how you will mitigate those risks for their company.

The questionnaire acts like a window into the maturity of your company. If you have weak answers to the questions it poses, your prospects will assume you’re not ready to do business with them. As with a final job interview, you need to be prepared and project confidence. How you respond can truly make or break your ability to land a deal with a new client.

If you need help preparing responses to a DDQ, or want to be prepared for larger clients who will certainly send them your way, get in touch with Practical Assurance today. 

SOC 2 Communications

Why is there a whole criteria on communication? What are the three sub-criteria? What is considered “Relevant Information”? What are the key tactical things I must do, that many miss, to be compliant?

Topics in this webinar include:

  • Understand a foundational aspect of SOC 2
  • Conceptual understanding of the communication requirements
  • Key tasks that can’t be missed
  • Get inside your auditor head!

Download the webinar:

The webinar was recorded in June 2020 and we’ve made it available for download by filling out the form below.

Send me the webinar recording and slides:

Building a SOC 2 Cadence

What does SOC 2 look like on an ongoing basis? What’s the cadence? How do I set it up for success and get back to my “job”? What does my auditor expect to see after the fact?

Topics in this webinar include:

  • The key monthly, quarterly, semi-annual and annual activities
  • What a typical SOC 2 calendar looks like
  • Good evidence strategies
  • Get inside your auditor head!

Download the webinar:

The webinar was recorded in May 2020 and we’ve made it available for download by filling out the form below.

Send me the webinar recording and slides:

What You Get from Our Supercharged SOC 2 Checklist

You’ve decided that you want to start your SOC 2 compliance journey. Congratulations! But where do you begin? 

Becoming SOC 2 compliant can be a complex process, and there is a lot of information missing about what you have to do exactly to be SOC 2 compliant. Based on our extensive experience, Practical Assurance provides a clear, step-by-step checklist on precisely what it takes for each of our clients to achieve and maintain SOC 2 compliance. 

Read on to find out what your custom supercharged SOC 2 compliance checklist from Practical Assurance includes.

The Complexity of SOC 2 Compliance Decoded

It’s no secret that SOC 2 compliance requirements contain a lot of nuance. This means that they’re open to interpretation, which can be a headache when you’re trying to answer them. How do you know how to respond? And what if that’s not good enough for your auditor?

At Practical Assurance, we offer monthly webinars to help decode the complexity of SOC 2 compliance. With years of experience, we’ve developed a philosophy that can help organizations at any stage of maturity answer the requirements properly. Plus, we offer customized help to answer your specific questions on how to remain compliant.

Compliance Recommendation Tailored to Startups and SMBS

Over the years, we’ve learned that the companies with the fewest resources are the ones who have the most room for growth with SOC 2 compliance. We have fine-tuned our recommendations for startups and small- and medium-businesses, so that you won’t miss something because of a one-size-fits-all approach. 

At the same time, we give specific recommendations on what tools we’ve found to be the most useful in ensuring compliance. For instance, most of our customers are either on Amazon Web Services (AWS) or Microsoft Azure for cloud services. We focus our platform recommendations on those two, although our advice is agnostic enough to be applied to any platform. 

An In-Depth Consideration of Risk

SOC 2 compliance centers around risks, and those change from organization to organization. Our checklist takes this differing risk into account. We know that the risks faced by small technology startups are often much different from those in large public companies. Our checklists help you focus on the risks that really matter to you.

As an example, infrastructure tends to be much less complex in a small company than an enterprise organization. Your HR onboarding and offboarding processes are probably more straightforward, and you have fewer people involved in your processes overall. This means your company can communicate more easily and adapt to changes more quickly. All of this changes how you approach compliance. 

Additional Resources to Guide You to Compliance

On top of the supercharged checklist, Practical Assurance has developed templates and examples for each of our recommendations. This way, you can get up and running even faster because you don’t have to reinvent the wheel.

Practical Assurance also partners with a number of different auditor organizations that we have worked with in the past and that we trust we can recommend to you. Since we’ve worked with all of them in the past, we can also anticipate any sticking points they may have and help you address them before the audit gets underway. 
At Practical Assurance, we know we offer the lowest cost way to get started with SOC 2 compliance. For as little as $249/month, you can get started with our checklist and process and begin working towards compliance, whether you have an audit scheduled or not. Get in touch today to get started.

What is CCPA and What Does It Mean for Your Business?

The California Consumer Privacy Act of 2018 (CCPA) requires U.S. companies who do business with California to implement privacy initiatives to protect the data privacy of California residents. So what is the CCPA and what does it mean for your business? Let’s take a look.

What is the CCPA?

As stated above, the CCPA is a privacy law that went into effect January 1, 2020, meant to protect consumers in California. Its basic premise is to ensure that businesses who have access to the data of California’s citizens implement basic protections to individual privacy. It’s the strictest data privacy law in the U.S., but it looks a lot like the General Data Protection Regulation (GDPR) law that went into effect in the European Union in 2018. Unlike the GDPR, though, the CCPA is an opt-out system as opposed to an opt-in system. Also, the CCPA covers households and devices as well as consumers, whereas the GDPR only covers “natural persons”.  

The CCPA gives California consumers a slew of new rights to privacy, including:

  • Transparency about data collection
  • Right to be forgotten
  • Right to op out of having their data sold
  • Opt-in right to have data sold for minors 

In order to ensure these rights are met, businesses must provide consumers with disclosures regarding how personal information is collected and why. Companies must also comply if a consumer asks them to disclose the categories and exactly what types of personal information the business collects about them. Consumers can also ask that their data not be sold, and that a business can’t discriminate against a consumer for demanding this. And finally, consumers can demand that their personal information be deleted. 

Which businesses need to implement CCPA guidelines?

Any business that collects and sells consumer personal information or discloses personal data for a business purpose with consumers in California must comply with the CCPA. The law applies to any for-profit legal entity that sells goods or services to California residents, even if the business isn’t physically located in the state. This includes businesses that operate outside of the United States. 

However, there are some caveats, and the bar for compliance is actually set pretty high. To be subject to the CCPA, a business must also meet one of the three following criteria:

  • Have $25 million or more in annual revenue
  • Possess the personal data of more than 50,000 consumers (including households and devices)
  • Earn more than half its annual revenue selling consumers’ personal data

This means that the CCPA applies mostly to bigger companies or those that deal in quite a bit of data. Still, even if your organization doesn’t meet at least one of the above criteria, it’s probably a good idea to start looking at implementing CCPA compliance anyway, for a number of reasons.

What’s the benefit of being CCPA compliant?

First of all, if you meet the criteria as listed above, being CCPA compliant keeps you from breaking the law. That’s hugely important. But even if you don’t meet the criteria, it’s a good idea to implement the guidelines anyway, because customers are more and more concerned about data privacy. The CCPA guidelines are straightforward and implementing them gives your customers a reason to trust you. Simply put, it’s the right thing to do.

If you approach CCPA compliance as part of a holistic strategy to privacy protections compliance, you’ll be in a better position to meet regulatory requirements that are certainly going to arise in the future. Creating an overarching privacy policy that encompasses the overlapping requirements of data policies like CCPA, GDPR, and HIPAA will set you up for future compliance. 

Privacy laws are only increasing over time, and customers will definitely ask you what your policies are. It’s better to show leadership by implementing these policies before you technically have to, so that it’s easier to be compliant when you do get to the point where you have to be. Plus, it’s quite likely that future laws will look pretty similar, so getting the hard work out of the way now will make compliance much easier down the line.

Practical Assurance has vast experience with privacy law compliance, and can help your company start or manage a compliance program you can be proud to tell your customers about. Get in touch to discuss your options. 

How to Set Up a SOC 2 Compliance Program While Your Team is Working Remotely

Most startups and many small or medium businesses have turned to remote work while the quarantine for COVID-19 is in place. As we’ve said before, if you’re experiencing a lull in business, it’s an ideal time to define your SOC 2 compliance program. But how can you launch an SOC 2 compliance program while your team is working remotely?

As experts in helping companies prepare for SOC 2 compliance, Practical Assurance has devised some best practices to help guide you through SOC 2 preparation, even when your team is remote. 

Start with Basic Questions about SOC 2

Getting started with your SOC 2 compliance program while working remotely is the same as if your team is in-house. There are some basic questions you need to ask yourself that will help you determine how you’ll go about your SOC 2 compliance program. 

These questions include:

  • Why are we doing SOC 2?
  • What are the basic SOC 2 requirements?
  • Which services, products, business units, etc., are in scope for an audit?
  • What are our trust principles? 
  • Do we want to try Type I or Type II?
  • When do you want to aim for implementation? 

As an IT leader or founder, these questions should take you no longer than a day to answer. There’s really no excuse not to get started, regardless of where your workforce is.

Gather Documentation for an Initial Gap Test

Over the next week, take some time to get the momentum on your program going. This may be more difficult while working remote, but if your documentation is saved in the cloud, it won’t be as difficult as you may think.

You can start by gathering any existing documentation you have, such as policies and procedures from your HR and technical teams. You should also look out for maps of your system, network, data flow, and architecture diagrams that may explain your IT infrastructure. 

Take inventory of your data, servers, workstations, and software as well. If your IT department doesn’t have this information, you may need to survey your employees regarding what items they work on while they’re working from home. Make sure that you understand whether or not your employees are working on their personal computers from home, as that can have an impact on your compliance.

If you’ve engaged in penetration testing in the past, those reports will help inform your future security strategy. Previous due diligence questionnaires are also key to identifying how you will move forward. In the same vein, take some time to meet with your various teams and get clarity on what sensitive data you store on behalf of customers. This information may come from your sales and marketing teams, as well as any web forms and IT security. 


After getting all this information together, you can do your first SOC 2 gap assessment. Take a look at where your organization currently stands based on these documents and data, and compare it to where you want to be. 

Identify Your Team and Treat Compliance Like a Regular Project

The key to success in any SOC 2 program is structure. This includes identifying which team members will be responsible for which aspects of the program. Right now, your team members may not have as much work as they normally do, and you may be able to find more volunteers than you normally would. Make sure that you are clear on deadlines, responsibilities, and communication to ensure success, even while your teams are working from home. 

The top roles that you need to identify are:

  • Business Process Lead 
  • Technical Lead
  • InfoSec Lead
  • Compliance Manager

For the best possible outcome, your team leaders should include executives if possible. For instance, the business process lead can be your HR manager or chief operations officer, and your technical lead can be your VP of engineering. Their buy-in will make or break your compliance program, and having them lead teams is a great way to keep them in the loop.

After your team is in place, you’ll need to ensure that you structure your project like you would any other project. Include it in your regular project management programming so that team members understand what they’re assigned to do and when it’s due. This is particularly important when your team is working remotely, as they won’t be able to pop into each other’s offices when they have questions. If you treat compliance as though it’s as important as a customer project or software roll out, you’ll have a much better chance of success.

Run Your Business in a Compliant State and Measure Success

Once you’ve set your SOC 2 compliance program up, you’re ready to run your business in a compliant state. It should be relatively natural if you’ve set everything up properly.


There are a few easy metrics you can use to measure your success, such as asking yourself:

  • Why do we need to be compliant?
  • Is our leadership bought-in?
  • Are the right stakeholders involved?
  • Have we committed a budget?
  • Is there a plan and a roadmap?
  • Are we expecting the right amount of work from team members?
  • Is our timeline expectation reasonable?

If the answers to these questions exist, you’re doing a good job.

You don’t have to start a compliance project on your own. Practical Assurance was founded to help startups and small businesses institute compliance programs with tools and tips from experts. To get more details on how to set up a compliance program while your team is working remotely, Download a recording of our webinar

Doing SOC 2 Remote

Why is now the best time to start working on SOC 2? What does SOC 2 preparation look like remotely? What are the advantages and what do I need to know to be successful? What will an auditor have to say?

Topics in this webinar include:

  • How to get started
  • How to gain momentum
  • How to build your team
  • How to structure the project
  • How to accelerate the implementation

Download the webinar:

The webinar was recorded in April 2020 and we’ve made it available for download by filling out the form below.

Send me the webinar recording and slides:

Now is the Time to Start (or Perfect) Your SOC 2 Compliance Program

With most of the workforce either furloughed or working from home until the quarantine for COVID-19 can be lifted, many small and medium businesses are taking the opportunity to work on internal infrastructure projects. Security and compliance are two areas where organizations are turning their focus right now as part of their strategies to focus on these internal programs.

Now is the perfect time for small and medium businesses or startups to begin or perfect their SOC 2 compliance programs. We’ve outlined a few of the reasons why below. 

SOC 2 Compliance Is Only Going to Get More Important

Startups and other firms are taking a long-term perspective and realizing that, no matter where the economy is in six months, security and compliance issues aren’t going anywhere. In fact, given their previous growth trajectories, they may be bigger and greater projects than they were before. Customers who were asking you about SOC 2 compliance before the quarantine are still going to be asking about it after.

As one example, a growing question during the COVID-19 outbreak is how organizations are managing personal data, especially when it comes to healthcare. Several organizations are trying to develop a way to track outbreaks and exposure to the virus through cell phone movement, for instance, but are having to prove that they can do so anonymously without endangering personal health information. This is particularly important in Europe, where the General Data Protection Regulation stipulates strict terms on the usage of personal data. 

By starting or perfecting your SOC 2 compliance plan now, you can help avoid security risks that could make you unattractive to customers once they’re ready to buy your service or product. 

A Business Slowdown is the Perfect Time to Work on SOC 2 Compliance

While your team may have been ready to work in a fully remote capacity before the pandemic, there’s a good chance that many of your customers weren’t quite as prepared. Business has slowed down in many sectors as less tech savvy teams are trying to figure out how to implement security while providing their teams with tools that can allow them to work from home effectively. At the same time, many organizations are waiting to make big software investments until after the economy has returned to normal. All this means that a good chunk of your workforce may be twiddling their thumbs, too, with no customers to work for.

This presents an ideal situation to hunker down and focus on your compliance program. Instead of having team members work on it when they have time, you can assign tasks with confidence to be addressed now. You can increase the number of employees who are well-versed in the program, and even have some time to determine who may be best to carry it out. You might be surprised at which members of your team show competence in compliance issues, now that they have the time and resources to fully focus on the program. 

Remote Work and All Its Trappings are the New Normal

Working from home can uncover a number of issues in your regular processes and workflows. For instance, internal communications may have hit a snag because individuals can’t have a quick chat while making coffee in the morning if everyone is making coffee in their own kitchens. Hopefully, your organization has found ways to adapt to these new issues, especially since remote work is going to be the new normal for a long time going forward. 

As your team settles into remote work even further, more of these issues are going to be brought to light. Imposing a compliance program like SOC 2 on them now can help you remediate the issues and outline a way to address them in the future. It’s a very practical way to get your program in place, while producing results that will make your workflows better now and in the future

At Practical Assurance, we are working with a number of small and medium businesses to take advantage of the current downtime to help set up compliance programs for a successful audit once the quarantine is over. In this way, teams can hit the ground running when the economy bursts back to life in a few months. Practical Assurance has software that can act as the road map to create a full SOC 2 program with a step-by-step guide. We can also offer ongoing services to help your team stay compliant year over year. And we offer consulting packages for organizations that may need hands-on guidance. 

If you’re ready to use the current situation to work on your SOC 2 compliance program, get in touch with us for a free demo today. 

How to prepare for your first SOC 2 audit

Security audits can be a real eye opener. As a company built on helping small and medium businesses prepare for their SOC 2 audits, we know from experience that many companies are completely blindsided by what an audit can bring out. This can happen not just during your first SOC 2 audit, but also if you change auditors. Luckily, you can prepare for these issues with a little foresight. Here are some tips for preparing for your first SOC 2 audit, or an SOC 2 audit with a new auditor. 

Understand the pre-audit timeline 

Your audit actually begins well before the auditor begins their onsite visit. Preparing for the SOC 2 audit means having implemented SOC 2 at your organization, obviously. Hopefully this will mean that you’ve outlined your controls and how you’re meeting SOC 2 criteria. In fact, having all of these lists in place should inform who you choose to perform the audit (see below). 

In preparing for an actual audit, you’ll need to assemble your internal SOC 2 project team, understand the scope of the project, and assign responsibilities, well before you determine which auditor you want to go with. You’ll also need to perform gap analysis and remediate any control deficiencies in preparation for the audit. All of this preparation has to take place well before the auditor steps foot on your premises. You may need a consultant to help with all of this, which is completely normal.  

Develop and identify your own controls based on the Points of Focus as early as possible

One way to be better prepared is to define your control list as soon as you possibly can. SOC 2 provides example controls, but the auditor will look to you and ask what your controls are in order to determine if you’re meeting the criteria. The auditor will work to guarantee that you meet any given criteria outlined in SOC2, and to do that, they’ll look at the Points of Focus. They’ll excuse irrelevant points of focus (for instance, remote companies may not need physical security), but anything else must be met with some type of control. 

The auditors will use your control list to make their request list, and will usually ask for your list about a month before the end of the audit. However, it’s a good idea to share your company’s control list with your auditor before the audit begins to ask if it throws off any red flags for them so you can prepare for those questions when they come. In fact, you may even use your control list and the auditor’s reaction to it as a way to determine the flexibility of possible external auditors so you can select an auditor who will be a good fit for your company. 

Recognize that you’re going to have disagreements with auditors

Because SOC 2 is less prescriptive than other security standards like PCI or ISO 27001, some of the requirements can be subject to opinion rather than hard and fast benchmarks. While there are common ways to ensure compliance, your methods may be different because of how your organization works. What it all comes down to is understanding your organization’s risks, and being able to explain in full how the controls you’ve put in place mitigate those risks. If you understand the criteria and the Point of Focus as laid out in the SOC 2, you’ll be in a better place to explain to an auditor why you’re doing something differently from industry best practices, or be prepared if an auditor asks you for something you don’t have. 

In fact, if you know that your organization has controls in place that are very different from what an auditor might normally expect, you might be better off bringing that up early on in the audit. Even though SOC 2 is extremely flexible, the auditors are probably going to expect that the sample controls set forth in SOC 2 will be in place at your organization. It’s a good idea to ask your auditor for a list of sample illustrative controls that they look for and see if they’re applicable to your company or not, too, so you can be prepared with a response when the time comes.

Recognizing that you’re going to have disagreements can also help you remember that you want to set your tone to be more cooperative than defensive or challenging. Challenging the standard doesn’t usually go well, because it’s the auditor’s job to show that you’re meeting it, whether you agree that it’s necessary or not. Instead, be prepared to explain why the controls you have in place meet the criteria in a different way. Don’t be defensive about your particular controls; instead, be collaborative, and the audit will go much better for everyone. 

While an SOC 2 audit can be eye opening, it doesn’t have to be a disaster. Practical Assurance has created a self-service readiness tool available that lays out a number of the expected controls and samples of what an auditor will be looking for. You can get started today for free at https://app.practicalassurance.com/signup.

For more tips on getting through an SOC 2 audit, check out our webinar, Overcoming SOC 2 Roadblocks here