How to Stay SOC 2 Compliant

For many small and medium businesses, getting to SOC 2 compliance is the biggest challenge on their radar. But it’s important to keep the long view and consider how you’ll stay compliant even after you’ve gone through your first audit.

Practical Assurance has years of experience getting organizations to SOC 2 compliance and helping them maintain their programs. Read on to find out what to expect for an ongoing SOC 2 compliance program.

The Yearly SOC 2 Compliance Cadence

Once you’ve gotten through the process of defining and implementing your SOC 2 compliance program, you’ll find that your program can fall into a particular rhythm, hitting milestones on your checklist throughout the year. Defining this cadence is an important way to ensure that your organization stays compliant and addresses risks year-round.

The timing of these processes can be mapped to semi-annual, quarterly, monthly, and even weekly due dates. For instance, the larger reviews of your systems and overarching processes should happen every six months to ensure your team is on track. Systems that are more integral to your business processes, like your anti-malware, software, and risk assessment systems, should be reviewed on a quarterly basis.

Systems that need more regular upkeep or review will need more granular tasks assigned to their maintenance. Every month, your team should hold meetings, address vulnerabilities and patching, and review industry best practices and emerging threat trends. On a weekly basis, you should run vulnerability scans and ensure security policies are being enforced. These tasks and processes should be integrated into stakeholders’ regular work so that they aren’t felt as an added burden or missed by accident. 

How to Track Your Processes

Keeping track of these processes can appear overwhelming, especially if it’s your first year after an audit. In order to maintain compliance, these processes need to be addressed in a timely way that addresses your organization’s risk, but they also need to be documented. It can be tempting to assign tasks and hope they’ll get done, but the truth is that a commitment to compliance takes a lot more time and effort. 

It’s important to define your strategy and determine how you’ll complete it in an organized manner. Beyond having a calendar of due dates, you need to be able to track which individuals in your organization are responsible for each task. You also need documentation to prove whether or not tasks have been completed. Furthermore, you need instructions on completing tasks readily available and contingent next steps if an issue is identified.  

Finding A Solution That’s Better than Binders

While the original method of tracking compliance was shelves full of binders, there is a better solution. Practical Assurance has created an automated compliance tracking software system that can help you maintain compliance with automatic reminders and project management capabilities. You can assign tasks to stakeholders, set reminders, and document completion of tasks right inside the app.

We provide this application to organizations that have some compliance experience under their belts and want to improve their tracking and maintenance systems. We also provide advisory services to organizations that are just starting their compliance programs, which includes the app as well as regular consulting on how best to implement it.

For a more in-depth look at the annual SOC 2 compliance cadence, check out our recent webinar, How to Stay SOC 2 Compliant.

What You Get from Our Supercharged SOC 2 Checklist

You’ve decided that you want to start your SOC 2 compliance journey. Congratulations! But where do you begin? 

Becoming SOC 2 compliant can be a complex process, and there is a lot of information missing about what you have to do exactly to be SOC 2 compliant. Based on our extensive experience, Practical Assurance provides a clear, step-by-step checklist on precisely what it takes for each of our clients to achieve and maintain SOC 2 compliance. 

Read on to find out what your custom supercharged SOC 2 compliance checklist from Practical Assurance includes.

The Complexity of SOC 2 Compliance Decoded

It’s no secret that SOC 2 compliance requirements contain a lot of nuance. This means that they’re open to interpretation, which can be a headache when you’re trying to answer them. How do you know how to respond? And what if that’s not good enough for your auditor?

At Practical Assurance, we offer monthly webinars to help decode the complexity of SOC 2 compliance. With years of experience, we’ve developed a philosophy that can help organizations at any stage of maturity answer the requirements properly. Plus, we offer customized help to answer your specific questions on how to remain compliant.

Compliance Recommendations Tailored to Startups and SMBs

Over the years, we’ve learned that the companies with the fewest resources are the ones with the most room for growth with SOC 2 compliance. We have fine-tuned our recommendations for startups and small and medium businesses, so that you won’t miss something because of a one-size-fits-all approach.

At the same time, we give specific recommendations on what tools we’ve found to be the most useful in ensuring compliance. For instance, most of our customers are either on Amazon Web Services (AWS) or Microsoft Azure for cloud services. We focus our platform recommendations on those two, although our advice is agnostic enough to be applied to any platform. 

An In-Depth Consideration of Risk

SOC 2 compliance centers around risks, and those change from organization to organization. Our checklist takes this differing risk into account. We know that the risks faced by small technology startups are often much different from those in large public companies. Our checklists help you focus on the risks that really matter to you.

As an example, infrastructure tends to be much less complex in a small company than an enterprise organization. Your HR onboarding and offboarding processes are probably more straightforward, and you have fewer people involved in your processes overall. This means your company can communicate more easily and adapt to changes more quickly. All of this changes how you approach compliance. 

Additional Resources to Guide You to Compliance

On top of the supercharged checklist, Practical Assurance has developed templates and examples for each of our recommendations. This way, you can get up and running even faster because you don’t have to reinvent the wheel.

Practical Assurance also partners with a number of auditor organizations that we have worked with in the past, that we trust, and that we can recommend to you. Since we’ve worked with all of them before, we can also anticipate any sticking points they may have and help you address them before the audit gets underway.

At Practical Assurance, we know we offer the lowest-cost way to get started with SOC 2 compliance. For as little as $249/month, you can get started with our checklist and process and begin working towards compliance, whether you have an audit scheduled or not. Get in touch today to get started.

How to Set Up a SOC 2 Compliance Program While Your Team is Working Remotely

Most startups and many small or medium businesses have turned to remote work while the quarantine for COVID-19 is in place. As we’ve said before, if you’re experiencing a lull in business, it’s an ideal time to define your SOC 2 compliance program. But how can you launch a SOC 2 compliance program while your team is working remotely?

As experts in helping companies prepare for SOC 2 compliance, Practical Assurance has devised some best practices to help guide you through SOC 2 preparation, even when your team is remote. 

Start with Basic Questions about SOC 2

Getting started with your SOC 2 compliance program while working remotely is the same as if your team is in-house. There are some basic questions you need to ask yourself that will help you determine how you’ll go about your SOC 2 compliance program. 

These questions include:

  • Why are we doing SOC 2?
  • What are the basic SOC 2 requirements?
  • Which services, products, business units, etc., are in scope for an audit?
  • What are our trust principles? 
  • Do we want to try Type I or Type II?
  • When do we want to aim for implementation?

As an IT leader or founder, these questions should take you no longer than a day to answer. There’s really no excuse not to get started, regardless of where your workforce is.

Gather Documentation for an Initial Gap Test

Over the next week, take some time to get the momentum on your program going. This may be more difficult while working remotely, but if your documentation is saved in the cloud, it won’t be as difficult as you may think.

You can start by gathering any existing documentation you have, such as policies and procedures from your HR and technical teams. You should also look out for maps of your system, network, data flow, and architecture diagrams that may explain your IT infrastructure. 

Take inventory of your data, servers, workstations, and software as well. If your IT department doesn’t have this information, you may need to survey your employees regarding what items they work on while they’re working from home. Make sure that you understand whether or not your employees are working on their personal computers from home, as that can have an impact on your compliance.

If you’ve engaged in penetration testing in the past, those reports will help inform your future security strategy. Previous due diligence questionnaires are also key to identifying how you will move forward. In the same vein, take some time to meet with your various teams and get clarity on what sensitive data you store on behalf of customers. This information may come from your sales and marketing teams, as well as any web forms and IT security. 

After getting all this information together, you can do your first SOC 2 gap assessment. Take a look at where your organization currently stands based on these documents and data, and compare it to where you want to be. 

Identify Your Team and Treat Compliance Like a Regular Project

The key to success in any SOC 2 program is structure. This includes identifying which team members will be responsible for which aspects of the program. Right now, your team members may not have as much work as they normally do, and you may be able to find more volunteers than you normally would. Make sure that you are clear on deadlines, responsibilities, and communication to ensure success, even while your teams are working from home. 

The top roles that you need to identify are:

  • Business Process Lead 
  • Technical Lead
  • InfoSec Lead
  • Compliance Manager

For the best possible outcome, your team leaders should include executives if possible. For instance, the business process lead can be your HR manager or chief operations officer, and your technical lead can be your VP of engineering. Their buy-in will make or break your compliance program, and having them lead teams is a great way to keep them in the loop.

After your team is in place, you’ll need to ensure that you structure your project like you would any other project. Include it in your regular project management programming so that team members understand what they’re assigned to do and when it’s due. This is particularly important when your team is working remotely, as they won’t be able to pop into each other’s offices when they have questions. If you treat compliance as though it’s as important as a customer project or software rollout, you’ll have a much better chance of success.

Run Your Business in a Compliant State and Measure Success

Once you’ve set your SOC 2 compliance program up, you’re ready to run your business in a compliant state. It should be relatively natural if you’ve set everything up properly.

There are a few easy metrics you can use to measure your success, such as asking yourself:

  • Why do we need to be compliant?
  • Is our leadership bought-in?
  • Are the right stakeholders involved?
  • Have we committed a budget?
  • Is there a plan and a roadmap?
  • Are we expecting the right amount of work from team members?
  • Is our timeline expectation reasonable?

If you can answer all of these questions, you’re doing a good job.

You don’t have to start a compliance project on your own. Practical Assurance was founded to help startups and small businesses institute compliance programs with tools and tips from experts. To get more details on how to set up a compliance program while your team is working remotely, download a recording of our webinar.

Now is the Time to Start (or Perfect) Your SOC 2 Compliance Program

With most of the workforce either furloughed or working from home until the quarantine for COVID-19 can be lifted, many small and medium businesses are taking the opportunity to work on internal infrastructure projects. Security and compliance are two areas where organizations are turning their focus right now as part of their strategies to focus on these internal programs.

Now is the perfect time for small and medium businesses or startups to begin or perfect their SOC 2 compliance programs. We’ve outlined a few of the reasons why below. 

SOC 2 Compliance Is Only Going to Get More Important

Startups and other firms are taking a long-term perspective and realizing that, no matter where the economy is in six months, security and compliance issues aren’t going anywhere. In fact, given their previous growth trajectories, they may be bigger and greater projects than they were before. Customers who were asking you about SOC 2 compliance before the quarantine are still going to be asking about it after.

As one example, a growing question during the COVID-19 outbreak is how organizations are managing personal data, especially when it comes to healthcare. Several organizations are trying to develop a way to track outbreaks and exposure to the virus through cell phone movement, for instance, but are having to prove that they can do so anonymously without endangering personal health information. This is particularly important in Europe, where the General Data Protection Regulation stipulates strict terms on the usage of personal data. 

By starting or perfecting your SOC 2 compliance plan now, you can help avoid security risks that could make you unattractive to customers once they’re ready to buy your service or product. 

A Business Slowdown is the Perfect Time to Work on SOC 2 Compliance

While your team may have been ready to work in a fully remote capacity before the pandemic, there’s a good chance that many of your customers weren’t quite as prepared. Business has slowed down in many sectors as less tech-savvy teams try to figure out how to implement security while providing their teams with tools that allow them to work from home effectively. At the same time, many organizations are waiting to make big software investments until after the economy has returned to normal. All this means that a good chunk of your workforce may be twiddling their thumbs, too, with no customers to work for.

This presents an ideal situation to hunker down and focus on your compliance program. Instead of having team members work on it when they have time, you can assign tasks with confidence to be addressed now. You can increase the number of employees who are well-versed in the program, and even have some time to determine who may be best to carry it out. You might be surprised at which members of your team show competence in compliance issues, now that they have the time and resources to fully focus on the program. 

Remote Work and All Its Trappings are the New Normal

Working from home can uncover a number of issues in your regular processes and workflows. For instance, internal communications may have hit a snag because individuals can’t have a quick chat while making coffee in the morning if everyone is making coffee in their own kitchens. Hopefully, your organization has found ways to adapt to these new issues, especially since remote work is going to be the new normal for a long time going forward. 

As your team settles into remote work even further, more of these issues are going to be brought to light. Imposing a compliance program like SOC 2 on them now can help you remediate the issues and outline a way to address them in the future. It’s a very practical way to get your program in place, while producing results that will make your workflows better now and in the future.

At Practical Assurance, we are working with a number of small and medium businesses to take advantage of the current downtime to help set up compliance programs for a successful audit once the quarantine is over. In this way, teams can hit the ground running when the economy bursts back to life in a few months. Practical Assurance has software that can act as the road map to create a full SOC 2 program with a step-by-step guide. We can also offer ongoing services to help your team stay compliant year over year. And we offer consulting packages for organizations that may need hands-on guidance. 

If you’re ready to use the current situation to work on your SOC 2 compliance program, get in touch with us for a free demo today. 

How to prepare for your first SOC 2 audit

Security audits can be a real eye-opener. As a company built on helping small and medium businesses prepare for their SOC 2 audits, we know from experience that many companies are completely blindsided by what an audit can bring out. This can happen not just during your first SOC 2 audit, but also if you change auditors. Luckily, you can prepare for these issues with a little foresight. Here are some tips for preparing for your first SOC 2 audit, or a SOC 2 audit with a new auditor.

Understand the pre-audit timeline 

Your audit actually begins well before the auditor begins their onsite visit. Preparing for the SOC 2 audit means having implemented SOC 2 at your organization, obviously. Hopefully this will mean that you’ve outlined your controls and how you’re meeting SOC 2 criteria. In fact, having all of these lists in place should inform who you choose to perform the audit (see below). 

In preparing for an actual audit, you’ll need to assemble your internal SOC 2 project team, understand the scope of the project, and assign responsibilities, well before you determine which auditor you want to go with. You’ll also need to perform a gap analysis and remediate any control deficiencies in preparation for the audit. All of this preparation has to take place well before the auditor sets foot on your premises. You may need a consultant to help with all of this, which is completely normal.

Develop and identify your own controls based on the Points of Focus as early as possible

One way to be better prepared is to define your control list as soon as you possibly can. SOC 2 provides example controls, but the auditor will look to you and ask what your controls are in order to determine if you’re meeting the criteria. The auditor will work to confirm that you meet each criterion outlined in SOC 2, and to do that, they’ll look at the Points of Focus. They’ll excuse irrelevant Points of Focus (for instance, remote companies may not need physical security), but anything else must be met with some type of control.

The auditors will use your control list to make their request list, and will usually ask for your list about a month before the end of the audit. However, it’s a good idea to share your company’s control list with your auditor before the audit begins and ask whether it raises any red flags for them, so you can prepare for those questions when they come. In fact, you may even use your control list and the auditor’s reaction to it as a way to gauge the flexibility of possible external auditors, so you can select an auditor who will be a good fit for your company.

Recognize that you’re going to have disagreements with auditors

Because SOC 2 is less prescriptive than other security standards like PCI or ISO 27001, some of the requirements can be subject to opinion rather than hard-and-fast benchmarks. While there are common ways to ensure compliance, your methods may be different because of how your organization works. What it all comes down to is understanding your organization’s risks, and being able to explain in full how the controls you’ve put in place mitigate those risks. If you understand the criteria and the Points of Focus as laid out in SOC 2, you’ll be in a better place to explain to an auditor why you’re doing something differently from industry best practices, or be prepared if an auditor asks you for something you don’t have.

In fact, if you know that your organization has controls in place that are very different from what an auditor might normally expect, you might be better off bringing that up early on in the audit. Even though SOC 2 is extremely flexible, the auditors are probably going to expect that the sample controls set forth in SOC 2 will be in place at your organization. It’s a good idea to ask your auditor for a list of sample illustrative controls that they look for and see if they’re applicable to your company or not, too, so you can be prepared with a response when the time comes.

Recognizing that you’re going to have disagreements can also help you remember that you want to set your tone to be more cooperative than defensive or challenging. Challenging the standard doesn’t usually go well, because it’s the auditor’s job to show that you’re meeting it, whether you agree that it’s necessary or not. Instead, be prepared to explain why the controls you have in place meet the criteria in a different way. Don’t be defensive about your particular controls; instead, be collaborative, and the audit will go much better for everyone. 

While a SOC 2 audit can be eye-opening, it doesn’t have to be a disaster. Practical Assurance has created a self-service readiness tool that lays out a number of the expected controls and samples of what an auditor will be looking for. You can get started today for free at https://app.practicalassurance.com/signup.

For more tips on getting through a SOC 2 audit, check out our webinar, Overcoming SOC 2 Roadblocks.

How to Stay SOC 2 Compliant While Your Team is Working Remotely

The world is in flux right now due to COVID-19, and the global pandemic has changed the lay of the land for almost every organization. It’s likely that more people are working from home this week than at any time since technology made it possible to do so. This has put strain on IT departments that weren’t prepared for the new setup, while forcing companies of all sizes to adapt to a new normal.

However, SOC 2 requirements don’t go away just because the IT department is stressed, or just because employees are working from home. No matter how large or small your organization is, you can adapt your processes to ensure you stay compliant with SOC 2, even if your entire workforce is now remote. 

Identifying the Key Controls to Help Maintain SOC 2 Compliance

Unlike other standard protocols like PCI or ISO 27001, the guidelines in SOC 2 aren’t hard-and-fast rules. This means SOC 2 can actually be relatively easy to adapt for non-traditional security ecosystems. In fact, many start-ups and mostly remote organizations have chosen to implement SOC 2 standards for years for this very reason. As always, you will need to identify the risks that may threaten your business processes, and put policies in place to address them. 

The security challenges posed by a fully remote workforce are often different from those of an in-house team working from an office building. These include both cybersecurity and physical security issues, and some are less obvious than others. Human error or carelessness is often the biggest risk any company faces when it comes to computer and technology assets, and that gets more complicated when you don’t have your employees under one roof. Luckily, working on SOC 2 compliance can help mitigate these risks, even if you’ve never had a mostly remote workforce before.

Ensuring Physical Security for SOC 2 Compliance

One major security issue presented by a remote working situation is that you can’t offer guaranteed physical security to company hardware or systems, such as laptops or other workstations, that are now operating from the living rooms and home offices of your team members. But you can institute policies for your employees to minimize the risk of theft or physical damage to assets. 

Make sure employees know best practices for minimizing this risk, such as:

  • Never leave company assets in a vehicle, especially overnight 
  • If an asset must be stored in a vehicle, it must be locked in the trunk
  • Store laptops and other assets in a locked cabinet when not in use
  • Do not leave assets unattended or unlocked
  • Be cautious when entering company passwords
  • Never lend a company computer to anyone, including spouses, roommates, children, or other family members

Another aspect of physical security is keeping important data out of the reach of individuals who are not privy to it, including spouses and children of employees. While employees should never lend their laptops to family or household members for any reason, this also includes the printing of sensitive material. This type of material should never be printed or stored at home. You may need to create a printing policy so that documents that must be printed for whatever reason can be held until employees are allowed to return to the office. Of course, you can allow employees to connect to internal printers if they must print something, but they may not be able to access the documents until the office re-opens. 

These may seem like common-sense policies, but it’s important that you write them out explicitly and train employees on them so that they are understood. A written policy will also help you prove you were following SOC 2 compliance guidelines when you undergo an audit.

Cybersecurity Considerations for SOC 2 Compliance

Beyond the physical safety of assets that employees are using at home, you need to maintain security of your network. With employees working from their own Wi-Fi connections, there are several policies you will need to implement to ensure SOC 2 compliance.

The first is to establish a company virtual private network (VPN) that your employees can use to connect to servers and internal systems. Using a free VPN is not a good idea, because you cannot guarantee that the connection will be encrypted and that the server will protect private information. Some third-party VPNs are safe for use, as long as they have a secure and encrypted connection and don’t log users’ activity. Your IT security team should also ensure all workstation and laptop hard drives are encrypted before they go out into the world, in case the physical security policies outlined above fail.

Reducing the risk of human error in cybersecurity is your next task. Your team should establish a way to enforce automatic updates, or draft guidelines for employees to follow, to ensure that patching is up to date on all workstations and laptops. The workstation firewall should always be enabled to prevent attacks on the network. Implementing two-factor authentication (2FA) may be a pain for some workers, but it helps to ensure that the person logging into an asset is who they say they are. 2FA is especially important for internal systems and SaaS tools, such as internal email accounts, project management tools, and file sharing.
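The controls in the two paragraphs above (VPN-only access, encrypted drives, automatic updates and patching, workstation firewall, 2FA) and the earlier inventory step that asks whether staff are using personal computers can be checked and evidenced in one pass over your asset inventory. The following is an added example written for this page, not Practical Assurance's software or any tool the page describes. The `Workstation` record layout, the sample fleet, the as-of date, and the 30-day patch window are constructed assumptions; the page sets no numeric threshold, so substitute your own policy value.

```python
"""Evaluate an asset inventory against remote-work workstation controls.

Added example (not from the page). All records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold; the page gives no number


@dataclass(frozen=True)
class Workstation:
    host: str
    owner: str
    company_owned: bool     # personal computers in use must be surfaced, not hidden
    disk_encrypted: bool    # full-disk encryption before the device leaves the office
    firewall_enabled: bool  # host firewall always on
    auto_updates: bool      # automatic OS/application updates enforced
    last_patched: date      # date of the last successful patch run
    mfa_enrolled: bool      # 2FA on internal systems and SaaS accounts
    vpn_required: bool      # internal systems reachable only over the company VPN


def evaluate(ws: Workstation, today: date) -> list[str]:
    """Return the control failures for one workstation; an empty list means compliant."""
    findings: list[str] = []
    if not ws.company_owned:
        findings.append("personal computer used for company work")
    if not ws.disk_encrypted:
        findings.append("hard drive not encrypted")
    if not ws.firewall_enabled:
        findings.append("workstation firewall disabled")
    if not ws.auto_updates:
        findings.append("automatic updates not enabled")
    patch_age = (today - ws.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last patched {patch_age} days ago (limit {MAX_PATCH_AGE_DAYS})")
    if not ws.mfa_enrolled:
        findings.append("2FA not enrolled")
    if not ws.vpn_required:
        findings.append("internal systems reachable without the company VPN")
    return findings


def evaluate_fleet(fleet: list[Workstation], today: date) -> dict[str, list[str]]:
    """Map each host name to its findings, so the result can be filed as audit evidence."""
    return {ws.host: evaluate(ws, today) for ws in fleet}


def evidence_report(results: dict[str, list[str]]) -> str:
    """Plain-text summary of the weekly policy-enforcement check."""
    lines: list[str] = []
    for host, findings in sorted(results.items()):
        lines.append(f"{host}: {'PASS' if not findings else 'FAIL'}")
        lines.extend(f"  - {finding}" for finding in findings)
    failing = sum(1 for findings in results.values() if findings)
    lines.append(f"{len(results) - failing}/{len(results)} workstations compliant")
    return "\n".join(lines)


# Constructed sample inventory: one compliant laptop, one company laptop with
# lapsed controls, and one personal home PC that slipped into the fleet.
AS_OF = date(2020, 4, 15)
SAMPLE_FLEET = [
    Workstation("lt-001", "alice", True, True, True, True, date(2020, 4, 10), True, True),
    Workstation("lt-002", "bob", True, False, True, False, date(2020, 2, 1), True, True),
    Workstation("home-pc-carol", "carol", False, True, False, True, date(2020, 4, 1), False, False),
]

if __name__ == "__main__":
    print(evidence_report(evaluate_fleet(SAMPLE_FLEET, AS_OF)))
```

Run it weekly against the real inventory export and keep the report with the date it was produced; the dated report series is the kind of artifact an auditor can sample to see that the firewall, encryption, patching and 2FA policies were actually enforced rather than only written down. The personal-device finding deliberately does not try to assess the home PC's other settings, because a device you do not manage cannot be evidenced either way.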

Reports have shown that laptops and home computers used for remote work are increasingly attractive to hackers, thanks to the high level of security that organizations have applied to their corporate networks. With so many people working from home, cyber criminals are increasing their attacks on employees who may be working in a less secure environment. These hackers also know that your IT team is overwhelmed and less likely to be able to respond as quickly as you’d like. You should ensure your policies on preventing phishing are up to date and that all employees are aware of how to spot spam and prevent scams from infiltrating. 

Remind your staff not to use the laptop or workstation for personal items, such as online shopping or video streaming. The work laptop or workstation should be reserved for work only, to help minimize threats from hackers. 

Finally, make sure each individual in your organization understands to report security issues to IT staff immediately, and that they know how to do so. You may need to create a phone hotline or dedicated email account for reporting security issues, if you haven’t already, so that employees can be upfront about attacks before they make it to your corporate network. 

Overall, the challenges presented by a remote workforce can help you nail down your cybersecurity policies better, and provide you an opportunity to find any holes in your current SOC 2 compliance policies. While uncertainty around COVID-19 remains, SOC 2 compliance can be one less question mark for your organization.

If you would like further information about SOC 2 compliance, check out our overview of SOC 2.

SOC 2 Checklist – Week by Week

What does a weekly project plan and checklist look like for SOC 2 readiness? How do you prioritize practically? What are the key tasks I need to accomplish each week? 

Topics in this webinar include:

  • SOC 2 Checklist
  • 12-week readiness project plan
  • Key tasks prioritized weekly
  • Visual overview of the readiness process
  • Healthy readiness expectations

SOC 2 – Incident Response

What are the SOC 2 expectations for incident response? What do auditors look for? How does incident response interact with change control and risk management? What are some examples?

Topics in this webinar include:

  • The core components of compliant incident response
  • The critical ties to change control and risk management
  • Real world examples
  • Get inside your auditor’s head

SOC 2 : A Tactical Approach Webinar

So you have been working on readiness; now what? How do I know I am ready for an audit? What kind of evidence do I need? What, exactly, will an auditor be asking for?  

Topics in this webinar include:

  • What evidence do you need to collect in advance
  • Who in your organization needs to be ready
  • What effective compliance management looks like
  • Get inside your auditor’s head

SOC 2 – Human Resources Management

What do I need to know before the auditor shows up? Why does SOC 2 care about HR policy and practices and what are the relevant HR requirements? How do I incorporate the requirements over external parties and communications? Even more germane, how do I properly document for the audit?

Topics in this webinar include:

  • The relevant SOC 2 criteria impacting human resource management
  • The HR requirements that apply to customers, vendors, and communications
  • How to create auditable evidence
  • Get inside the head of a SOC 2 auditor
