If your company is using an IaaS (Infrastructure as a Service) provider such as AWS (Amazon Web Services), you’re probably impressed with number of certifications they have collected. A SOC 2 Type II from an IaaS provider will often cover most of the physical security requirements. Depending on how your system is configured, it may cover backup & recovery, and disaster recovery portions. A SOC 2 Type II from your cloud provider will not cover your application, your internal policies, etc. Using cloud services are helpful, but will not give you 100% coverage.
On average, going from zero to SOC 2 Type II will take from 8 months to a year. Smaller companies that don’t have many systems can often complete the process faster. To further expedite the process, it is advisable to not create all policies and procedures from scratch. Many security & compliance consultants have built vast libraries of policies and procedures that can be customized for your business and make your life easier.
Having good security practices in place is certainly a good start, but often not sufficient for compliance. Security does not equal compliance, and vice versa. Preparing for SOC 2 may include Security (logical & physical), Availability, Integrity, Confidentiality, and Privacy. Newer/smaller companies often prepare for a SOC 2 by creating many of these policies for the first time. The creation of new policy will often lead to the implementation of new preventative and detective controls.
Large organizations typically appoint a Chief Security or Chief Compliance Officer to manage audits from beginning to end. Smaller companies tend to outsource expertise and form a team to prepare for compliance. It is best implemented as a team effort because policies changes will impact everyone in your company. As with any major project, executive buy-in is key. The value of compliance isn’t always apparent and having the right people on board will help immensely.
SOC 2 preparation usually happens in a few stages. First, your company should identify all “key systems” and perform a gap analysis against all requirements documented in the Trust Services Principles and Criteria. Next, existing security controls should be identified and policies and procedures should be written to meet all requirements. This can take anywhere from a few weeks to up to 6 months, depending on the size and maturity of your company. At this point you are ready for the SOC 1 Type I audit. A SOC 2 Type II audit is typically performed 6 months later.
A SOC 2 Type I audit is an audit reporting on the policies and procedures a company has established at a particular point in time. It is generally the first step taken and is often referred to as “test of design.” It will answer the question, “are the controls properly in place?” A SOC 2 Type II audit is a “test of effectiveness” over a period of time. The “period of time” is generally no less than 6 months and no more than a year. It will answer, “is your company following it’s own policies?”
When the industry replaced SAS-70 reports with SOC 1 and SOC 2 reports as the new standard, there was initially a lot of confusion. SOC 1 reports are often referred as “SSAE 16.” These reports typically only cover the controls that support financial reporting. SOC 2 on the other hand is an audit against the Trust Services Principles and Criteria. SOC 2 reports are generally best for technology service providers that extend beyond financial services. SOC 2 is the best choice for most businesses.
If you’re selling services to mid-market and enterprise companies you may be asked, “Do you have a SOC 2 Type II report?” If the answer is “no” your company may find it more and more difficult to make these sales. With almost daily headlines of companies being breached, the need for information security and compliance (with laws and industry standards) continues to increase. A SOC 2 report will help your company sell to bigger and bigger customers.
A SOC 2 report will help your customers trust that you follow security best practices. SOC 2 reports are generally carried out by businesses performing information systems processing or technical services to other business. The SOC 2 report provides third party assurance that an adequate baseline of Information Security controls have been put in place. Businesses of all sizes can have a SOC 2 audit, however, it is most beneficial for businesses looking to sell in the enterprise market.