How to Set Up a SOC 2 Compliance Program While Your Team is Working Remotely

Most startups and many small or medium businesses have turned to remote work while the quarantine for COVID-19 is in place. As we’ve said before, if you’re experiencing a lull in business, it’s an ideal time to define your SOC 2 compliance program. But how can you launch an SOC 2 compliance program while your team is working remotely?

As experts in helping companies prepare for SOC 2 compliance, Practical Assurance has devised some best practices to help guide you through SOC 2 preparation, even when your team is remote. 

Start with Basic Questions about SOC 2

Getting started with your SOC 2 compliance program while working remotely is the same as if your team is in-house. There are some basic questions you need to ask yourself that will help you determine how you’ll go about your SOC 2 compliance program. 

These questions include:

  • Why are we doing SOC 2?
  • What are the basic SOC 2 requirements?
  • Which services, products, business units, etc., are in scope for an audit?
  • What are our trust principles? 
  • Do we want to try Type I or Type II?
  • When do you want to aim for implementation? 

As an IT leader or founder, these questions should take you no longer than a day to answer. There’s really no excuse not to get started, regardless of where your workforce is.

Gather Documentation for an Initial Gap Test

Over the next week, take some time to get the momentum on your program going. This may be more difficult while working remote, but if your documentation is saved in the cloud, it won’t be as difficult as you may think.

You can start by gathering any existing documentation you have, such as policies and procedures from your HR and technical teams. You should also look out for maps of your system, network, data flow, and architecture diagrams that may explain your IT infrastructure. 

Take inventory of your data, servers, workstations, and software as well. If your IT department doesn’t have this information, you may need to survey your employees regarding what items they work on while they’re working from home. Make sure that you understand whether or not your employees are working on their personal computers from home, as that can have an impact on your compliance.

If you’ve engaged in penetration testing in the past, those reports will help inform your future security strategy. Previous due diligence questionnaires are also key to identifying how you will move forward. In the same vein, take some time to meet with your various teams and get clarity on what sensitive data you store on behalf of customers. This information may come from your sales and marketing teams, as well as any web forms and IT security. 

After getting all this information together, you can do your first SOC 2 gap assessment. Take a look at where your organization currently stands based on these documents and data, and compare it to where you want to be. 

Identify Your Team and Treat Compliance Like a Regular Project

The key to success in any SOC 2 program is structure. This includes identifying which team members will be responsible for which aspects of the program. Right now, your team members may not have as much work as they normally do, and you may be able to find more volunteers than you normally would. Make sure that you are clear on deadlines, responsibilities, and communication to ensure success, even while your teams are working from home. 

The top roles that you need to identify are:

  • Business Process Lead 
  • Technical Lead
  • InfoSec Lead
  • Compliance Manager

For the best possible outcome, your team leaders should include executives if possible. For instance, the business process lead can be your HR manager or chief operations officer, and your technical lead can be your VP of engineering. Their buy-in will make or break your compliance program, and having them lead teams is a great way to keep them in the loop.

After your team is in place, you’ll need to ensure that you structure your project like you would any other project. Include it in your regular project management programming so that team members understand what they’re assigned to do and when it’s due. This is particularly important when your team is working remotely, as they won’t be able to pop into each other’s offices when they have questions. If you treat compliance as though it’s as important as a customer project or software roll out, you’ll have a much better chance of success.

Run Your Business in a Compliant State and Measure Success

Once you’ve set your SOC 2 compliance program up, you’re ready to run your business in a compliant state. It should be relatively natural if you’ve set everything up properly.

There are a few easy metrics you can use to measure your success, such as asking yourself:

  • Why do we need to be compliant?
  • Is our leadership bought-in?
  • Are the right stakeholders involved?
  • Have we committed a budget?
  • Is there a plan and a roadmap?
  • Are we expecting the right amount of work from team members?
  • Is our timeline expectation reasonable?

If the answers to these questions exist, you’re doing a good job.

You don’t have to start a compliance project on your own. Practical Assurance was founded to help startups and small businesses institute compliance programs with tools and tips from experts. To get more details on how to set up a compliance program while your team is working remotely, Download a recording of our webinar

Doing SOC 2 Remote

Why is now the best time to start working on SOC 2? What does SOC 2 preparation look like remotely? What are the advantages and what do I need to know to be successful? What will an auditor have to say?

Topics in this webinar include:

  • How to get started
  • How to gain momentum
  • How to build your team
  • How to structure the project
  • How to accelerate the implementation

Download the webinar:

The webinar was recorded in April 2020 and we’ve made it available for download by filling out the form below.

Send me the webinar recording and slides:

Now is the Time to Start (or Perfect) Your SOC 2 Compliance Program

With most of the workforce either furloughed or working from home until the quarantine for COVID-19 can be lifted, many small and medium businesses are taking the opportunity to work on internal infrastructure projects. Security and compliance are two areas where organizations are turning their focus right now as part of their strategies to focus on these internal programs.

Now is the perfect time for small and medium businesses or startups to begin or perfect their SOC 2 compliance programs. We’ve outlined a few of the reasons why below. 

SOC 2 Compliance Is Only Going to Get More Important

Startups and other firms are taking a long-term perspective and realizing that, no matter where the economy is in six months, security and compliance issues aren’t going anywhere. In fact, given their previous growth trajectories, they may be bigger and greater projects than they were before. Customers who were asking you about SOC 2 compliance before the quarantine are still going to be asking about it after.

As one example, a growing question during the COVID-19 outbreak is how organizations are managing personal data, especially when it comes to healthcare. Several organizations are trying to develop a way to track outbreaks and exposure to the virus through cell phone movement, for instance, but are having to prove that they can do so anonymously without endangering personal health information. This is particularly important in Europe, where the General Data Protection Regulation stipulates strict terms on the usage of personal data. 

By starting or perfecting your SOC 2 compliance plan now, you can help avoid security risks that could make you unattractive to customers once they’re ready to buy your service or product. 

A Business Slowdown is the Perfect Time to Work on SOC 2 Compliance

While your team may have been ready to work in a fully remote capacity before the pandemic, there’s a good chance that many of your customers weren’t quite as prepared. Business has slowed down in many sectors as less tech savvy teams are trying to figure out how to implement security while providing their teams with tools that can allow them to work from home effectively. At the same time, many organizations are waiting to make big software investments until after the economy has returned to normal. All this means that a good chunk of your workforce may be twiddling their thumbs, too, with no customers to work for.

This presents an ideal situation to hunker down and focus on your compliance program. Instead of having team members work on it when they have time, you can assign tasks with confidence to be addressed now. You can increase the number of employees who are well-versed in the program, and even have some time to determine who may be best to carry it out. You might be surprised at which members of your team show competence in compliance issues, now that they have the time and resources to fully focus on the program. 

Remote Work and All Its Trappings are the New Normal

Working from home can uncover a number of issues in your regular processes and workflows. For instance, internal communications may have hit a snag because individuals can’t have a quick chat while making coffee in the morning if everyone is making coffee in their own kitchens. Hopefully, your organization has found ways to adapt to these new issues, especially since remote work is going to be the new normal for a long time going forward. 

As your team settles into remote work even further, more of these issues are going to be brought to light. Imposing a compliance program like SOC 2 on them now can help you remediate the issues and outline a way to address them in the future. It’s a very practical way to get your program in place, while producing results that will make your workflows better now and in the future

At Practical Assurance, we are working with a number of small and medium businesses to take advantage of the current downtime to help set up compliance programs for a successful audit once the quarantine is over. In this way, teams can hit the ground running when the economy bursts back to life in a few months. Practical Assurance has software that can act as the road map to create a full SOC 2 program with a step-by-step guide. We can also offer ongoing services to help your team stay compliant year over year. And we offer consulting packages for organizations that may need hands-on guidance. 

If you’re ready to use the current situation to work on your SOC 2 compliance program, get in touch with us for a free demo today. 

How to prepare for your first SOC 2 audit

Security audits can be a real eye opener. As a company built on helping small and medium businesses prepare for their SOC 2 audits, we know from experience that many companies are completely blindsided by what an audit can bring out. This can happen not just during your first SOC 2 audit, but also if you change auditors. Luckily, you can prepare for these issues with a little foresight. Here are some tips for preparing for your first SOC 2 audit, or an SOC 2 audit with a new auditor. 

Understand the pre-audit timeline 

Your audit actually begins well before the auditor begins their onsite visit. Preparing for the SOC 2 audit means having implemented SOC 2 at your organization, obviously. Hopefully this will mean that you’ve outlined your controls and how you’re meeting SOC 2 criteria. In fact, having all of these lists in place should inform who you choose to perform the audit (see below). 

In preparing for an actual audit, you’ll need to assemble your internal SOC 2 project team, understand the scope of the project, and assign responsibilities, well before you determine which auditor you want to go with. You’ll also need to perform gap analysis and remediate any control deficiencies in preparation for the audit. All of this preparation has to take place well before the auditor steps foot on your premises. You may need a consultant to help with all of this, which is completely normal.  

Develop and identify your own controls based on the Points of Focus as early as possible

One way to be better prepared is to define your control list as soon as you possibly can. SOC 2 provides example controls, but the auditor will look to you and ask what your controls are in order to determine if you’re meeting the criteria. The auditor will work to guarantee that you meet any given criteria outlined in SOC2, and to do that, they’ll look at the Points of Focus. They’ll excuse irrelevant points of focus (for instance, remote companies may not need physical security), but anything else must be met with some type of control. 

The auditors will use your control list to make their request list, and will usually ask for your list about a month before the end of the audit. However, it’s a good idea to share your company’s control list with your auditor before the audit begins to ask if it throws off any red flags for them so you can prepare for those questions when they come. In fact, you may even use your control list and the auditor’s reaction to it as a way to determine the flexibility of possible external auditors so you can select an auditor who will be a good fit for your company. 

Recognize that you’re going to have disagreements with auditors

Because SOC 2 is less prescriptive than other security standards like PCI or ISO 27001, some of the requirements can be subject to opinion rather than hard and fast benchmarks. While there are common ways to ensure compliance, your methods may be different because of how your organization works. What it all comes down to is understanding your organization’s risks, and being able to explain in full how the controls you’ve put in place mitigate those risks. If you understand the criteria and the Point of Focus as laid out in the SOC 2, you’ll be in a better place to explain to an auditor why you’re doing something differently from industry best practices, or be prepared if an auditor asks you for something you don’t have. 

In fact, if you know that your organization has controls in place that are very different from what an auditor might normally expect, you might be better off bringing that up early on in the audit. Even though SOC 2 is extremely flexible, the auditors are probably going to expect that the sample controls set forth in SOC 2 will be in place at your organization. It’s a good idea to ask your auditor for a list of sample illustrative controls that they look for and see if they’re applicable to your company or not, too, so you can be prepared with a response when the time comes.

Recognizing that you’re going to have disagreements can also help you remember that you want to set your tone to be more cooperative than defensive or challenging. Challenging the standard doesn’t usually go well, because it’s the auditor’s job to show that you’re meeting it, whether you agree that it’s necessary or not. Instead, be prepared to explain why the controls you have in place meet the criteria in a different way. Don’t be defensive about your particular controls; instead, be collaborative, and the audit will go much better for everyone. 

While an SOC 2 audit can be eye opening, it doesn’t have to be a disaster. Practical Assurance has created a self-service readiness tool available that lays out a number of the expected controls and samples of what an auditor will be looking for. You can get started today for free at

For more tips on getting through an SOC 2 audit, check out our webinar, Overcoming SOC 2 Roadblocks here

How to Stay SOC 2 Compliant While Your Team is Working Remotely

The world is in flux right now due to COVID-19, and the global pandemic has changed the lay of the land for almost every organization. It’s likely that more people are working from home this week than at any time since technology has made it possible to do so. This has caused strain on IT departments who weren’t prepared for the new set up, while forcing companies of all sizes to adapt to a new normal. 

However, SOC 2 requirements don’t go away just because the IT department is stressed, or just because employees are working from home. No matter how large or small your organization is, you can adapt your processes to ensure you stay compliant with SOC 2, even if your entire workforce is now remote. 

Identifying the Key Controls to Help Maintain SOC 2 Compliance

Unlike other standard protocols like PCI or ISO 27001, the guidelines in SOC 2 aren’t hard-and-fast rules. This means SOC 2 can actually be relatively easy to adapt for non-traditional security ecosystems. In fact, many start-ups and mostly remote organizations have chosen to implement SOC 2 standards for years for this very reason. As always, you will need to identify the risks that may threaten your business processes, and put policies in place to address them. 

The security challenges posed by a fully remote workforce are often different from those of an in-house team working from an office building. These include both cybersecurity and physical security issues, and some are less obvious than others. Human error or carelessness  is often the biggest risk any company faces when it comes to computer and technology assets, and that can get more complicated when you don’t have your employees under one roof. Luckily, working on SOC 2 compliance can help mitigate these risks, even if you’ve never had a mostly remote workforce before. 

Ensuring Physical Security for SOC 2 Compliance

One major security issue presented by a remote working situation is that you can’t offer guaranteed physical security to company hardware or systems, such as laptops or other workstations, that are now operating from the living rooms and home offices of your team members. But you can institute policies for your employees to minimize the risk of theft or physical damage to assets. 

Make sure employees know best practices for minimizing this risk, such as:

  • Never leave company assets in a vehicle, especially overnight 
  • If an asset must be stored in a vehicle, it must be locked in the trunk
  • Store laptops and other assets in a locked cabinet when not in use
  • Do not leave assets unattended or unlocked
  • Be cautious when entering company passwords
  • Never lend a company computer to anyone, including spouses, roommates, children, or other family members

Another aspect of physical security is keeping important data out of the reach of individuals who are not privy to it, including spouses and children of employees. While employees should never lend their laptops to family or household members for any reason, this also includes the printing of sensitive material. This type of material should never be printed or stored at home. You may need to create a printing policy so that documents that must be printed for whatever reason can be held until employees are allowed to return to the office. Of course, you can allow employees to connect to internal printers if they must print something, but they may not be able to access the documents until the office re-opens. 

These may seem like common-sense policies, but it’s important that you write them out explicitly and train employees on them so that employees understand them. A written policy will also help you to prove you were following SOC 2 compliance guidelines when you undergo an audit. 

Cybersecurity Considerations for SOC 2 Compliance

Beyond the physical safety of assets that employees are using at home, you need to maintain security of your network. With employees working from their own Wi-Fi connections, there are several policies you will need to implement to ensure SOC 2 compliance.

The first is to establish a company virtual private network (VPN) that your employees can use to connect to servers and internal systems. Using a free VPN is not a good idea, because you cannot guarantee that the connection will be encrypted and that the server will protect private information. Some third-party VPNs are safe for use, as long as they have a secure and encrypted connection and don’t log users’ activity. Your IT security team should also ensure all workstation and laptop hard drives are encrypted before they go out into the world, in case the physical security policies outlined above fail.

Reducing the risk of human error in cybersecurity is your next task. Your team should establish a way to induce automatic updates or draft guidelines for employees to follow to ensure that patching is up to date on all workstations and laptops. The workstation firewall should always be enabled to prevent attacks to the network. Implementing two-factor authentication (2FA) may be a pain for some workers, but it helps to ensure that the person logging into an asset is who they say they are. 2FA is especially important for internal systems and SaaS tools, such as internal email accounts, project management tools, and file sharing. 

Reports have shown that laptops and home computers used for remote work are increasingly attractive to hackers, thanks to the high level of security that organizations have applied to their corporate networks. With so many people working from home, cyber criminals are increasing their attacks on employees who may be working in a less secure environment. These hackers also know that your IT team is overwhelmed and less likely to be able to respond as quickly as you’d like. You should ensure your policies on preventing phishing are up to date and that all employees are aware of how to spot spam and prevent scams from infiltrating. 

Remind your staff not to use the laptop or workstation for personal items, such as online shopping or video streaming. The work laptop or workstation should be reserved for work only, to help minimize threats from hackers. 

Finally, make sure each individual in your organization understands to report security issues to IT staff immediately, and that they know how to do so. You may need to create a phone hotline or dedicated email account for reporting security issues, if you haven’t already, so that employees can be upfront about attacks before they make it to your corporate network. 

Overall, the challenges presented by a remote workforce can help you nail down your cybersecurity policies better, and provide you an opportunity to find any holes in your current SOC 2 compliance policies. While uncertainty around COVID-19 remains, SOC 2 compliance can be one less question mark for your organization.

If you would like further information about SOC 2 compliance, check out our overview of SOC 2.

The SOC 2 Mindset

What is SOC 2 preparation and compliance really like? Is it a set of configurations and security tools? Is it a bunch of documentation we haven’t created yet? Is it something we do? What if the most important thing about SOC 2 isn’t those at all?

Topics in this webinar include:

  • How to keep the main thing the main thing
  • Set yourself up for success
  • How to communicate with ALL stake holders
  • Get inside your auditor head!

Download the webinar:

Continue reading The SOC 2 Mindset

Breaking SOC 2 Roadblocks

How do you deal with the inevitable “impossible” requirement for your organization? What are some common pain points and ways to get around them? How can a risk perspective rescue the conversation? What will be your auditors perspective?

Topics in this webinar include:

  • The good and poor way to approach compliance disagreement
  • Using risk assessment to make your argument
  • Top compensating control strategies
  • Get inside your auditor head!

Download the webinar:

Continue reading Breaking SOC 2 Roadblocks

Making SOC 2 Hindsight in 2020

What is best practice prioritization for SOC 2 preparation? What are the top lessons learned from 2019? What are the “gotchas” to avoid? Which criteria require implementation and additional budget? What kind of total budget will I need?

Topics in this webinar include:

  • Prioritized approach for SOC 2 readiness
  • The top 4 audit deficiencies
  • List of common technology expenses
  • Get inside your auditor head!

Download the webinar:

Continue reading Making SOC 2 Hindsight in 2020

SOC 2 System Description

What are the Descriptive Criteria for SOC 2? Why do I have to write the description?  What are the minimum requirements? What else can I include? What will an auditor expect to see?

Topics in this webinar include:

  • Understand the 2018 SOC 2 Description Criteria
  • Know the minimum requirements
  • Take advantage of the marketing opportunity
  • Don’t be caught off guard, this will take time!

Download the webinar:

Continue reading SOC 2 System Description

SOC 2 Subservice Organizations

What is a Subservice Organization? A vendor that provides services and controls directly relevant to the service undergoing an audit. Usually a key-component of the service you provide; Processes customer data; Stores customer data; Most relied-upon vendors

Topics in this webinar include:

  • How to identify subservice organizations
  • How to monitor and evaluate
  • What to expect during a SOC 2 audit

Download the webinar:

Continue reading SOC 2 Subservice Organizations