real time web analytics

Demystifying SOC 2 Certification (It's not so scary!)

Ingrum Putz, CTO & Co-Founder
2019-02-125 min read

The exciting and dreaded phrase for an organization like yours to hear from a big prospect:

“We like your solution and would like to purchase..." YES! "...but, we need you to pass a SOC 2 audit.” NOOOOOoooooooo…….!

(cue scary music - fade to black)

After you regain consciousness, you realize that you need to do something soon. You Google “What is SOC 2?” You wonder “What do I need to do?” You scream “Help!”

What is SOC 2?

“SOC” stands for “system and organization controls.” The “controls” are a series of standards designed to help secure a service organization and how it conducts and regulates protection of customer information.  SOC 2 specifically relates to service providers that store customer data in the cloud. That’s it.

What do you need to do?

The Steps to SOC 2 Certification
    1. Security Program - Start with the Tugboat Logic Virtual CISO to create and manage your security program. Tugboat Logic can then help you and your auditor with most of the steps below to quickly get you SOC 2 certification.
    2. Define the Scope - What services, products or specific customers do you need the SOC 2 report for? Use Tugboat Logic to identify the policies and controls relevant to your service(s) and tag them.
    3. Choose a Report - Start with a SOC 2 Type 1 report, an introduction to the process that will be a snapshot of your security readiness and the foundation for an ongoing SOC 2 Type 2 report.
    4. Choose a SOC 2 Auditor - Get a 3rd party to audit your security program. A SOC 2 certification requires that a CPA firm attests to your compliance and can’t be the same as the company that prepares you for a SOC 2 assessment. Find the right one for you.  Some just check checkboxes and some are partners who work closely with you. Tugboat Logic has SOC 2 auditor partners who we can recommend and who use Tugboat Logic with their customers.
    5. Assessment Readiness - Determine how close you are to completing all the security controls needed to pass a SOC 2 audit. Find and fill the gaps. Use the Tugboat Logic Certification Deck and we will list the policies and controls that you will need to publish and implement to get ready for a SOC 2 Assessment. As you implement controls, you can add evidence for each one within Tugboat Logic.
    6. The SOC 2 Assessment - You provide requested evidence to your auditor that you implemented these controls, your auditor reviews the evidence, your auditor tests your people and processes, your auditor identifies gaps, and your auditor provides you with your report. During the SOC 2 assessment, you and your auditor will use Tugboat Logic to share and verify evidence, schedule tests, note gaps and address them quickly.
    7. Post Assessment - Most clients will require you obtain a SOC 2 Type 2 certification, which proves you maintained the level of security you outlined in your Type 1 for a period of 3-6 months. Because the most common request is a SOC 2 Type 2 report requiring your ability to continually prove compliance. Tugboat Logic acts as your system of record to ensure that you have a central location to log events, run tests, and update policies and controls throughout the year.

Tugboat Logic is here to help

Now that SOC 2 certification is no longer a mystery, get started with the Tugboat Logic Virtual CISO Platform. Tugboat Logic can not only help you build a security program with turnkey policies and controls to get you secure and ready for a SOC 2 audit, it can also help automate responses to RFPs and security questionnaires and can help assess your vendor risk and choose the right one.