You probably have customers asking you all the time if you’re SOC 2 compliant. You’re not yet, but you know it’s important. So you do a little Googling. Where do you start? Who needs to be involved? What’s required?
Can you relate to this scenario? Lots of organizations can! That’s why we put together a four-part SOC 2 bootcamp series, covering everything you need to know about the SOC 2 process.
For this webinar series, we borrowed Bluth Company and Associates from Arrested Development. Monica works for Bluth Company and is in charge of getting their SaaS product, Banana Stand, SOC 2 compliant.
In part one, Gus Fosarolli, Tugboat Logic’s Customer Success Manager and special guest Ryan Goodbary, Director of Risk, Assurance and Advisory Services at Armanino LLP, guide Monica and Bluth Company through scoping and auditor selection, covering:
- Getting internal buy-in
- What to consider when selecting an auditor
- The auditor selection and onboarding process
- The 5 Trust Service Categories
- The scoping process
- Writing your Service Organization’s Description of Controls
Getting Internal Buy-in
Multiple members of your organization will contribute to the SOC 2 process, so internal buy-in is a critical step. Scoping, creating policies, setting controls, and collecting evidence all rely on it. Getting your CEO, DevOps and the rest of the C-Suite on board will keep things flowing smoothly, especially since they’ll all contribute evidence and input at various times. Spreading out the work and securing that internal buy-in will get you across the finish line faster.
The earlier you engage an auditor, the better!
There are four key factors to consider when selecting your auditor:
- Quality. Evaluate the background of the overall firm and check out their success rate.
- Experience. Does the auditor have experience in your industry, and what do their references have to say?
- Cost. Cost is a tough one because it ranges drastically from firm to firm, so think of it as the value they bring to you. From boutique to one of the Big Four accounting firms, a firm’s reputation is as vital as their monetary ask. Shop around, ask questions and look at referrals. You can learn more about the cost of SOC 2 here.
- Personality fit. After you become compliant, the reality is, you’re going to have to continue doing audits every year to stay compliant. Switching auditors every year is time-consuming. Hopefully, you’ll find an auditor that you click with and stay with. It makes everything simpler, long term.
Once you’ve narrowed down your auditor choices, based on evidence and your gut feeling, you can start getting into the nitty-gritty with your auditor.
This usually consists of:
- Scoping and discovery
- Formal agreement
- Kickoff call
- Discussing next steps to prepare for readiness assessment
The SOC 2 audit is complicated, and there’s a lot of nuance between each control and the different policies required. So a readiness assessment with your auditor is a great starting point. It’s a top-down overview of everything that’s needed for the audit and of the company’s current security posture, so the auditor can identify the gaps you need to close. That allows for a smoother planning process. Arranging check-ins on your way to the finish line ensures everything is properly in place for your audit.
It’s important to remember that management has to take responsibility for the policies, processes and controls that are implemented. The auditor shouldn’t be drafting any of that information. If you need someone to draft information, we’re happy to help. For more on how to select an auditor, check out our SOC 2 Survival Guide.
Trust Service Categories
The Trust Service Categories (TSC) are control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems.
There are five TSC:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Security is the only required TSC for SOC 2. The other TSCs may apply to you as well, and that’s where scoping becomes essential.
How to Decide TSCs
As you go through the TSCs, each one brings in different controls. It’s not recommended to pursue all five if you don’t have to. It’s a lot of work! Instead of biting off more than you can chew, check what’s outlined explicitly in your contractual obligations and go from there. You can add other TSCs as your company grows. Having an internal conversation with your C-Suite and auditor keeps everyone on the same page.
What Is the Scoping Process?
Within Tugboat Logic, there’s a scoping survey for SOC 2 (and four other frameworks!). It walks you through a series of questions. If you’re not using Tugboat Logic, you’ll have a conversation based on similar questions with your auditor.
A sample of the questions covered in Tugboat Logic and by auditors:
- Is your product hosted on the cloud? (Public or private cloud.)
- How do you forecast and monitor the capacity requirements of your systems?
- Will your physical offices be included in the scope of your audit?
- Does your organization maintain any external digital storage media that stores any client or sensitive data?
- Have you implemented a Mobile Device Management (MDM) solution?
- Have you implemented an Intrusion Detection or Prevention System (IDS/IPS)?
Each of these questions sets the stage for your audit. Let’s say your organization maintains external digital storage media that store client or sensitive data. Maybe you use USB drives for this purpose. Controls are then required for wiping or destroying those drives when they’re no longer needed. For web or cloud storage, there are other controls to implement.
The scoping survey with Tugboat Logic or an auditor helps determine timelines and what needs to be created, tweaked, or what you already have in place. But that’s for a deep dive in SOC 2 Bootcamp Part Two: Policies and Controls.
Writing the Service Organization’s Description of Controls
Writing the service organization’s description of controls is covered in section three of the audit report. This is the report’s base and the part you can share with your vendors and customers.
There are five areas to focus on:
- Control Environment
- Risk Assessment
- Information and Communication
- Control Activities
- Monitoring Activities
Management is responsible for putting this long piece of wordsmithing together, but it often requires input from several departments. Auditors and Tugboat Logic offer templates to assist in this step, but it can still be a lot of work.
The first year is typically the most difficult, but the service organization’s description of controls should only require tweaks as your company grows. The earlier you can get started and incorporate your auditor, the less stressful the process will be.
To learn more, watch the entire SOC 2 Bootcamp Recap Part 1: Scoping video or schedule a walkthrough with Tugboat Logic!