This came up as a question from a few customers, so we figured we'd ask our CISO Jose Costa, head of the Tugboat Labs Team (dedicated to helping customers know everything about compliance) and former partner at PwC, and our audit partners for their take. Here are the top 3 things that will hold you back from passing SOC 2:
#1: Risk assessments
This is the leading cause of companies not getting their SOC 2 report on time, and no surprise if you think about it. From a fundamentals / best-practices standpoint, the risk assessment is the cheat sheet for passing SOC 2: it tells your org how to become more secure AND is a forcing function for taking stock of every risk your org faces.
Risk assessments are also a control you must implement for SOC 2 itself (and for other frameworks such as ISO 27001). Regardless of when you plan to get your SOC 2, get half the battle done by completing your risk assessment now.
#2: Penetration tests
As with risk assessments, you need to start pentests early in order to complete SOC 2 on time. For SOC 2, pentest scopes are typically based on the Trust Services Criteria (TSC) relevant to your org. Note that the Security TSC is the one category every SOC 2 must include and accounts for roughly 80% of the audit, so you'll need to factor in the time it takes to vet freelance pentesters or pentest providers like Cobalt (full disclosure: we're a customer and they're a partner), WhiteHat Security, or NetSPI, all of whom we've vetted thoroughly based on quality of work, fit, track record, and cost.
#3: Internal security audits
Internal audits are a great baseline for measuring the robustness of your org's security posture in preparation for a SOC 2 audit. They take inventory of both the security processes and physical assets in your company (which more or less is what SOC 2 audits cover on a larger, more comprehensive scale) and provide the roadmap to improving your security program.
And best of all, the work you do for an internal audit overlaps with and complements the risk assessment you need for SOC 2. The findings from your internal audit, which is effectively a dry run of the SOC 2 audit, give you a head start on implementing the security controls your company needs in order to be both secure and compliant.