There is a relatively common path that all companies take when getting SOC 2 certified. This overview is meant to help you better understand the end-to-end process and how to tailor it for your own company. We’ll go step by step through five common stages:
1. Assessment of relevance/need
There are usually two reasons why a company decides to go for SOC 2 certification: (a) A customer/prospective customer requires SOC 2 certification of its vendors, or (b) The company sets SOC 2 as an internal compliance goal.
It is important to note that companies may decide to go for ISO 27001 instead of SOC 2 – the decision to go for ISO 27001 vs. SOC 2 largely depends on where the company and its customers are based geographically (e.g., US companies with US customers are more likely to get SOC 2, European companies with European customers are more likely to get ISO 27001). Our Quick InfoSec Advice quiz can help you figure out what is right for you. This post focuses on companies for which SOC 2 is relevant.
(a) For smaller or younger companies, the decision to get a SOC 2 certification is usually driven by a company’s customers. Many customers, including almost all at the Enterprise level, won’t bring on vendors who are not SOC 2 compliant (assuming SOC 2 is relevant to the vendor, i.e., the vendor offers a cloud-based product or stores customer data in the cloud). Customers’ internal compliance programs prohibit vendors who are not SOC 2 compliant because, without an audited review of the vendor’s Information Security practices, the customer’s data could go unprotected. Before an Enterprise customer signs a vendor or procurement agreement, they will usually do an Information Security review if cloud-based storage is involved. At this point, if not sooner, the prospective customer will note a need for SOC 2 certification. Some customers allow a grace period for vendors to attain the certification (e.g., 6-9 months), during which they don’t fully implement or leverage the vendor’s product or services. Other customers won’t even engage with relevant vendors who aren’t SOC 2 compliant. When a customer drives the need for SOC 2, the certification becomes urgent quickly.
(b) When customers are not the driving force behind SOC 2 certification, companies usually go through the process as part of an internal compliance roadmap. Their Board may request it, their executive team may want to check compliance for good practice, or they may have had a security scare that prompted action. These companies are often forward-looking and compliance-conscious.
Once a company gets SOC 2 certification, they maintain their certification through official annual audits.
As a reminder, SOC 2 is currently a voluntary compliance standard. It is not a government mandate (like GDPR is a government mandate).
2. Understanding the standard
Once a company decides they need a SOC 2 certification, they need to get their bearings. They do research to better understand what SOC 2 entails, how the process looks, who needs to get involved from their team, and whether they should bring in external support. For younger/smaller companies, the overall SOC 2 responsibility often falls to an already overstretched C-suite executive (e.g., CEO, COO, CTO, CIO). For larger or more mature companies, there is often a Compliance or InfoSec team in place that has more context on SOC 2 and can fully own the process.
At this point, the norm used to be to hire external consultants to help bridge the knowledge gap, advise on controls to implement for your business, and prep you for the audit. Now, more companies are going with a tech solution that includes consulting support, like Complyance. The Complyance product lays out a tailored set of controls and tasks to execute for SOC 2 compliance, and our team (including our network of external, experienced consultants) further bridges any knowledge gap and gets you audit-ready and audit-confident. Tech products like Complyance should not claim to remove the need for consulting support – they simply pair the consulting with a tech product to offer a more complete solution than a consulting-only approach (e.g., tech can offer continuous monitoring via integrations) for true risk reduction and peace of mind.
To start understanding SOC 2, you can read Your 2-Minute Guide to SOC 2 and “SOC 2 Deep Dive”.
3. Gap assessment
Once you have a technology provider (and/or consultant) in place, they will perform a gap assessment to understand your current state against the SOC 2 criteria. A tech product will give you a precise score to reflect your current alignment with SOC 2 criteria (e.g., 73% compliant with SOC 2 today) based on source-of-truth integrations and an onboarding workshop. A consultant will offer a gap assessment based on workshops and their review of your data. Both methods tell you how far you are from SOC 2 compliance and lay out a roadmap of controls (rules) that you need to implement to achieve 100% compliance. For example, the Complyance product lays out a set of tasks tailored to your business that you can execute to achieve 100% Complyance.
4. Implementation of controls
The hardest part of the SOC 2 process can be the actual implementation of controls. Controls are the compliance rules or practices that a company commits to executing – they are the building blocks of a company’s compliance programs. Controls are mapped to the official criteria in a compliance framework – a company may have 100 controls to satisfy the SOC 2 criteria. A single control can be relevant to multiple different compliance standards. An example of a control is: The company has an InfoSec training program completed by all new hires within 1 week of start date and completed annually by all employees. This control or rule clearly lays out what the company is committing to. The implementation effort for this one control is significant – an InfoSec training has to be created, all employees have to sign off on their completion, and the training has to be introduced to the Onboarding program for all new hires within their first week. The company has to collect evidence (either manually themselves or automatically via a tech product like Complyance) to track their alignment with this control.
Some companies apply controls more lightly than others. For example, another control may be to maintain a risk register documenting all potential risks and relevant response plans. One company may list just a few risks and not keep this document updated until an annual audit comes around. Another company may use the risk register during quarterly executive meetings to quickly check on their risk mitigation strategies and flag any new risks to senior management. For true risk reduction, implementation of controls should be comprehensive – this requires some change management and training across the organization.
Complyance helps you automate the implementation of controls. As former consultants ourselves, we also advise you on change management practices and training you can do across your organization. Our network of external, experienced consultants can provide even more support if you need it.
5. Audit
The first SOC 2 audit for a company is broken down into two parts: SOC 2 Type 1 and SOC 2 Type 2. You can think of SOC 2 Type 1 as a temporary certification to confirm that you have the appropriate controls in place to meet the SOC 2 criteria. SOC 2 Type 1 is only relevant the first time a company goes through the SOC 2 process. SOC 2 Type 2 is an annual certification to validate that your company is actually implementing those policies and controls. More details on each below.
If a company is very confident in the implementation of their SOC 2 controls, they can go through SOC 2 Type 1 and SOC 2 Type 2 at the same time. More commonly, a company will use SOC 2 Type 1 as a ‘trial run’ or preliminary check for their SOC 2 Type 2 certification. They use the same auditors for both audits, which allows the auditor to flag any issues during the Type 1 audit for the company to remediate before their Type 2 audit.
SOC 2 Type 1: You can think of SOC 2 Type 1 as a ‘point in time’ audit because it measures the design of your security program on a specific date, without measuring the effectiveness or implementation of its controls over time. It only checks whether the controls exist and would be sufficient, if implemented, to meet the SOC 2 criteria and their goals. Samples chosen by the company are presented to demonstrate compliance.
Once a company completes their SOC 2 Type 1 audit, they have x months to start their SOC 2 Type 2 audit. Sometimes, a customer will be happy to proceed with implementation with a vendor who has achieved SOC 2 Type 1 certification, often as long as they achieve SOC 2 Type 2 certification within 6-12 months.
SOC 2 Type 2: Meanwhile, SOC 2 Type 2 actually measures the operation of your controls. The audit requires evidence of the controls being executed. An audit typically requires evidence from the preceding 6-12 months (can be 3 months depending on the auditor). A company has to be SOC 2 compliant for that entire period in order to meet the evidence requests.
A typical SOC 2 Type 2 audit involves:
Company gets audit-ready by sharing with their auditor a list of their relevant controls (ideally mapped to SOC 2 criteria) and initial evidence of the implementation of those controls
Auditors review the material offline
Auditors conduct interviews with various leaders in the organization to validate the implementation of controls
Auditors ask for further evidence of the controls in action (these requests are called samples, and they usually require the documentation around a specific event – e.g., the onboarding of employee Jane Smith, the implementation of Client Alpha, or the response to vulnerability X)
Auditors assess whether you have passed or failed the audit
Assuming you pass the audit, the auditors then write up a report that includes exceptions (observations of non-compliance) that you can share internally and with your clients
Complyance will help you across your company’s end-to-end SOC 2 certification process:
Assessment of relevance/need: We help you assess the relevance of SOC 2 for your organization with our “Quick InfoSec Advice Quiz”.
Understanding the standard: Not only do our resources and team support knowledge building and tailored advice, but our product lays out customized steps that you need to take to achieve SOC 2 compliance.
Gap assessment: Leveraging source-of-truth integrations with your tech stack alongside an onboarding workshop with data inputs from you, we can give you a precise compliance score to measure your current state alignment with the SOC 2 criteria.
Implementation of controls: Using your customized task list, you can implement controls inside the Complyance system through our automation features (e.g., policy generator). You can also manage and track the execution of all tasks and controls directly in the platform.
Audit: Complyance gets you audit-ready through all of the steps above. We can match you with an auditor from our network. Then, our team (including our extended team of consultants) will be there with you until you feel confident walking into your audit interviews. You can add auditors directly to your Complyance platform (they’ll have a restricted view) so they can review your evidence directly in the product, saving you time and manual work.
For more information on how we can help you, please Request a Complyance Consultation or email hello@complyance.com.