Credit: Dreamstime
Organisations that want to prove to others – and to themselves – that they have a solid cybersecurity and data privacy program will undergo a SOC 2 audit. As such, a SOC 2 audit is a big deal, and it’s demanding, and it requires some serious preparation.
SOC audits were created by the American Institute of CPAs (AICPA) under several evaluation and reporting frameworks comprising the System and Organisation Controls headers SOC 1, SOC 2, and SOC 3.
Although each of those holds value, many organisations ask their vendors and business partners – and are themselves asked – specifically to provide the results of a SOC 2 Type 2 audit.
For that type, auditors evaluate organisations against the SOC 2 framework and the AICPA’s five Trust Service Criteria – security, availability, processing integrity, confidentiality, and privacy.
Organisations use SOC 2 audit reports as a trusted standard that informs others in detail about how well they’re protecting data in each of those five areas.
“It’s a demonstration that we’ve taken precautions, that we’ve done all this work so you can trust us,” says Kevin R. Powers, founder and director of the MS in Cybersecurity Policy & Governance Programs at Boston College.
Here are some talking points on what SOC 2 advance work should cover:
1. Choose which SOC 2 Trust Service Criteria to evaluate
Although all organisations are evaluated against the security criteria when undergoing this audit, they can choose which of the other four Trust Service Criteria will be included in their audit.
AJ Yawn, author of An Expert’s Guide to Reviewing SOC 2 Reports from the SANS Institute, advises companies to decide which principles to include based on what their customers consider important.
“You don’t want to make that decision based on what the auditors tell you. Think through everything you’re doing through the lens of the readers of the report and make sure you’re communicating what they care about,” says Yawn, who is also founder and CEO at ByteChek and a founding board member of the National Association of Black Compliance and Risk Management Professionals.
For example, a company providing applications that aren’t considered by its clients as mission critical, could opt out of being evaluated for availability and concentrate instead on other areas that mean more to its customers.
2. Go it alone or get help?
A SOC 2 audit costs tens of thousands of dollars, so it’s important for executives to consider whether they have employees with the skills and time to adequately prepare for the actual audit or whether they need to hire an external team to take on that work, says Powers, who is also an assistant professor in both the Boston College Law School and its Carroll School of Management.
Richard White, an adjunct professor and course chair for Cybersecurity Information Assurance at the University of Maryland, says it’s possible to go it alone “but it can be daunting, so hiring a vendor to support you through it – at least for the first time – is a recommended option.”
3. Review organisational policies
White notes that auditors review organisational policies as part of all SOC 2 examinations, so it’s best to get those policies squared away before the process starts. “Do you have the policies written down? The workflows written down? And there’s also the implementation – have you implemented them correctly? You have to look at all that because that could impact success.”
There’s a long list of policies for review, experts say, running from acceptable use and access control policies all the way through vendor management and workstation security policies.
They must be well documented and up to date – tasks that are challenging for many.
“Companies tend to write their controls down and never look at them again, so preparing for the audit is an appropriate time to look at and update them if they don’t reflect what you’re doing,” says Paul Perry, a member of the Emerging Trends Working Group with the governance group ISACA and the Security, Risk and Controls Practice Leader with accounting and advisory firm Warren Averett.
4. Confirm that operations match policies
Auditors want to see well-documented policies, but they also want to see them in action to verify that organisations are doing in day-to-day practice what those policies say they should be doing.
For example, software engineers may be testing code, but they need to do so in a manner that follows the process and documentation requirements outlined in the organisation’s policies. That’s the kind of action auditors will want to see, Yawn says.
5. Examine security and privacy controls
Review security and privacy controls to ensure they’re aligned with the organisation’s own security and privacy policies as well as regulatory requirements and industry best practices.
This means looking at everything from access controls to encryption to vulnerability scanning (on premise and in the cloud) as well as confirming that the enterprise controls align to SOC 2 criteria or, if they don’t, documenting the reasons for the divergence.
“Examine your controls – your access controls, encryption, your layered defense,” Powers says. “Before you bring in a SOC 2 auditor, you want to make sure you’re not setting yourself up for failure.”
6. Do a practice SOC 2 audit
A practice run is another key step to take before the actual audit, according to multiple SOC 2 authorities. “It’s one way to help ensure that you get a positive outcome,” says Jim Routh, former CISO of Mass Mutual.
This certainly applies to organisations scheduling an audit for the first time, as they generally have less insights on what and how auditors make their evaluations, Routh says.
But he notes that even those with mature security programs will benefit from a dry run. These self-audits, whether done by employees or consultants, could catch problems: controls that aren’t as effective as they should be, reporting tools that don’t generate needed data, misconfigured software that creates risk – any of which could jeopardise a positive outcome on the actual audit.
7. Prioritise which gaps to fix
That self-attestation is just the first step, says Routh, who’s currently a board member and advisor for multiple companies as well as a member of the advisory council at New York University’s Tandon School of Engineering. The next step is to address the identified gaps and deficits.
Yawn says he advises executives to carefully consider how they prioritise the identified shortcomings, as changes in one area often have a cascading impact.
For example, a gap analysis may have turned up issues in written policies as well as the technology infrastructure. And while it may be tempting to update policies to get that quick and easy win, Yawn says the larger, more complex issue – fixing the architecture – may affect how or even whether the policies need rewriting.
8. Gather evidence
Having a mature security and privacy program is not necessarily enough to succeed with a SOC 2 audit, according to experts.
Auditors want proof of that. The list of materials needed can be extensive and broad, ranging from administrative security policies and cloud infrastructure agreements to risk assessments and vendor contracts.
“A SOC 2 is very rigorous, so you have to have evidence to prove that you have the processes, you’re following processes, that you’re operating as expected,” White says, adding that this part of the prep work pulls together the various elements that go into having a well-run security and privacy operation.
“You look at your processes, policies, and procedures to make sure they’re aligned, well documented, and correct. And that they’re ready [to share]. You should know what the SOC auditor will ask so you’re ready to provide it.”
9. Avoid a checklist mentality
Although security leaders agree there’s significant value in having a SOC 2 audit, they say it’s important for each organisation to tailor their security and privacy programs to their own unique needs and not necessarily to the SOC 2 criteria.
“You need to step back and make sure you’re not getting boilerplate policies and procedures. Make sure everything is tailored to your organisation,” Powers says.
Routh agrees, noting as an example that the audit criteria doesn’t specifically call for organisations to implement the new anti-ransomware technology now on the market, yet it’s still worthwhile even though it won’t sway the result of an audit.
10. Remember that the goal is a better security and data privacy program
Enterprise security chiefs and their C-suite colleagues should aim to have a security and data privacy program that could be ready for an audit at any time.
They should aim for consistently up-to-date policies; policies and procedures that always meet regulatory requirements and best practices; and controls and operations that are perfectly aligned with their policies.
Security leaders stress that such work shouldn’t happen only in preparation for an audit, pointing out that in fact the SOC 2 Type 2 audit looks at whether an organisation is doing such work on an ongoing basis during the 12 months set for evaluation.
At the same time, they acknowledge that no security and privacy program will do all this perfectly – after all, there’s no such thing as perfection in security.
“The best companies prepare for the audit all year long because it’s part of their culture, and the management of risk is something that they do on a daily basis,” Perry says. “Those companies don’t have to have someone come on the job for two weeks or two months to prepare for the audit because they’re always prepared.”
