Sep 7, 2022

How do I implement my SOC2?

You got your SOC2 Type 1 or Type 2 and now you are the owner of a brand new, beautiful... piece of paper. Obtaining a SOC2 does not do much for your company if you do not implement the controls you have committed to into your organization.  Worse, since it is an attestation of your cyber program to stakeholders, including customers, you can be out of legal compliance with your agreements if you implement your SOC2 incorrectly.

What is a SOC2?

A SOC2 report is an audit report given to companies by an accounting firm. It seems odd that an accounting firm would be assigned the role of auditing cybersecurity, but it also makes sense. Throughout history, accounting firms have been trusted to audit one company on behalf of another to, in the simplest terms, make sure that it is doing what it claims to do. While many accountants are far from technical, SOC2 auditors are skilled at knowing what types of evidence they will need to collect specifically for the SOC2 report and have experience writing their findings in ways that cybersecurity professionals understand.

What is the process to get a SOC2?

SOC2 reports can be important to a company. Typically, a company seeks out a report because a specific customer has made the relationship contingent upon it, or because it is required to compete in their industry. The marketplace offers a variety of ways to go about getting the report itself. Some offer methods that cut corners. Others have long and detailed processes.

Our view on SOC2 is that it should be a document that summarizes the genuine cybersecurity that you have built, not a checklist that tells you how to build your cybersecurity program.

Nearly half of SOC2 requirements have little bearing on risk, threat or vulnerability at all, which can come as a shock to those who are new to cybersecurity.

SOC2 reports and the work effort to obtain them are expensive. For this reason, we always recommend to customers that they build real cybersecurity practices while they are at it.

Done correctly, a SOC2 Type 1 should take you about a fiscal quarter. Of course, companies that have an existing cyber practice can obtain one much faster. Building a quality cyber program from the ground up in 2 weeks or less is not a real thing.

The process for obtaining a SOC2 includes:

  1. Selecting an auditor: it is important to choose someone who aligns with your brand.
  2. Selecting the controls that will be audited: there are over 200 controls. No need to choose them all.
  3. Organizing the controls into a tracking tool: some prefer popular tools in the market, we use as a default.
  4. Performing a gap analysis of the evidence required: do you have it?
  5. Meeting with your auditor and showing them your evidence.
  6. Receiving the report.

The truth is that it is very easy to obtain a SOC2 Type 1 report. One does not need to have a quality cybersecurity practice to do so. That said, customers will ask for a cybersecurity questionnaire and may ask for live data in addition to your SOC2 Type 1. We find this is an area of frustration for businesses who attempt to sail through SOC2 without building a good cyber program.

A SOC2 Type 2 requires an extensive look-back period to show that the company has followed the controls in the past. Unless your company has already been following the controls you plan to test, it will be hard to obtain a SOC2 Type 2 quickly without setting up a plan and generating evidence.

Once I have a SOC2, what do I do?

A SOC2 is a fairly long document that, believe it or not, many never completely read internally or externally. That said, it is important to read your SOC2, know the controls that you have committed to, and determine how you will uphold the controls over time.

Some SOC2 controls are easy to manage, like implementing an employee handbook or having an onboarding checklist for new employees. These types of items can be tracked in your existing HR tools.

Some SOC2 controls are not easy to manage and can cover topics that are more technical in nature. The best way to go about implementing these controls is to look at the outcome you would like to gain from a risk, vulnerability and threat perspective, and to align the documentation of your SOC2 controls with genuinely achieving that outcome as well.

Our approach to implementing SOC2 is to catalog controls and map them to genuine cyber practices that a company must do to obtain cybersecurity results. We create policies and procedures that make sense for employees to follow, not templated answers that will be stored and never seen again. We also set desired outcomes to be achieved by controls.

Companies need to simplify the process of obtaining and implementing SOC2, because it can be overwhelming with a small team. Our approach outlines the projects that comprise the body of work in the SOC2 alongside cyber and privacy projects, and prioritizes tasks so they can be achieved simultaneously. By seeing the total work effort, we can start with the most urgent work and then navigate through the fundamentals.

What tools do I use to maintain my SOC2?

There are cybersecurity tools and there are compliance tools. Cybersecurity tools help you maintain SOC2 because they help you improve your risk, vulnerability and threat profile and build a cybersecurity program. These are the most valuable things you can do for your customers.

Compliance tools can make it easier to manage your SOC2 itself. Various tools deliver at various levels of their claims, but some can be helpful and save time.

Before investing in any SOC2 tools, it is best to figure out the audit firm that you would like to work with and how that brand is going to appear to your customers. While many tool providers want you to talk to them first, we start with the audit firm, learn their process and see what they recommend. Many have a process that works best for them and best practices built up from doing audits for decades.

If you're going to DIY, is a great tool for SOC2. We will place a link to our board into this article when we make our board publicly available later this fall.

To determine which cybersecurity tools will help you with your SOC2, talk to someone credible and create a strategy. Tools are expensive. A few hours of strategizing can save you more money in wasted tools than a little investment in consulting.

What are some things to avoid with SOC2?

  • Do not use templated policies and procedures. Can you imagine being handed a canned document that talks about your project direction and then acting on it? It makes no sense. Policies need to fit your business and make sense to your team. The same goes for procedures. Canned answers are fast, but you cannot really use them in any way that makes sense.
  • Don't rush it. If you cut corners to get a SOC2, your customers will ask more questions and for more documentation later when you do not have a team of experts to help you answer. Do things right while you have the help (or bring on a VCISO like us and never worry about it).
  • Don't get one if it doesn't make sense for you.  If a customer doesn't mandate a SOC2, it may not be a requirement for you. Many of our customers get by on great cybersecurity and documentation.
  • You can usually provide a Type 1 report to a customer while you work up to a Type 2. SOC2 sounds serious and scary if you are a newbie, but it is just an attestation report. It is more flexible to work through the process of both Type 1 and Type 2 reports than one would think.
  • Don't lie. Most likely, you are going to get a SOC2 so that you can close customer contracts. Nothing could be worse for a customer relationship than lying about your security program, especially if you are a company that hosts your customers' data.
  • Keep it simple. If you find yourself doing all available controls, you have made it too complicated.

Is SOC2 worth it?

While the security impact of obtaining a SOC2 is debatable, becoming SOC2 compliant is a popular thing to do. Until there is a better way for companies to share cybersecurity information and trust each other, it is going to remain mainstream and many will seek it out.