You got your SOC2 Type 1 or Type 2 and now you are the owner of a brand new, beautiful... piece of paper. Obtaining a SOC2 does not do much for your company if you do not implement the controls you have committed to into your organization. Worse, since it is an attestation of your cyber program to stakeholders, including customers, you can be out of legal compliance with your agreements if you implement your SOC2 incorrectly.
A SOC2 report is an audit report given to companies by an accounting firm. It seems odd that an accounting firm would be assigned the role of auditing cybersecurity, but it also makes sense. Throughout history, accounting firms have been trusted to audit one company on behalf of the other to, in the simplest terms, make sure that they are doing what they claim to do. While many accountants are far from technical, SOC2 auditors are skilled at knowing what types of evidence they will need to collect specifically for the SOC2 report and have experience writing their findings in ways that cybersecurity professionals understand.
SOC2 reports can be important to a company. Typically, they seek out a report because a specific customer has made the relationship contingent upon the report, or because it is required to compete in their industry. The marketplace offers a variety of ways to go about getting the report itself. Some offer methods that cut corners. Others have long and detailed processes.
Our view on SOC2 is that it should be a document that summarizes the genuine cybersecurity that you have built, not a checklist that tells you how to build your cybersecurity program.
Nearly half of SOC2 requirements have little bearing on risk, threat or vulnerability at all, which can come as a shock to those who are new to cybersecurity.
SOC2 reports and the work effort to obtain them are expensive. For this reason, we always recommend to customers that they build real cybersecurity practices while they are at it.
Done correctly, a SOC2 Type 1should take you about a fiscal quarter. Of course, companies that have an existing cyber practice can obtain one much faster. Building a quality cyber program from the ground up in 2 weeks or less is not a real thing.
The process for obtaining a SOC2 includes:
The truth is that it is very easy to obtain a SOC2 Type-1 report. One does not need to have a quality cybersecurity practice to do so. That said, customers will ask for a cybersecurity questionnaire and may ask for live data in addition to your SOC2 Type 1. We find this is an area of frustration for businesses who attempt to sail through SOC2 without building a good cyber program.
A SOC2 Type 2 requires an extensive look back period to show that the company had followed the controls in the past. Unless your company has been following the controls you plan to test, it will be hard to obtain a SOC2-Type 2 quickly without setting up a plan and generating evidence.
A SOC2 is a fairly long document that, believe it or not, many never completely read internally or externally. That said, it is important to read your SOC2, know the controls that you have committed to, and determine how you will uphold the controls over time.
Some SOC2 controls are easy to manage, like implementing an employee handbook or having an onboarding checklist for new employees. These types of items can be tracked in your existing HR tools.
Some SOC2 controls are not easy to manage and can cover topics that are more technical in nature. The best way to go about implementing these controls are to look at the outcome that you would like to gain from a risk, vulnerability and threat perspective and align documenting your SOC2 controls to genuinely succeeding on those variables as well.
Our approach to implementing SOC2 is to catalog controls and map them to genuine cyber practices that a company must do to obtain cybersecurity results. We create policies and procedures that make sense for employees to follow, not templated answers that will be stored and never seen again. We also set desired outcomes to be achieved by controls.
Companies simplify the process of obtaining and implementing SOC2 because it can be overwhelming with a small team. Our approach outlines projects that comprise the body of work in the SOC2 alongside cyber and privacy projects and prioritize tasks to achieve them simultaneously. By seeing the total work effort, we can start with the most urgent work and then navigate through fundamentals.
There are cybersecurity tools and there. are compliance tools. Cybersecurity tools help you maintain SOC2 because they help you to improve your risk, vulnerability, threat profile and to build a cybersecurity program. These are the most valuable things you can do for your customers.
Compliance tools can make it easier to manage your SOC2 itself. Various tools deliver at various levels of their claims, but some can be helpful and save time.
Before investing in any SOC2 tools, it is best to figure out the audit firm that you would like to work with and how that brand is going to appear to your customers. While many tool providers want you to talk to them first, we start with the audit firm, learn their process and see what they recommend. Many have a process that works best and they have best practices from doing audits for decades.
If you're going to DIY, Monday.com is a great tool for SOC2. We will place a link to our Monday.com board into this article when we will make our board publicly available later this fall.
To determine which cybersecurity tools will help you with your SOC2, talk to someone credible and create a strategy. Tools are expensive. A few hours of strategizing can save you more money in wasted tools than a little investment in consulting.
While there is debatable security impact from obtaining a SOC2, becoming SOC2 compliant is a popular thing to do. Until there is a better way for companies to share cybersecurity information and trust each other, it is going to remain mainstream and many will seek it out.