A Quick And Dirty Guide To Starting SOC2
A one-page doc I previously wrote for a client, summarizing in plain English the various tactical approaches to SOC 2. It is also meant to dispel the unfortunate myth that it can be done in 2 weeks.🧙🏼‍♂️
As we all know, SOC 2 has become a constant and growing request from customers. This brief one-pager is meant to get everyone on the same page regarding SOC 2.
It’s not a small project that can be done in 2 weeks, but it’s not impossible either.
(Btw: I used SOC 2 and SOC2 interchangeably for SEO purposes, as people are searching for both. The correct form is “SOC 2”.)
What IS SOC 2?
In plain English, it’s a set of criteria for managing customer data, developed by a group of CPAs (the AICPA) for service organizations. So if you are a US-based B2B organization providing a service and holding any sort of customer data, this is a very popular set of criteria that clients and partners will judge you on. A more thorough explanation here.
SOC 2 Type I and Type II
SOC2 is broken down into two phases.
Type I is the initial phase and is a point-in-time assessment. This means that the auditor will come in, request screenshots or documents proving a particular control, and then be on their way.
Type II means that these controls have been active and running for 6 months; for example, you must prove that you have logs for the past six months. So in this case, the auditor would come six months after achieving Type I.
Approaches Towards SOC 2
There are a few ways we can approach SOC 2. I want to list them here for your review.
They are not mutually exclusive.
In all cases we have to do the work towards meeting SOC 2 requirements. This will take people’s time. In any case, we need to understand where we are with regards to SOC2, so we can understand the level of effort required to remediate all the gaps.
DIY SOC 2
This approach means we just take a spreadsheet and manually go over all the SOC 2 requirements, marking each item complete as we finish it. Screenshots and documents would have to be saved somewhere in Drive and shown to the auditor.
This is an extremely manual and laborious process.
DIY+ SOC 2 (Recommended)
We buy a tool to help us with the entire SOC 2 process. It houses the list of controls (instead of a spreadsheet), and you can assign each control to the person responsible for fixing it. They upload screenshots/evidence, and when the auditor comes, we simply give them access. On top of that, various controls can be automatically detected from cloud platforms (AWS, GCP, GitHub, etc.), which saves engineering and IT time.
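To make the "automatically detected control" idea concrete, here is an added example (not from the original post or any compliance tool) of the kind of check such a tool runs: it verifies that log retention covers the six-month Type II window described above and that dated evidence (say, monthly access reviews) has no gaps across that window. The log group names, retention values and evidence dates are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample: log groups and their retention in days
# (None means "never expire"). Names are made up for this example.
LOG_GROUPS = {
    "/app/api": 365,
    "/app/worker": 30,
    "/app/auth": None,
}

TYPE_II_WINDOW_DAYS = 180  # six months of operating evidence, per the post


def retention_gaps(log_groups, minimum_days=TYPE_II_WINDOW_DAYS):
    """Return log groups whose retention is shorter than the audit window.

    A group with retention below the window cannot produce "logs for the
    past six months" when the Type II auditor asks for them.
    """
    return sorted(name for name, days in log_groups.items()
                  if days is not None and days < minimum_days)


def evidence_coverage(evidence_dates, period_end,
                      window_days=TYPE_II_WINDOW_DAYS, max_gap_days=31):
    """Check that dated evidence exists across the whole audit window.

    Returns (ok, gaps) where gaps is a list of (start, end) date pairs
    between which no evidence was recorded for more than max_gap_days.
    The window starts at period_end - window_days; evidence outside the
    window is ignored.
    """
    start = period_end - timedelta(days=window_days)
    dates = sorted(d for d in evidence_dates if start <= d <= period_end)
    gaps = []
    prev = start
    # Walk the window boundaries and evidence dates in order, flagging any
    # stretch longer than max_gap_days with nothing in between.
    for d in dates + [period_end]:
        if (d - prev).days > max_gap_days:
            gaps.append((prev, d))
        prev = d
    return (not gaps, gaps)
```

A real tool would pull the retention settings and evidence timestamps from the cloud provider's API instead of the constructed dictionaries used here.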
Pre-Audit Assessment
We have a professional company come in and perform a pre-assessment. Many times they include this for free when we purchase the SOC2 Audit. Of course, if you have nothing done, the pre-assessment will have a LOT of gaps.
Time to Complete
SOC 2 can average from 2 to 9 months to complete. The bulk of the work is remediating company processes and technology to meet requirements. The audit itself can take just 1-2 weeks to complete.
Scope
You can choose to narrow the scope to just the new version of your product to help move the process along. This will save time and allow us to bake in security as the product is being built.
Maintaining SOC2
One thing to note is that once you attain SOC2, it will be important to maintain SOC2. This means sticking to documented processes for as long as you want to be SOC2 “compliant”1.
It’s a marathon, not a sprint.
References
Below is a curated collection of articles that go way more in depth into SOC 2.