Q: How to be SOC 2 Compliant?

Answer: Need to be SOC 2 compliant? Here is what you need to know about the growing need for businesses all throughout North America seeking to become SOC 2 compliant, courtesy of NDB, one of the country’s leading providers of SOC 1 and SOC 2 audit & assessment reports.

6 Easy Steps in Becoming SOC 2 Compliant

1. Choose an Experienced CPA Firm. There are a number of well-qualified CPA firms all throughout the country that specialize in SOC 2 compliance, so you should not have any problem obtaining multiple proposals from experienced firms. Note: If your production environment is in the cloud with Amazon AWS, Microsoft Azure, or even Google GCP, then it’s important to choose a firm with cloud auditing expertise.

2. Understand the Basics of SOC 2 Compliance. So, what is SOC 2? Is it an audit? A certification? A process? There’s quite a bit of miscommunication regarding what SOC 2 is and what it isn’t. With that said, let’s clear the air and give you the basics of SOC 2. Here’s what you need to know: (1). SOC 2 is a control framework developed by the American Institute of Certified Public Accountants. (2). Achieving SOC 2 compliance does not result in a certificate being issue. (3). SOC 2 is generally an annual requirement.

3. Begin with a SOC 2 Scoping & Readiness Assessment. One of the most fundamentally important measures any organization can undertake for SOC 2 compliance is to begin the process with a much-needed SOC 2 Scoping & Readiness Assessment. When performed by an experienced, seasoned auditors, the benefits of such an assessment are meaningful.

Specifically, a SOC 2 Scoping & Readiness Assessment helps determine the actual scope of the audit, controls requiring remediation, expectations of personnel involved in the overall audit process, and much more. To learn more, contact CPA Christopher Nickell at This email address is being protected from spambots. You need JavaScript enabled to view it. or at 1-800-277-5415, ext. 706 today.

4. Remediate all Gaps & Deficiencies. Every service organization undertaking SOC 2 compliance will have gaps and areas to remediate, no question about it, and that’s because no one really has a picture perfect control environment (and that’s ok!). From a remediation perspective, two important measures come into mind. First and foremost, remediating missing documentation is often the most time time-consuming gap to correct.

More specifically, we’re talking about missing information security policies and procedures, which is a big part of SOC 2 compliance. NDB can help on this front as we offer all of our valued clients a complimentary SOC 2 Policy Packet containing dozens of templates and hundreds of pages of well-written InfoSec templates. It’s just another reason why clients choose NDB.

The next area that often requires remediation are controls relating to technical/security issues. For example, perhaps password complexity rules are not strong enough, servers are not hardened in accordance with industry standards, or firewall rule sets are not written correctly. This often requires internal personnel to make such changes, but NDB can assist also.

Lastly, there are operational remediation items, such as performing a risk assessment, conducting security awareness training, testing one’s incident response plan, along with other measures. NDB can assist with these requirements also.

5. Do an Audit “Dry Run”. Prior to the auditors performing the actual SOC 2 audit, it’s essential that businesses do a “dry run” audit. This helps ensure that no gaps or areas of remediation still need to be addressed. You want to have controls functioning properly prior to the auditors coming onsite.

6. Understand the Types of Audit Evidence you Need to Provide. Keep in mind that auditors have to collect audit evidence – after all – that’s why it’s called an audit! With that said, the following types of evidence are what auditors will be looking for: (1). Documentation – policies and procedures. (2). System Settings Screenshots – password rules, firewall configuration rules, log data, etc. (3). Signed memorandums – if something cannot be provided via a document or a system setting, then auditors generally ask for a signed memorandum from management.

NDB. North America’s SOC 2 Leaders. Fixed Fees

NDB has issued over 1,000 SOC 1 and SOC 2 reports over the last decade. We know the AICPA SOC framework inside and out. Contact CPA Christopher Nickell at This email address is being protected from spambots. You need JavaScript enabled to view it. or at 1-800-277-5415, ext. 706 today.