SOC 2 Audit Checklist for Amazon AWS Environments
Use our SOC 2 audit checklist if you’re using Amazon’s AWS cloud services and need to become SOC 2 compliant each year. With the migration to the cloud happening at record pace, tens of thousands of businesses are now being required to become SOC 2 compliant each year, and NDNB offers a proven process that’s efficient and comprehensive. Here’s what you need to know – and what you need to do – for ensuring your SOC 2 audit is a success.
1. Begin with a SOC 2 Scoping & Readiness Assessment: Understanding scope and which business processes are to be included within your SOC 2 audit is essential, and it also helps mitigate scope creep. Because you’re hosting your services (i.e., your production environment) in AWS, there are a number of benefits to be had with your SOC 2 audit. First, a large number of the physical security controls are covered by AWS itself, as its private data centers store your virtual server instances.
Second, AWS has a fair number of audit, compliance, and control tools and solutions that are easy to “spin up” in any environment, further helping alleviate compliance reporting requirements (more on this in point #3 below).
2. Leverage AWS’ SOC Reports for Scope Reduction: The CPA firm you hired to perform your SOC 2 audit will ask you to obtain a copy of AWS’ most current SOC 2 report, and for a very obvious reason – scope reduction. A large number of the controls you’ll need for SOC 2 compliance are actually covered by AWS’ report. From physical and environmental controls – and more – leveraging AWS’ SOC 2 report is a must. Scope reduction = price reduction, something a well-versed SOC 2 auditor can explain to you. To learn more, contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today.
3. Identify and Utilize AWS’s Security and Compliance Tools: Familiar with CloudWatch and CloudTrail? CloudWatch Logs reports on application logs, while CloudTrail logs specific information on what occurred in your AWS account. These are just a few examples of the many tools that AWS has available for your growing security, governance, and regulatory compliance needs.
Visit https://aws.amazon.com/products/security/ and you’ll find a laundry list of tools and solutions for helping meet growing regulatory compliance needs for not only SOC 2, but HIPAA, HITRUST, GDPR, PCI DSS, FISMA, and much more. Here is a sneak peek at the many tools available from AWS for helping with growing regulatory compliance needs:
- AWS Artifact. The AWS Artifact portal provides on-demand access to AWS' security and compliance documents, also known as audit artifacts.
- AWS Certificate Manager. AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
- AWS CloudHSM. The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud.
- Amazon Cognito. Amazon Cognito lets you add user sign-up/sign-in and access control to your web and mobile apps quickly and easily.
- AWS Identity and Access Management (IAM). Use AWS Identity and Access Management (IAM) to control users' access to AWS services. Create and manage users and groups, and grant or deny access.
There are many more tools available from AWS when it comes to security & compliance, so use them as needed. They’ll make life in the cloud a more efficient process, and they’ll make your SOC 2 audit much easier. To learn more about SOC 2 services for AWS users (and also Microsoft Azure and Google GCP), contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today.
4. Implement the Tools! Sounds straightforward, but we’ll have to politely remind you that just knowing that such tools are available is not enough; you need to put them to good use, as auditors will want to see evidence of such. If you’re not familiar with AWS in terms of their toolsets and offerings for regulatory compliance, then it’s important to find an expert who truly knows AWS security & compliance inside and out. We do, so contact us today to learn more about our AWS services.
5. Develop AWS Information Security Policies and Procedures: One of the most demanding and time-consuming aspects of becoming SOC 2 compliant is developing all the required information security policies and procedures. Specifically, SOC 2 is heavy on documentation, and you’ll need to put in place robust, well-written InfoSec policies. More importantly, these policies need to be written specifically for your environment within AWS.
That can take time, but NDNB has policy templates that can save you hundreds of hours and thousands of dollars. Here’s just a small sample of policy documents you’ll need for becoming SOC 2 compliant: Access control, data backup, incident response, data retention and disposal, security and patch management – and many more.
We have literally hundreds of pages of industry leading policies and procedures for helping customers save thousands of dollars and hundreds of hours on AWS policy development. It’s just another reason why companies turn to NDNB when in need of a SOC 2 audit report for their cloud environment. After all, who wants to spend endless hours authoring policies and procedures – surely, not you – so use our industry leading InfoSec templates today.
6. Perform Essential Operational Initiatives: Four (4) key operational initiatives that you MUST perform for SOC 2 compliance consist of the following: (1) Perform an annual risk assessment. (2) Test your incident response plan annually. (3) Implement security awareness training. (4) Conduct regularly scheduled vulnerability scans. These are much more than policy documents – rather, these measures must be put in place and acted upon. NDNB offers comprehensive documentation for meeting the needs of businesses using AWS, so contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today.
7. Obtain a Multi-Year, Fixed-Fee: The key to a long and successful marriage in the world of regulatory compliance is to find and work with a CPA firm that has years of experience with AWS and offers fixed-fee pricing for their work. That’s NDNB, so contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today.
8. Let the Audit Begin: Auditors have a special way of doing things; it’s how they’re wired! So, keep some things in mind when beginning the official phases of the audit. First, auditors will be asking for a large number of deliverables. Specifically, they’ll be requesting documentation (i.e., policies and procedures), evidence of various system settings (this will come in the form of screenshots), and evidence of operational measures undertaken, such as security awareness training, risk assessments, and more. It’s therefore critical to respond to any and all requests that come your way. In short, be transparent with your auditors.
NDNB. SOC 2 Experts for Users of Amazon AWS
The great cloud rush is on. Businesses are migrating to Amazon AWS in massive numbers as they seek all the benefits of cloud computing. Yet they’re also facing growing security and compliance reporting – such as SOC 2, PCI DSS, and much more. NDNB has years of proven expertise in helping businesses become SOC 2 compliant. We know AWS inside and out, which means you’ll have an efficient and productive audit process from day one. To learn more about NDNB’s SOC 2 services for users of AWS’ platform, contact CPA Christopher Nickell at 1-800-277-5415, ext. 706 today.