Businesses operating in the cloud are increasingly being asked to perform annual SOC 2 audits, and other regulatory compliance assessments. As cloud adoption increases and the traditional client-server model decreases, it’s important to understand the technical and operational aspects of compliance in the cloud, particularly with SOC 2 assessments. Today’s business arena is highly complex, fiercely competitive, thus entities seeking to meet growing compliance mandates while also implementing market differentiating advantages are therefore undertaking SOC 2 audits. NDNB, one of North America’s leading providers of regulatory compliance services and solutions, offers the following critical subject matter and best practices regarding SOC 2 compliance for cloud businesses.
SOC 2 Compliance for Cloud Businesses – Important Points You Need to Know
Know What You’re Up Against: A SOC 2 assessment is officially an audit, which means businesses will need to gather evidence and provide information (i.e., screenshots, memos, system setting files, etc.) to the auditors, assign personnel roles and responsibilities during the overall audit process, and other related activities. Audits take time, they can be demanding and challenging, so it’s important to be realistic with one’s expectations on time and costs. It’s also important to know that regulatory compliance is here to stay, the “new norm” if you will, so expect annual SOC 2 reporting to be mandatory for businesses operating in the cloud.
Begin with a Scoping & Readiness Assessment: Ensuring a SOC 2 audit for businesses operating in the cloud is completed on time and within budget begins by performing a highly efficient SOC 2 scoping & readiness assessment. When properly performed, such an engagement identifies and confirms critical scoping parameters, such as the actual audit boundaries, business processes to be assessed, internal personnel involved, and so much more. A SOC 2 scoping & readiness assessment also identifies areas of remediation and steps to take for correcting control deficiencies, along with agreeing on milestones for completion of such tasks.
Additionally, a scoping & readiness assessment also helps in identifying which of the five (5) Trust Services Principles (TSP) are to be included within the scope of the SOC 2 audit. The five TSP’s are as follows: 1. Security. 2. Availability. 3. Confidentiality. 4. Processing Integrity, and 5. Privacy. All five of the TSP’s and their corresponding Common Criteria (CC) are similar in they assess a specific set of controls, yet there also fundamentally different in regards to the subject matter being assessed. A good rule of thumb for which TSP’s to assess against for businesses operating the cloud is to include the Security and Availability as a starting point. Simply stated, if you’re seeking to create efficiencies and a successful SOC 2 audit, then it’s imperative to begin with a scoping & readiness assessment.
Remediate Technical Issues: If you look at the actual content of a SOC 2 audit, it consists of a healthy mix of operational, technical and security requirements for an information system. Together, the Trust Services Principles (TSP) and related Common Criteria (CC) test a wide-range of internal controls within a service organization, with many of these controls requiring remediation prior to the commencement of the actual audit.
Leverage Cloud Service Provider (CSP) Compliance Reporting: Many of today’s noted cloud service providers – such as Amazon AWS and Microsoft Azure – have undertaken massive compliance reporting projects that include a dizzying array of reports. From SOC 1 to SOC 2, PCI DSS compliance – and more – there’s no shortage of documentation that can be leveraged to help assist with your organization’s own compliance needs.
Are you a cloud computing, SaaS, PaaS or IaaS provider and need to perform annual SOC 2 compliance audits & assessments for your clients for ensuring security best practices are being met and adhered to? If so, then take note of the following SOC 2 checklist for compliance for cloud computing & SaaS providers and vendors, courtesy of NDNB Accountants & Consultants, LLP (NDNB), North America’s leading provider of SSAE 16 SOC 1, SOC 2, HIPAA, and PCI DSS assessments:
1. Understand What SOC 2 is and what it isn’t. SOC 2 is NOT an ISO 27000 series audit, nor is it an ITIL assessment, or some other misconceived notion. Rather, the SOC 2 assessment consists of the Trust Services Principles (TSP) framework for evaluating a service organization’s internal controls against the prescribed set of “Common Criteria” found within the actual TSP’s. Thus, SOC 2 assessments cover a wide-range of controls when being assessed, such as operational, technical, and information security controls. Because of this, the SOC 2 framework also allows for a high degrees of customization, even to the point of including other frameworks to be assessed on (more on this in points 3 and 4).
2. Know the differences between SSAE 16 SOC 1 and SOC 2. Cloud computing & SaaS providers and vendors should generally not be performing SSAE 16 SOC 1 assessments as such reporting is restricted to service organizations performing services that could impact their clients’ financials. The SOC 2 standard is highly geared towards technology companies, and also allows for the incorporation of other frameworks into the SOC 2 report itself. While we still see many technology companies performing annual SSAE 16 SOC 1 compliance – the likes of data centers, managed services vendors, and others – this is changing, with more and more businesses opting for SOC 2 compliance, and rightfully so.