The SOC 2 requirements for many businesses today include reporting on a large number of operational and information security policies, procedures, and processes within one's organization. Today's growing compliance mandates are forcing many technology-oriented service organizations to become SOC 2 compliant on an annual basis. With that said, it's vitally important to learn about essential topics regarding SOC 2, such as the following five things every service organization needs to know:
1. Learn about the five (5) Trust Services Principles (TSP). What are the Trust Services Principles? They are a set of criteria-based provisions that form the core of the SOC 2 requirements, and they consist of the following:
- Security: That the system is protected against unauthorized access, both physically and logically.
- Availability: That the system is available for operation and use as committed or agreed.
- Processing Integrity: That system processing is complete, accurate, timely, and authorized.
- Confidentiality: That the information held by an organization is securely protected.
- Privacy: That personal information is protected.
Simply stated, the TSPs require that organizations have documented information security and operational policies, procedures, and processes in place for ensuring compliance.
2. You'll need policies and procedures. As just stated, one of the biggest – often the very biggest – SOC 2 requirements for service organizations is having documented policies and procedures in place, specifically information security and operational policies. Developing such material can be time-consuming and laborious, which is why NDNB recommends obtaining high-quality templates, which can be downloaded from myinformationsecuritypolicy.com.
3. Determine which of the TSPs to use. An important consideration for SOC 2 reporting is determining which of the five (5) Trust Services Principles to include within the audit scope – one, two, all of them? The best advice we can give is to communicate with the intended users of the report, asking them which specific security controls they are seeking to have examined. Additionally, talk to the CPA firm that you've hired to conduct the SOC 2 assessment, as they'll also provide expert advice on scope. With that said, based on current market demands, it's a good idea to include the two (2) most common – and widely recognized – TSPs in your audit scope, and those are "security" and "availability". Why? Because these two (2) TSPs can essentially account for all the baseline security controls that interested parties are seeking to learn more about from your organization. If you need to add any of the other three (3) TSPs because of specific client demands, you can do so, but at least start off with "security" and "availability".
4. It's an annual requirement. Welcome to the world of regulatory compliance, where undertaking an initial SOC 2 assessment is just the beginning. Why? Because clients will come to expect and demand reporting once a year, which makes it critically important to work with a firm that is flexible about your reporting needs and can offer sensible pricing.
5. Obtain a fixed fee for SOC 2 compliance. SOC 2 pricing can vary greatly between different CPA firms; therefore, it's important to obtain a fixed fee for the entire engagement. This means getting a quote that details the exact cost of the engagement, from beginning to end, with no hidden costs.