As auditors, a common question we receive almost daily is “What is SOC 2 Compliance?” And naturally, with today’s growing regulatory compliance mandates being pushed onto thousands of businesses across North America, it’s a question that’ll keep being asked. So, “What is SOC 2 Compliance?” It’s a process whereby an organization (i.e., service organization) undertakes various measures for putting in place all necessary policies, procedures, processes and related internal controls in accordance with stated AICPA Trust Services Criteria (TSP).
Here's what you need to know when asking the question, “What is SOC 2 Compliance?”
- What is the Trust Services Criteria?
- What’s the Best Way to Prepare and Begin the SOC 2 Process?
- What Else Do I Need to Know About the SOC 2 Auditing Process?
- Why Choose NDNB for SOC 2 Audits?
So, what is the Trust Services Criteria? Good question. It’s essentially a set of principles used in evaluating controls relevant to the security, availability, processing integrity, confidentiality, or privacy of a system. For a point of reference, the “Trust Services Criteria” was previously called the “Trust Services Principles and Criteria”, yet even with the slight name change, the acronym has been kept the same – TSP.
Ok, got that? So the next question is probably the following: “What are security, availability, processing integrity, confidentiality, and privacy of the system?”
If you’re new to the SOC 2 auditing framework, then the very first step any service organization should take is to perform a SOC 2 Scoping & Readiness Assessment. Why? Because you’ll need to understand important elements of the overall SOC 2 auditing process, such as the following:
Assessing Scope: Determining what business processes are to be included within the scope of a SOC 2 audit, along with personnel, physical locations to assess, relevant third-parties to include in terms of assessing controls, and more. Having this information clearly understood and identified will go a long way in ensuring the overall success of your SOC 2 audit.
Laying out a Roadmap: Once you’ve successfully completed the SOC 2 Scoping & Readiness Assessment, you’ll have a crystal-clear picture on business scope, controls requiring remediation, next steps, and final deliverables. Think about it, having clarity and a clear roadmap to follow is immensely important when it comes to SOC 2 compliance, no question about it.
Remediation is Essential: Every business undertaking a SOC 2 audit will have some type of remediation to perform, no question about it. Perhaps it’s authoring policies and procedures, or correcting security control weaknesses. Bottom line – expect some form of remediation.
Policies and Procedures are Critical: One of the more time-consuming and demanding measures of becoming SOC 2 compliant is developing all the required documentation. Specifically, information security policies and procedures are essential to being SOC 2 compliant. Here’s one thing you can definitely count on: your auditors will ask for your InfoSec policies, so be sure you have them, and that they’re complete, accurate, and truly represent your control environment.
Implement Necessary Operational Initiatives: SOC 2 compliance also requires that service organizations undertake an annual risk assessment program, a process which is much more than just having a policy document in place. To be clear, you need to actually perform a risk assessment of your in-scope environment, document the results, and provide such evidence to auditors. NDNB offers a complimentary risk management program to all of our SOC 2 clients.
Be Aware of What Auditors Request as Evidence: Here’s what you can expect a SOC 2 auditor to ask for as audit evidence:
- Screenshots of system settings
- Information security policies and procedures
- Evidence of a risk assessment performed
- Log reports
- Signed memos
- Physical inspection of a facility
Helpful Documentation: Information security policies and procedures are a big part of SOC 2 compliance, and NDNB offers complimentary policy templates to help service organizations put in place all necessary documentation. Authoring InfoSec policies can be an incredibly demanding and time-consuming process, which is why NDNB provides templates along with policy-writing services.
Fixed Fees: When we say fixed fees for the auditing process, we mean it. No hidden costs, no out-of-pocket travel expenses, and no fees for additional report preparation and delivery. With NDNB, fixed fees truly mean fixed fees. We also offer fixed-fee services for all other regulatory compliance assessment procedures, such as SOC 1 SSAE 18, PCI DSS, HIPAA, GLBA, GDPR, FISMA reporting, and much more.
Continuous Monitoring: Becoming SOC 2 compliant is a big accomplishment, so congratulations, but there’s more to be done. You now have to monitor your controls and ensure they’re operating as designed. NDNB offers continuous monitoring services for service organizations throughout North America.