Blog

Video | 11 Steps to Achieve SOC 2 Compliance

July 22, 2020

Are you looking to start your SOC 2 Audit for this year? Here is a video that will guide you through your first SOC 2 audit using 11 steps. 

Overview

Your customers have probably asked for your SOC 2 report, or it may be required to seal the deal on a new customer or contract. If you spend a lot of time answering security related questionnaires, not having a SOC 2 audit report is costing you money. Chances are if you don’t have a SOC 2 report you are going to be leaving some money on the table at one time or another.

SOC 2, or "Systems and Organization Controls" (formerly "Service Organization Controls"), reports on information systems and organizational governance controls related to security and one of more of the following categories, availability, processing integrity, confidentiality, or privacy. Compliance with SOC 2 is NOT a pass/fail exam. It simply means that you have gone through an audit and published a report on compliance with the Trust Services Criteria, which is the American Institute of Certified Public Accountants (AICPA) SOC 2 requirements standard. The SOC 2 audit is conducted by an AICPA certified audit firm and it comes in two types: Type 1, a point in time, and Type 2, which is assessed over a period of time. You start with a SOC 2 Type 1 audit and then progress to SOC 2 Type 2.

The audit is the easy part. The challenge is understanding and articulating your security controls and governance program in a way that maintains security and continuously improves its rigor year over year, but most importantly, convincing the auditor you do that.

It is highly advisable that you engage with a company like Truvantis as a trusted advisor to get you ready for your audit. In fact, most of the AICPA auditors worth their salt will recommend that you partner with a third-party security advisory firm. You’re busy with the business of running your business, so you just don’t have the time. More importantly the auditor cannot help you prepare otherwise they would be grading their own homework, which is not allowed.

There are 11 steps to get through your first SOC 2 audit:

  1. Select a trusted security advisor like Truvantis who can work with you to achieve SOC 2 audit readiness and get you a favorable report
  2. Choose an AICPA auditor. We have associates who we work with and are guaranteed to be high quality, cost-effective solution partners 
  3. Define your SOC 2 scope and select reporting categories
  4. Perform a Gap Analysis – The Truvantis advisor will determine and understand the delta from your current state to where you need to be on audit day.
  5. Build (or rebuild) your security program governance documents, including procedures
  6. Conduct an Information Security Risk Assessment
  7. Define and implement controls for any control gaps
  8. Write a narrative description of all the controls relative to your security program
  9. Train staff and prepare for the audit by holding mock audit
  10. Manage the auditor on audit day. Monitor their process and challenge the controls they ask about
  11. Dispute unfavorable report language. Don’t just accept what they give you the first time. Discuss the language with them for them to cast you in the best light possible.

The output and work products of the SOC 2 audit from the AICPA auditor are two things, a SOC 2 Type 1 report expressing the auditor’s opinion on the architecture and implementation of the required controls, and a letter to management that details any remaining deficiencies you have. The goals in the project engagement for you and Truvantis are to end up with a favorable SOC 2 report and a minimal letter to management.

It takes LOTS of work to build a security governance program, and that’s time that you don’t have. Don’t you want to do it once and do it right the first time?

Truvantis speaks the language of the auditor and knows how to get the very best results and a favorable SOC 2 audit report. 

SOC 2 can accelerate growth by removing security as a blocker in the sales cycle so you can get back to talking about value. It can take a long time if you do it internally, but an advisor can accelerate the process to get your sales team back to selling and your R&D team back to doing what you hired them for - developing an awesome solution.

 

To save you some time and do it right on your first time, speak to Truvantis senior professionals who have been through hundreds of SOC 2 engagements. If you’re interested in learning more about SOC 2 check out the rest of our SOC 2 related blogs below.

Related Articles By Topic

SOC2 CISO vCISO Security Program

Contact Us
Schedule a Free consultation to discuss your road-map to SOC2 Compliance
Schedule a call
Contact Us

Recent Articles

Truvantis - Cybersecurity Maturity - One Size Does Not Fit All
PCI DSS, CIS Controls, Security Program, Privacy, ISO27001
Cybersecurity Maturity - One Size Does Not Fit All – Rick Folkerts

It's common knowledge that enterprise organizations need effective security, privacy and compliance programs to survive and grow. There are a handful of generic best practices but beyond that, cybersecurity programs must be tailored to...

Read more
The Silver Bullet Defense to Ransomware – by Andy Cottrell
Ransomware
The Silver Bullet Defense to Ransomware – by Andy Cottrell

In an era of cost-cutting, downsizing and generally insufficient budgets for everything, we are often asked, what is the one, main thing to do to protect against a ransomware attack? According to Statista, in 2022, there were 493.33 mi...

Read more
Cryptographic Agility – by Jeff Hall (the ’PCI Guru’)
Security Program
Cryptographic Agility – by Jeff Hall (the ’PCI Guru’)

With the advent of quantum computing, a new threat has been added to the information security mix. The threat is today’s secure cryptography may not be secure once quantum computers reach their potential. The threat to cryptography has...

Read more

info@truvantis.com

+1 (415) 422-9844

    © 2022 Truvantis, Inc All Rights Reserved.

    Privacy Policy    Terms of Service