
Summary

When you’ve scheduled your SOC 2 testing, you are well on your way to demonstrating the trustworthiness of your company. However, scheduling your on-site test is not the end of your preparation. There are a number of additional steps along the way. Not sure what your timeline is or what to expect? Read on to learn more about each stage of the process:


Why You Need SOC 2 Audits

First, it’s important to understand what SOC is and why it is valuable. SOC is an abbreviation for “system and organization controls.” These controls are a collection of standards that provide insight into how well a specific organization handles sensitive data. Special attention is paid to the information entrusted to you by customers and third-party vendors.

An organization that has earned SOC certification has been audited by an independent organization. During the audit, an independent certified public accountant will work with your organization to complete several tasks, including a readiness assessment, an analysis of your risk management, the appropriate SOC guardrails, and attestation standards that fit those of the American Institute of Certified Public Accountants. The steps involved are detailed below.

Quantifying Your Risk

The kickoff of a SOC 2 audit involves quantifying the business revenue that is at risk. There are a number of methodologies that can be used to accurately quantify your financial risk. During the kickoff, you and your audit partner will also establish how critical your preparation tasks are and set up expectations for the rest of your preparation.

Next Up: Gap Analysis

The gap analysis stage typically takes anywhere from two to four weeks. This is a stage where the assistance of a third-party service auditor like I.S. Partners is especially valuable.

During gap analysis, your auditor will assess your current environment and how it compares to SOC 2 requirements. How well does your organization fit SOC’s trust service principles?

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Some SOC audit procedures can be performed remotely. Others will require an on-site appointment. Procedures that fall into the latter group include environmental and physical security functions.

At the end of this analysis, you and your auditor will have identified the areas where you can improve to serve customers’ privacy needs better and to earn SOC certification. Common issues often identified in this phase can include:

  • A need for core policies that define how your organization protects internal and customer data.
  • A need for consistent employee background checks.
  • A need to adjust or create employment agreements that emphasize security needs.
  • A need for a password complexity policy that meets the latest best practice recommendations.

There may also be key trust service principles that are specific to your business and industry. For instance, if you are working in the e-commerce sector, you will need to add processing integrity to your SOC audit.

On to Remediation

Once the gap analysis and readiness assessment are completed, you’ll start your first remediation period. This can last anywhere from two to nine months. The length of remediation will depend on what you discover during the gap analysis and what resources are available to seal up the gaps.

This is the part of the process where teams will feel the impact of the changes that SOC 2 requires. It is not uncommon to make new hires to meet requirements. You may also change your software development process to align with security needs.

After this remediation period, another assessment will be performed. There may also be a second remediation period based on your auditor’s findings at this time.

The Information Request List

In the time before your SOC audit, you’ll receive a list of all of the documentation you will be expected to deliver as part of the process.

This list will also highlight what you are currently missing. Most enterprises go into the process with a number of gaps. Giving yourself time to address them will ensure a higher level of success. Some of the most common gaps include:

  • A full asset inventory, as well as the process that keeps your inventory updated and accurate.
  • Human resources documentation that includes procedures for evaluating employee performance, as well as a meta-document that outlines how and when these evaluations are distributed to the applicable managers.
  • Controls and checklists for employee onboarding.
  • A formal process for employee termination or change from one position in the company to another.
  • Core policies, including standard operating procedures and an information security policy.
  • Key security controls for your customer data.

Your request list may also include items that do not apply to your specific business. Explain to your auditor which items don’t belong and the reasons why. In some cases, your auditor may not agree with you and will explain why certain items that are not currently in your procedures are important.

Getting Together Your Documentation

This stage involves a large quantity of documentation. Make sure you have someone tasked with coordinating it all so that every relevant department knows what is expected of them and when. All of the information should be pulled together in a central repository so that it is easily available to your auditor.

Summing Up

The process of getting ready for your SOC 2 certification is a long one. It is important to have the right help along the way. By understanding what is required of you, as well as understanding the scope of the time and effort involved, you can make your certification process go more smoothly.

Looking for expert help? I.S. Partners has assisted organizations in a range of industries. Call us at 215-675-1400, or send us a message to learn more!
