With cloud-hosted applications proliferating, SOC 2 compliance is fast becoming a must-have security benchmark for SaaS firms. Getting SOC 2 compliant is therefore less a question of why than of when.
So, if SOC 2 is on your mind, here’s a handy SOC 2 compliance checklist to plan and prepare for a successful compliance journey.
SOC 2 Compliance Checklist
A SOC 2 compliance checklist should give step-by-step guidance on how to meet the many requirements of the framework. Based on our experience of having helped hundreds of businesses become SOC 2 compliant, here is a SOC 2 compliance checklist for your reference:
1. Choose your Objectives
The first action item on the SOC 2 compliance checklist is to determine the purpose of the SOC 2 report. Your specific reasons for pursuing SOC 2 become the goals and objectives of your compliance journey.
Here are some examples:
- Your customers have asked for it
- You are entering a new geography, and SOC 2 compliance will add to your strength
- You want to bolster your organization’s security posture to avoid data breaches and the financial and reputation damage that comes with it
That said, putting off SOC 2 because customers aren’t asking for it yet, or because none of your competitors has it, isn’t advisable. It’s never too early to get compliant, and it’s always an advantage to be proactive about your information security.
2. Identify the type of SOC 2 report you need
A SOC 2 report comes in two types, Type 1 and Type 2. Which one you need depends on what your customers require of you and the timelines you are ready to work with.
A SOC 2 Type 1 report affirms that your controls are suitably designed and in place at a single point in time (a snapshot). A Type 2 report goes further and confirms that those controls actually operated effectively over a period of time; Type 2 is the report most customers will eventually expect.
For instance, choose SOC 2 Type 1 if you are starting your compliance journey, or are pressed for time and need to show compliance intent to prospects or customers. Choose SOC 2 Type 2 if you are already compliant with other frameworks, have completed your SOC 2 Type 1 and the subsequent observation period (typically three to twelve months), or if your customers have specifically asked for it. The level of detail your customers require about your information security controls will also determine the type of report you need; a Type 2 report is more insightful than a Type 1.
3. Define the Scope of your Audit
Defining the scope of your audit is crucial: it demonstrates to the auditor that you understand your own data security requirements, and it streamlines the process by excluding criteria that don’t apply to you.
You define the scope of your audit by selecting the Trust Services Criteria (TSC) that apply to your business, based on the type of data you store or transmit. Security is mandatory in every SOC 2 report; the other four criteria (Availability, Confidentiality, Processing Integrity and Privacy) are optional. Regulatory requirements will also have a bearing on your selection. That said, in our experience, most SaaS businesses only need Security plus Availability and/or Confidentiality in their SOC 2 journey.
Here are some examples of how you can define your scope:
- Choose Availability if your customers have concerns about downtime.
- Choose Confidentiality if you store sensitive information protected by non-disclosure agreements (NDAs) or if your customers have specific requirements about confidentiality.
- Include Processing Integrity if you execute critical customer operations such as financial processing, payroll services, and tax processing, to name a few.
- Include Privacy if you collect, store or process personal information (PII) such as healthcare data, dates of birth, and social security numbers.
Conversely, leaving a relevant TSC out of your SOC 2 scope is a mistake. Such an oversight could significantly add to your cybersecurity risk and potentially snowball into substantial business risk.
A SOC 2 audit looks at your infrastructure, data, people, risk management policies, and software, among other things. So, at this stage, you must also determine which systems and people within those categories are in scope. For instance, you can keep non-production assets out of scope, provided they are genuinely segregated from production and hold no customer data; otherwise the auditor will rightly question the boundary.
4. Conduct an Internal Risk Assessment
Risk assessment and mitigation are crucial in your SOC 2 compliance journey. You must identify the risks arising from growth, location, or gaps in infosec best practice, and document the threats and vulnerabilities behind each of them. You should then assign a likelihood and impact to each identified risk and deploy measures (controls) to mitigate them, as the SOC 2 checklist requires.
Here are some questions to help you in this process:
- Have you identified the potential threats to your business?
- Can you identify your critical systems based on the risks identified?
- Have you analyzed the significance of the risks associated with each threat?
- What are your mitigation strategies for those risks?
Any lapses, oversights or misses in assessing risks at this stage could add significantly to your vulnerabilities. For instance, failing to assess the risk of a specific production asset (such as the endpoint of an employee on extended leave), or failing to include consultants and contract workers (who are not employees) in the assessment, could leave a gaping hole in your risk matrix.
5. Perform Gap Analysis and Remediation
At this stage, examine your procedures and practices and compare their compliance posture with SOC 2 requirements and best practices. Doing this will show you which policies, procedures, and controls your business already has in place and operationalized, and how they measure up against SOC 2 requirements. Remediate the gaps with improved or new controls, as applicable. This may include modifying workflows, introducing employee training modules, and creating new control documentation, among other things. The risk ratings from the previous step will help you prioritize the remediation.
Here are some questions to point you in the direction:
- Do you have a defined organizational structure?
- Have you authorized specific employees to develop and implement policies and procedures?
- What are your background screening procedures?
- Do your clients and employees understand their role in using your system or service?
- Are your software, hardware, and infrastructure updated regularly?
Remember, a SOC 2 audit requires you to produce evidence for the processes, policies and systems you have put in place. Evidence can be your information security processes and procedures, screenshots, log reports, and signed memos, to name a few. Controls you cannot evidence will be flagged as exceptions by the auditor, and you don’t want that!
6. Implement Stage-appropriate Controls
Based on the TSC chosen, align and deploy controls to demonstrate how your organization meets SOC 2. To put it in perspective, the five TSC together comprise 61 individual criteria, with the Security criteria (the common criteria) applying to every report. You will, therefore, need to deploy internal controls for each individual criterion under your selected TSC, through policies that establish what is expected and procedures that put those policies into action.
Know that the controls you implement must be stage-appropriate: the controls required for a large enterprise such as Google differ starkly from those needed by a startup. SOC 2 criteria, to that extent, are fairly broad and open to interpretation.
For instance, one organization may address a logical-access criterion with multi-factor authentication, another with network segmentation and firewalls, and a third with both. What matters is that the control you choose genuinely addresses the criterion and that you can evidence it operating.
7. Undergo Readiness Assessment
Undertake a readiness assessment with an independent auditor to see if you meet the minimum SOC 2 checklist requirements to undergo a full audit.
Here are your focus areas for the assessment:
Client cooperation – You, as the auditor’s client, work through a guided assessment to create a profile of your activities and scope.
Gap analysis – It aims to detect vulnerabilities and gaps and generate a list of specific recommendations and actions. It takes around 2-4 weeks from start to finish.
Controls matrix – It lists the objectives map, internal controls identification, and control characteristics.
Auditor documentation – It involves drafting the request list for auditors and testing procedures.
Based on the auditor’s findings, remediate the gaps by remapping some controls or implementing new ones. Even though, technically, no business ‘fails’ a SOC 2 audit (the auditor issues an opinion and lists exceptions rather than a pass/fail grade), you must correct discrepancies to ensure you receive a clean report.
8. SOC 2 Audit
Engage an independent, licensed CPA firm to perform your SOC 2 audit and issue the report; under AICPA attestation standards, only CPAs can issue a SOC 2 report. While SOC 2 compliance costs can be a significant factor, choose an auditor with established credentials and experience auditing businesses like yours.
Expect a long back-and-forth with the auditor in your Type 2 audit as you answer their questions, provide evidence, and discover non-conformities. Typically, a SOC 2 Type 2 audit may take between two weeks and six months, depending on the volume of corrections or questions the auditor raises. A Type 2 report covers an observation period, typically three to twelve months, and therefore offers much deeper insight into your organization’s controls and their effectiveness.
Here are some questions the auditor may ask:
- Can you share evidence that all your employees (and contractors) undergo background verification before they are granted access?
- Can you show proof that changes to your code repositories are peer-reviewed before they are merged?
- Can you demonstrate with evidence that access to email, databases and other systems is removed once an employee leaves your organization?
- Can you share proof of how you maintain endpoint security on all systems (for example, reports from your MDM)?
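The peer-review question above is one where screenshots age badly; a script that audits every merged pull request and lists the exceptions is better evidence. The following is an added example, not code from the original checklist or from any vendor: it applies three checks an auditor typically asks about (an approval from someone other than the author, an approval that post-dates the newest commit, and no unresolved change request at merge time). The data model and the sample pull requests are constructed for the example; a real run would populate them from your source-control API.

```python
"""Added example: evidence that merged code was peer-reviewed.

The PullRequest/Review model and SAMPLE_PRS below are constructed for this
example; populate them from your source-control system's API in practice."""

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Review:
    reviewer: str
    state: str                 # "APPROVED", "CHANGES_REQUESTED" or "COMMENTED"
    submitted_at: datetime


@dataclass
class PullRequest:
    number: int
    author: str
    merged_by: str
    merged_at: datetime
    last_commit_at: datetime   # when the newest commit in the PR was pushed
    reviews: list = field(default_factory=list)


def check_pull_request(pr: PullRequest) -> list:
    """Return the control exceptions for one merged PR (empty list = clean)."""
    problems = []
    # Rule 1: at least one approval from someone other than the author.
    approvals = [r for r in pr.reviews
                 if r.state == "APPROVED" and r.reviewer != pr.author]
    if not approvals:
        problems.append("no approval from a reviewer other than the author")
        return problems
    # Rule 2: the approval must post-date the newest commit; otherwise code
    # pushed after the review was merged without anyone looking at it.
    if all(r.submitted_at < pr.last_commit_at for r in approvals):
        problems.append("approval is stale: commits were pushed after the last approval")
    # Rule 3: a CHANGES_REQUESTED review never superseded by a later approval
    # from the same reviewer means the merge overrode a blocker.
    for r in pr.reviews:
        if r.state == "CHANGES_REQUESTED" and not any(
            a.reviewer == r.reviewer and a.submitted_at > r.submitted_at
            for a in approvals
        ):
            problems.append(f"merged over an unresolved change request from {r.reviewer}")
    return problems


def audit_merges(prs) -> dict:
    """Map PR number -> list of exceptions, only for PRs that failed a check."""
    result = {}
    for pr in prs:
        problems = check_pull_request(pr)
        if problems:
            result[pr.number] = problems
    return result


def _t(s: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: four merges, one clean and three with exceptions.
SAMPLE_PRS = [
    PullRequest(101, "alice", "bob", _t("2024-03-04T12:00"), _t("2024-03-04T09:00"),
                [Review("bob", "APPROVED", _t("2024-03-04T11:00"))]),
    PullRequest(102, "carol", "carol", _t("2024-03-05T10:00"), _t("2024-03-05T09:00"),
                [Review("carol", "APPROVED", _t("2024-03-05T09:30"))]),   # self-approval only
    PullRequest(103, "dave", "bob", _t("2024-03-06T15:00"), _t("2024-03-06T14:00"),
                [Review("bob", "APPROVED", _t("2024-03-06T10:00"))]),     # stale approval
    PullRequest(104, "erin", "frank", _t("2024-03-07T16:00"), _t("2024-03-07T12:00"),
                [Review("bob", "CHANGES_REQUESTED", _t("2024-03-07T13:00")),
                 Review("frank", "APPROVED", _t("2024-03-07T15:00"))]),   # overrode a blocker
]

if __name__ == "__main__":
    for number, problems in audit_merges(SAMPLE_PRS).items():
        print(f"PR #{number}: " + "; ".join(problems))
```

Run on the whole observation period rather than a sample, and keep the output with the run date: an empty exception list for a dated window is exactly the kind of artefact the auditor can test against.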
The audit for Type 1, in comparison, doesn’t require an observation period, is less intrusive, and asks you to give a snapshot (with evidence) of the various checks and systems (read: controls) you have put in place to meet the SOC 2 checklist requirements. Note that after you clear your SOC 2 Type 1 audit, you will need to go through an observation period, typically three to twelve months, before you can undergo a Type 2 audit.
9. Establish Continuous Monitoring Practices
Getting your SOC 2 report isn’t a one-time event. The report is only a starting point, because security is a continuous process and SOC 2 reports are typically renewed annually, so it pays to establish a robust continuous monitoring practice. For instance, when an employee leaves your organization, a workflow should be triggered to remove their access. If that doesn’t happen, you should have a system that flags the failure so you can correct it before the auditor finds it.
Here are some guidelines on what a robust continuous monitoring practice can achieve:
- It should be scalable; it should grow with your organization
- It should make evidence collection easy and streamlined
- It shouldn’t get in the way of your employees’ productivity
- It should alert you when control isn’t deployed or deployed incorrectly
- It should give you the big picture as well as an entity-level granular overview of your infosec health at any point in time
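The offboarding failure described above is the classic example of a control that silently stops working. The following is an added example, not code from the original checklist or from any vendor: a continuous-monitoring check that reconciles the HR roster against a snapshot of accounts in each system and reports two failure modes, a leaver whose account is still active past the deprovisioning SLA and an active account with no HR record at all (the contractor gap noted in step 4). The roster, the account snapshot and the one-day SLA are constructed for the example; in practice you would pull the roster from your HRIS and the accounts from your identity provider or each system’s admin API.

```python
"""Added example: catching a failed offboarding by reconciling HR data
against live accounts. ROSTER, ACCOUNTS and the grace period are constructed
for this example; feed them from your HRIS and identity provider in practice."""

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    status: str     # "active" or "suspended"


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    reason: str


def reconcile(roster: dict, accounts: list, as_of: date, grace_days: int = 1) -> list:
    """Compare an HR roster (user -> last working day, or None while still
    employed; contractors included) with an account snapshot and return the
    control failures, sorted so the evidence output is stable.

    grace_days is the SLA within which deprovisioning must complete; an active
    account still inside that window is not yet a failure."""
    findings = []
    for acct in accounts:
        if acct.status != "active":
            continue                      # already suspended: control worked
        if acct.user not in roster:
            # Nobody in HR owns this account: an orphan, e.g. a contractor
            # who was never added to the roster.
            findings.append(Finding(acct.user, acct.system,
                                    "active account with no HR record"))
            continue
        last_day = roster[acct.user]
        if last_day is not None and as_of > last_day + timedelta(days=grace_days):
            overdue = (as_of - last_day).days
            findings.append(Finding(acct.user, acct.system,
                                    f"still active {overdue} days after last working day"))
    return sorted(findings, key=lambda f: (f.user, f.system))


# Constructed sample data.
ROSTER = {
    "alice": date(2024, 3, 1),     # left on 1 March
    "bob": date(2024, 3, 10),      # last day is today, still inside the SLA
    "carol": None,                 # current employee
    "erin": date(2024, 2, 15),     # left, and was correctly suspended
}
ACCOUNTS = [
    Account("alice", "email", "active"),
    Account("alice", "prod-db", "active"),
    Account("bob", "email", "active"),
    Account("carol", "email", "active"),
    Account("dave", "prod-db", "active"),      # not in HR at all
    Account("erin", "email", "suspended"),
]
AS_OF = date(2024, 3, 10)


def sample_findings(days_after: int = 0) -> list:
    """Run the reconciliation on the sample data, as of AS_OF plus days_after."""
    return reconcile(ROSTER, ACCOUNTS, as_of=AS_OF + timedelta(days=days_after))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.user:6} {f.system:8} {f.reason}")
```

Schedule the check daily and route each finding to a ticket; the ticket trail then doubles as evidence that the failure was both detected and closed within the SLA, which is what a Type 2 auditor will sample.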
Beyond these, you will need to budget for additional measures such as mobile device management (MDM) software, vulnerability scanners, an incident management system, periodic updates to your security measures, and penetration testing, among others. All of these should be part of your SOC 2 compliance checklist.