SOC2 Considerations

Top 6 considerations for SOC2 certification

In today’s business environment the cloud increasingly forms the core of every business, whether for data storage, data mining, or security, and businesses are migrating to it in droves. Vendors operating in the cloud are expected to follow standardized operations, with proper security systems in place, that ensure customer data is handled in a professional and well-demarcated manner. A single oversight can cause irreparable losses and serious embarrassment to a business. The way to bring about that security is to adopt standard policy frameworks and the related certifications, such as ISO 27001, GDPR, and SOC2. Service providers often face a dilemma about the timing of such certifications, since the time and investment involved need to produce the desired ROI.

In 2020 I had the chance to handle one GDPR and two SOC2 certifications in their entirety, right from audit vendor selection to completing the audit successfully.

When is the right time?

Whether you are a service or a product company, these certifications and validations become increasingly valuable as you scale up or enter the phase of targeting enterprise customers.

What are the right certifications?

With varied certifications across industries and verticals, this is a pertinent concern. From experience, I understand that these differ by activity and by region.

  • For those providing services to end customers or end users who reside in Europe, GDPR could be the right certification.
  • For those serving entities in the fintech or financial domain with target markets in North America, SOC2 will be of immense use.
  • Similarly, for those serving the healthcare domain, HIPAA could be of extreme importance.

To repeat, the relevant certification depends on the type of service you provide as well as the target market for your product.

How to go about this?

Once you decide to go for an audit, you need to do the following:

  • Locate the right auditor. You could use your existing network of people who have already done something similar, or you could request proposals online.
  • Get a detailed proposal about the coverage you can have. For example, if you plan for SOC2, decide whether you want the audit to cover all the areas, such as privacy and confidentiality, or only a subset.
  • Decide on the budget and timeline, as this exercise can take months (a minimum of 6 to 9 months) of effort and requires support from every department of the organization.
  • Organizations sometimes lack even the basic policy framework and procedural documentation needed to produce the policy documents these audits require. These audits touch almost every aspect of the organization: recruitment, onboarding, employee policies, finance, risk management, infrastructure, change management, and security, to name some.

SOC2 Journey

A SOC2 audit has two major steps, and it is always recommended that you complete SOC2 Type 1 first, followed by SOC2 Type 2.

The first phase is essentially about putting a basic framework in place, with all the policy documentation and the evidence supporting it.

The second phase consists of actual fieldwork against the framework set up in the first phase. Results from this stage are compared against what was established in the first phase.

A note of caution

The whole SOC2 exercise requires commitment from company leadership, the time of key people in HR leadership and the infrastructure team, and a great deal of information about infrastructure, configuration, and settings. It is equally important that those driving the SOC2 initiative understand the entire SOC2 landscape. This can mean understanding HR and finance policies (employee policies, fraud management, risk management), infrastructure documentation around firewalls, change management documents on the engineering side of the organization, contracts, and the information security policy. Exposure to all of these areas will help you reduce the overall time required for the journey and reduce dependencies within the organization.

End Game

Upon completing both stages successfully, you receive a draft report from your auditors detailing how the control requirements of the audit were fulfilled. It certifies that your firm follows the standard policies and procedures under the AICPA trust principles. Once the final certification is issued, the company can register on the AICPA website and download the SOC2 logo, which can be displayed in strategic locations and announced through channels such as press releases.

The SOC2 exercise can be completed in as little as 6 months, or in 9 to 12 months. SOC2 Type 2 is the stage where you operationalize the policies and frameworks you have put in place and make sure they are followed, in letter and in spirit, on an ongoing basis.

Feel free to reach out if you plan to embark on this journey and have questions about it.
