In collaboration with our partners at Cobalt, we produced a webinar with infosec expert Aaron Kraus to help startups and other organizations kick off their SOC 2 journeys. Here’s a sneak peek.
SOC 2 stands for Service Organization Controls 2 and is a framework created by the AICPA, or American Institute of Certified Public Accountants, to set standards for service providers and their cybersecurity practices. A SOC 2 report represents your auditor’s opinion on how well you’re meeting the criteria set forth by the SOC 2 framework. There are two types of SOC 2 reports: Type I and Type II. A Type I report reviews the framework of controls you have designed; a Type II report reviews both the design as well as the operational effectiveness of your control framework.
Some of the key drivers for why you might seek a SOC 2 report is to meet contractual requirements or for marketing and business strategy benefits. Whatever your key driver is, obtaining a SOC 2 report leads to new business, assures your customers that you are committed to security best practices, and enables better infosec risk management.
We’ll look at it from a three-part perspective. The first step to preparing for your SOC 2 audit is to define the scope, or the area that is subject to the audit. The recommendation is to start small and build over time. It is not recommended to cover your entire organization for your first audit.
Within the SOC 2 framework, there are five Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. These are the criteria that your business needs to meet to undergo a SOC 2 audit. Whichever TSCs you choose for the scope of your SOC 2 audit should be tailored to your organization. You should not try to implement all criteria at once. Check out the clip below to learn more about the TSCs.
Step two and three of preparing for your SOC 2 audit consists of implementing the necessary controls for whichever criteria you’re trying to meet using the People, Process, and Technology (PPT) methodology and then figuring out your audit timeframe and getting organized for it.
For more details on steps two and three, sign up to watch the full webinar, which includes an informative Q&A session, and download the slides here.