The question of how to better prepare for a SOC 2 assessment comes up frequently for the assessors at 360 Advanced.
In our recent webinar, “SOC 2 Overview: A Conversation with Experienced Professionals,” 360 Advanced team members discussed items like how to get prepared for a SOC 2, penetration testing and risk assessments, and leveraging SOC 2 for other compliance frameworks.
360 Advanced Practice Director John Kadechka, CPA, CISA, CRISC, CCSFP, and Senior Compliance Executive Kris Francis led the discussion, which addressed common SOC 2 questions. Here’s some of what we talked about:
Top 5 Takeaways from Our SOC 2 Webinar
1. What are the most important aspects of being prepared for a SOC 2?
Kadechka and Francis agreed this is a question they answer often.
Kadechka said management should understand the specific services that are being performed and ensure they have a detailed understanding of the services that need to be included in the report.
“Quite often, we get on these scoping calls with a client who has an additional service they want to add, and what we’ll learn coming out of that call is that a SOC 2 might not be a fit for their purposes,” Kadechka said. “I always say it’s critical to understand the services and understand what you want to bring into that report.”
Kadechka pointed out that the AICPA created an overview guide, “Information for service organization management,” to help management know what to anticipate and how to prepare for a SOC 2 report.
Management needs to be informed of the details of the project and the time commitment it entails, Francis said.
“I will sum this up to three key pieces,” he said. “The first is tone at the top. This ensures employees stay engaged and see the project as a priority. Secondly, complete an annual risk assessment so the organization understands their risks and how to address them. Third, make sure you have dedicated resources working on the project because it helps keep the project on track.”
2. What is the best way to choose a service auditor?
Kadechka thinks of himself as more than just an auditor. To build trust, he said it’s important to ask questions and engage in conversations. And it’s important to establish relationships.
He’s not interested in just coming in to audit your controls and handing you a list of findings.
“I want to try to identify areas of inefficiencies, things you could do differently, that you could potentially do better, obviously without crossing that independence line,” he said. “I always say ‘choose an auditor you can trust.’”
And it comes down to what the organization is after, Francis said, regardless of your specific compliance goals.
While some organizations want a check-the-box style auditor, choosing the auditor that you have the best working relationship with is key.
3. How can SOC 2 be leveraged to complete assessments under other frameworks?
Kadechka said a SOC 2 report is not going to fully address all of the requirements of, for example, a NIST 800-53, HITRUST, or HIPAA review. He said there are SOC 2 plus reports, where an additional requirement can be layered on, such as with a SOC 2 + HITRUST or SOC 2 + HIPAA.
To leverage SOC 2 under other frameworks, 360 Advanced takes the requirements the regulatory bodies have established and adds them into the SOC 2 report, which results in one report that includes the additional controls.
Francis said there’s a lot of control overlap between SOC 2 and HIPAA and ISO “and just a tiny bit with PCI.” If you bring in a HIPAA security assessment that you want to leverage from your SOC 2, about 80% of the controls you’ll need for the HIPAA assessment are already there.
For example, if 360 Advanced is conducting a SOC 2 and HIPAA assessment, a single document request is issued that lists everything needed as evidence for both the SOC 2 and the HIPAA assessment.
“Physical security is something we won’t have to ask for twice,” Francis said. “So that’s leverage. We can now use that piece of documentation for both frameworks, and that’s how you start to see those efficiencies, from both a fee and time perspective.”
4. Will a SOC 2 make my business more secure?
Kadechka said the word “security” is often used incorrectly when referring to SOC 2, and that it all boils down to trust: trust with stakeholders, clients, management, and regulators that may use the report.
“At the end of the day, when you’re putting a SOC 2 report out to the markets, you’re giving your stakeholders a peek into your control environment because you’re bringing in a third-party, a service auditor, to assess your overall control environment,” he said.
But does it make your business more secure?
“It enhances your credibility, specifically to any security commitments you’re making,” Kadechka said. “We’re going to come in and we’re going to look at those controls, and we’re going to report on those controls and the results of that testing to your customers. It builds trust.”
Francis said SOC 2, as a reporting framework, reports on what you’re doing to be secure.
If an organization has nothing in place, a SOC 2 will make it more secure at a general level.
“It’s going to force you to put certain things in place that weren’t there before,” Francis said, “enhancing your credibility.”
5. Is a penetration test or risk assessment required for a SOC 2?
A risk assessment is required for a SOC 2 report. Within the common criteria, there are nine different areas that auditors assess, one of which is a risk assessment.
Penetration testing is not required for a SOC 2; however, Kadechka said it’s a control he’d want to include in the scope if it’s already being performed.
“You’re giving more comfort and providing more assurance to your users that you’re going above and beyond doing the penetration test,” he said.
Francis said that if you’re undergoing a penetration test, your auditor will add a control into your SOC 2 report that references the frequency with which that testing occurs. This gives further insight into the steps you’re taking to secure the data.
“From your client’s perspective, that gives them more assurance,” he said.