Steps to a successful SOC 2
Preparing an organization for a SOC 2 audit can be an intensive job. A number of steps can help you with this.
Determine the scope
The first step coincides with the first phase of the SOC 2 trajectory and is twofold. Here you determine the scope of the system and the scope of the criteria (standards). By determining the scope of the system, you define as precisely as possible what the SOC 2 statement should be about. Leading here are the needs of the user of the report (your (potential) customer and their auditors). About which system do they want assurance, and what falls outside the scope? You can read more about determining the scope of the criteria here.
Get to know the criteria
It is important to understand what will be tested. Read the criteria carefully and always ask yourself what each criterion is intended to achieve. In this way you can link the correct control measures to the criteria and identify where control measures fall short, are missing or have not been described. The IT auditor can help you understand the criteria.
Write what you do and do what you write
IT service organizations often consist of pragmatic people who sometimes have little affinity with formal procedures and process-oriented work. However, it is important that the organization establishes formal policies, procedures, plans and guidelines, so that processes can be followed easily and responsibilities are formally assigned. So describe the what, how, when and who in the organization and make the documents in which this is recorded available. Conversely, the organization must also actually carry out what is described. You cannot get away with only a good story during an audit.
Making control measures work effectively depends on the people in the organization. A manageable environment is only created when the organization is aware at all levels of the need to work securely. Reporting and describing security incidents, the secure handling of company assets and data carriers, the onboarding and offboarding process for employees: these are just a few of the control measures that depend heavily on the people in the organization.
Make it controllable
The existence or operating effectiveness of some measures can be difficult to establish. When ad-hoc actions or consultations take place, there is often no record of them. For consultations and meetings, therefore, keep minutes or a report, and for changes, raise tickets with a description. In addition, make sure that periodic actions, such as reviewing access rights, have actually been carried out and that it is clear how, what, when and by whom this was done. Choose a method that suits your organization so that it costs little extra work.
Follow recommendations from previous audits
Points identified in previous (internal) audits (such as ISO or SOC 2 Type 1) should be collected and evaluated. The organization will not be able or willing to follow every recommendation. This is acceptable as long as it is clear that a reasoned choice was made during the evaluation.
Provide available knowledge and make a detailed plan
The standards affect different fields, teams and departments within an organization. The IT auditor will therefore want to conduct interviews with those responsible for HR, management, development and operations. When planning the audit, it is important that these responsible persons are available for interviews and walk-throughs. If necessary, discuss with the IT auditor how much time is needed per field, so that you can make a detailed plan.