Your growing company is hitting a sales plateau – it’s becoming difficult to close deals with security-conscious customers. Your sales and technical teams are getting bogged down with cybersecurity questionnaires and questions about a “SOC 2.” You need to know how to get a SOC 2 certification so you can remove this roadblock your company faces.
This guide will give you as much information as is possible to get you started on your road to SOC 2 compliance.
What is SOC 2?
System and Organization Controls (SOC) 2 is an information security compliance standard maintained by the American Institute of Certified Public Accountants (AICPA). It is designed to test and demonstrate the effectiveness of an organization’s security controls.
To get a SOC 2, a company must build a compliant security program and complete an audit with a licensed CPA firm. The auditor reviews and tests the security controls against the SOC 2 criteria and writes a report documenting the findings.
The resulting SOC 2 report facilitates sales and vendor management by providing one document that sales teams can send to potential customers for review, instead of working through cybersecurity questionnaires.
As cybersecurity becomes an increasingly large business concern, merely having a SOC 2 is becoming table stakes for selling to many large enterprises. Many companies will refuse to do business with vendors that don’t have a SOC 2, or will sign contracts with written demands that a company will become SOC 2 compliant by a certain date.
One more thing: despite it commonly being referred to as a “SOC 2 certification,” SOC 2 is actually an attestation. SOC 2 auditors do not certify that a given company has met the standard, instead the report is an attestation to what they’ve observed in the organization’s security program.
This distinction may seem semantic, but it is significant. SOC 2 compliance is much more freeform than an actual certification like ISO 27001. Companies have more freedom in what controls to pick and implement to secure their company with SOC 2.
We will use both terms in this piece to reflect how people speak and think about this topic.
SOC 2 vs SOC 1 and SOC 3
The AICPA also has two other SOC reports they issue: SOC 1 and SOC 3.
SOC 1 covers controls that are relevant to your customers’ financial reporting, and is not particularly relevant to cybersecurity.
SOC 3 covers information security just like SOC 2 does, but SOC 3 is just a summary report of an organization’s cybersecurity program. In order to get a SOC 3 report, an organization must have had a SOC 2 audit done.
The SOC 3 report does not include any confidential information about an organization’s controls and is generally sparse on details. It is not nearly as comprehensive or as valuable as a SOC 2, but it can be published publicly and distributed without any parties needing to sign an NDA.
How to get a SOC 2 certification: pick your variables.
There are several decisions an organization pursuing a SOC 2 certification must make.
First, it must decide whether it wants to get a SOC 2 Type 1 or a SOC 2 Type 2. Then, it must decide which of the five Trust Services Criteria to include in the scope of its audit.
Let’s make these decisions simple for you: We recommend getting a Type 1 for your first audit. For Trust Services Criteria, which ones you select will depend largely on the service your organization provides. We’ll give more detail on both of these decisions now.
There are two different types of SOC 2 reports you can pursue: a SOC 2 Type 1 and a SOC 2 Type 2.
The difference between the two of them is three-fold:
- The period of time over which the audit was performed. A SOC 2 Type 1 is a point-in-time evaluation. A SOC 2 Type 2 evaluates the security program over a period of time.
- The nature of the audits. A SOC 2 Type 1 evaluates the design of the program while a SOC 2 Type 2 evaluates the execution of the program.
- The required evidence. A SOC 2 Type 2 requires collecting sampled evidence over the audit period, while a SOC 2 Type 1 does not.
A SOC 2 Type 1 reflects the cybersecurity program as it existed on a single date, the date stated in the report.
A SOC 2 Type 2 evaluates a company’s security over a longer period of time, usually 6 – 12 months. A company must demonstrate to the auditor that it is adhering to its security program over the entire time period.
A SOC 2 Type 2 is more valuable because it highlights a greater level of commitment to security and because it’s more informative about the ongoing state of the security program. A Type 2 audit includes the auditor sampling data throughout the period, evaluating how well the company is adhering to its program.
A company with a SOC 2 Type 1 could potentially get its SOC 2 report and then stop upholding any of the controls it says it does.
Should you get a SOC 2 Type 1 or Type 2?
While a SOC 2 Type 2 is much more valuable than a SOC 2 Type 1, it’s still worth getting a SOC 2 Type 1 first if your company is pursuing cybersecurity compliance for the first time.
Completing a SOC 2 Type 1 audit takes considerably less time and money than a SOC 2 Type 2 audit. Achieving a SOC 2 Type 1 first will help your organization build the skills and practices necessary for ongoing compliance. The lessons learned from the first Type 1 audit will help ensure the more impactful Type 2 audit goes smoothly.
Plus, completing a SOC 2 Type 1 gives your company something to show for its security efforts earlier, and many security-conscious customers will accept a SOC 2 Type 1 report in the interim as long as you are planning to get your Type 2.
SOC 2 Trust Services Criteria
As if the choice between a Type 1 and Type 2 wasn’t confusing enough for first-time auditees, SOC 2 adds another dimension: the five Trust Services Criteria categories of Security, Availability, Confidentiality, Processing Integrity, and Privacy.
Each category is best thought of as an area of focus. Organizations getting their SOC 2 must select which of the five they are going to cover in the report.
Here’s a quick summary of each category:
SOC 2 Security Criteria
- Security is the only required category; every SOC 2 audit must cover it. Its criteria are also known as the Common Criteria.
- Security is the largest category, with the most required controls.
- It covers the control environment (management and culture), communication and information, risk assessment, monitoring of controls, control activities, logical and physical access controls, system operations, change management, and risk mitigation.
SOC 2 Availability Criteria
- Availability is about the uptime of your service.
- Availability controls include plans to maximize uptime and to restore service after an outage.
- Business continuity, disaster recovery, and backup plans are the core controls for this category.
SOC 2 Confidentiality Criteria
- Confidentiality covers the controls used to keep confidential business data confidential.
- This category expects you to identify confidential data and protect it throughout its lifecycle.
- Example controls include encryption, access restrictions, and secure data destruction.
SOC 2 Processing Integrity Criteria
- Processing Integrity is about whether your system processes data completely, accurately, in a timely manner, and only as authorized.
- Its controls are meant to show that processing is performed consistently and that errors and exceptions are detected and handled appropriately.
- Producing the documentation this category needs is laborious, because it requires SOC 2-specific, detailed descriptions of how data flows through your system. (Almost all other content produced for a SOC 2 audit has uses outside SOC 2; this largely does not.)
SOC 2 Privacy Criteria
- Privacy covers how personal information is kept private.
- SOC 2 Privacy is more applicable to Business-to-Consumer companies as opposed to Business-to-Business companies.
Which Trust Services Criteria should you pick for your SOC 2?
All organizations getting a SOC 2 must include Security, and should include Confidentiality as well, since controls for keeping business data confidential matter to nearly every customer.
Availability is important if your business provides a mission-critical service, and Processing Integrity is important if your service processes a lot of client data.
For Privacy, you are better off following guidelines provided by regulatory programs such as GDPR and CCPA instead of following the SOC 2 Privacy criteria.
A few example Trust Service Criteria Selections: Most SaaS companies typically select the Security, Availability, and Confidentiality criteria. For consulting companies, the common choice is Security and Confidentiality. In cases where the company is processing data, they sometimes include Processing Integrity.
How to Prepare for your first SOC 2 Audit
Preparing for your first SOC 2 audit is no small task.
- Decide on the scope of your audit.
- Identify and fill gaps in your cybersecurity program.
- Create and edit security content (policies and other documentation).
- Modify internal procedures.
- Select an auditor.
- Begin audit.
How to get a SOC 2 certification: Scoping your Audit
The first step in getting a SOC 2 is deciding on the scope of your audit.
SOC 2 is about demonstrating your commitment to security and improving customer confidence in your security program. You should include every service and product that you expect customers to have security concerns about.
Most smaller companies scope the entire company. As companies grow and add product lines, they need to decide whether the SOC 2 covers the whole company or specific product lines. Covering the whole company is a big advantage, but if one part of the company runs looser than the rest, it will drag down your compliance program.
This is also the stage where you will decide between Type 1 and Type 2, and pick which Trust Services Criteria to include.
Identify and fill Gaps in your Cybersecurity Program
Once the scope of the audit is decided, you need to evaluate your current cybersecurity program in comparison to the SOC 2 control set. Even companies with mature cybersecurity programs do not meet every single control from the get-go.
There are a number of administrative and technical security controls that are often overlooked prior to getting a SOC 2, and they can be sticking points that generate a lot of additional work before and during the audit process – we’ll dive into them later.
Document your Cybersecurity Program
In order to evaluate your security program, the auditor must have actual items to evaluate!
Unfortunately, it’s not enough to just tell the auditor that you require Multi-factor Authentication for your users. You need to have it documented in a policy: who is required to have it? What types of apps are required to use it, versus which ones are not? What authenticator apps are allowable?
Most controls need to have a policy and evidence your organization is sticking to the policy created for them. It’s a lot of work – but your company will become much more secure in the process.
How to get a SOC 2 certification: Choosing your Auditor
Not all auditors are created equal. Since the standard is administered by the AICPA, almost any licensed CPA firm can technically perform a SOC 2 audit, but that doesn’t mean just any CPA should.
Bad auditors are bad news for your compliance program. It’s important to pick an auditor who is knowledgeable about SOC 2 and cybersecurity to increase the likelihood of a smooth audit with a high quality report.
There are a number of things you might consider when selecting an auditor:
Cost – as with any service, it’s important to make sure that costs are covered in the budget, and to preserve buy-in for any expenses. Remember, you will be paying for a SOC 2 Type 2 audit every year going forward!
Experience – You want to select an auditor who has specialized in technical audits. They should have a practice that specifically focuses on SOC 2.
Timeliness – You want an auditor who can commit to a time frame in order to keep everything running smoothly, with key reporting or other benchmarks being completed when they are expected.
Readiness Assessment – Some firms provide a pre-planning readiness assessment to evaluate how ready the organization is for a SOC 2 audit. The auditor should roll the results of this assessment into the audit, and not make you redo all of the work!
If you are working with a SOC 2-knowledgeable consultant, then you probably don’t need the readiness assessment. The benefits of the assessment will be covered by the Virtual CISO services your consultant provides. If you don’t have outside assistance, then the Readiness Assessment will be a very valuable tool.
How consultants can help you prepare for and complete a SOC 2 audit.
Preparing for and completing a SOC 2 audit takes a lot of additional specialized work that should fall on a Chief Information Security Officer (CISO) and their team. Few growing companies learning how to get a SOC 2 certification for the first time have a CISO or any other built-in resources and talent to efficiently complete this work.
There is a lot that existing executive leadership, like a CTO, is capable of doing. The problem with this approach is that assigning them these cybersecurity and compliance tasks takes away time that they could be spending on their high-value primary role.
This is why many companies turn to Virtual CISO consultants to assist them with preparation and completion of their SOC 2 audit. Virtual CISOs are experienced with SOC 2 and can help with every step from the initial scoping to the completion of the audit itself.
Here’s a small sample of SOC 2 audit tasks that can be given to Virtual CISOs.
Perform a Gap Assessment – A gap assessment is crucial for taking stock of an existing cybersecurity program and finding gaps that need to be filled to get your company audit-ready.
Acquire and implement technical controls – if there’s a deficit, consultants help companies add the needed controls to improve security and ensure compliance.
Adjust policies and procedures – As we just mentioned, policies and procedures are likely not to be audit-ready until efforts are made to make them so.
Create content – The content that’s created is going to be key documentation for a SOC 2 audit. Policies, procedures, reports – they can write it and get it in place.
Project manage – Virtual CISOs can project-manage the whole audit project. There’s something to be said about domain-expert project managers.
Perform risk assessments – if this is not something that you were doing before you will now! Risk Assessments are mandatory for SOC 2 compliance, and a Virtual CISO can perform the assessment and write the report.
Perform vendor evaluations – Vendor management is a part of every SOC 2 compliance program. If this is not already in practice at an organization, it can be valuable to outsource the activity to an expert.
Perform “External Internal Audit” – Internal audits are necessary for SOC 2 compliance – they help make sure that your company is doing everything needed before the auditor catches you. Some firms don’t have an internal audit function, so an “External Internal Auditor” who is familiar with the standards and can keep the organization accountable is helpful.
(“External Internal Auditor” might sound like an oxymoron, but who doesn’t love jumbo shrimp?)
Select an Auditor – A good Virtual CISO will know what makes a good SOC 2 auditor and can remove auditor selection from your plate.
Advocate on your behalf with the Auditor – Your Virtual CISO will be with you for every audit call. They will advocate on your behalf, ensuring the auditor sets realistic compliance expectations for your organization.
Common Tripping Points/Challenges to getting a SOC 2 Attestation
Administrative controls are where most companies fall short of SOC 2 requirements. Sometimes the controls aren’t in place at all (usually this is fixed before the audit begins). Other times they exist on paper but certain policies or procedures are not carried out correctly.
Either way, learning how to get a SOC 2 certification means learning a lot about administrative security controls.
Access Control
Access control is about who has access to each system and what level of access each user has: permissions, account status (active or disabled), and tiered or role-based access.
You will need to review access for all of your key systems. This includes your Identity and Access Management (IAM) system, cloud services, networking equipment, servers, VPNs, and anything else that matters.
We regularly find accounts that don’t belong when we review clients’ systems. Check this before you begin the audit and keep checking it on a schedule, or the auditor will catch it and you will get an exception.
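Here is what that pre-audit access review looks like as a script. This is an added example, not code from the original article or from Fractional CISO; the account export format, the HR roster format, the field names, and the sample records are all constructed assumptions for illustration. It reconciles an identity provider’s user list against HR and flags accounts with no HR record, active accounts for terminated staff, users without MFA, and privileged accounts that have gone unused, which are exactly the findings an auditor will write up as exceptions.

```python
from datetime import date

# Added example (not from the original article). Reconciles an identity-provider
# user export against the HR roster the way a pre-audit access review should.
# All names, field names and sample records are constructed assumptions.

IAM_ACCOUNTS = [
    {"email": "alice@example.com", "status": "active", "mfa_enabled": True,
     "last_login": date(2024, 3, 1), "role": "admin"},
    {"email": "bob@example.com", "status": "active", "mfa_enabled": False,
     "last_login": date(2024, 2, 20), "role": "user"},
    {"email": "carol@example.com", "status": "active", "mfa_enabled": True,
     "last_login": date(2023, 9, 1), "role": "admin"},
    {"email": "dave@example.com", "status": "active", "mfa_enabled": True,
     "last_login": date(2024, 3, 2), "role": "user"},
    {"email": "eve@example.com", "status": "active", "mfa_enabled": True,
     "last_login": date(2024, 3, 3), "role": "user"},
    {"email": "frank@example.com", "status": "disabled", "mfa_enabled": False,
     "last_login": date(2023, 1, 5), "role": "admin"},
    {"email": "svc-backup@example.com", "status": "active", "mfa_enabled": False,
     "last_login": None, "role": "user"},
]

# HR status by email (constructed). Anyone not listed has no HR record at all.
HR_ROSTER = {
    "alice@example.com": "employed",
    "bob@example.com": "employed",
    "carol@example.com": "employed",
    "dave@example.com": "terminated",
    "frank@example.com": "terminated",
}

# Service accounts are not people; they are reviewed against their own inventory.
APPROVED_SERVICE_ACCOUNTS = {"svc-backup@example.com"}

REVIEW_DATE = date(2024, 3, 5)


def review_access(accounts, roster, service_accounts, today, stale_days=90):
    """Return (email, issue) pairs for every active account that fails a check."""
    findings = []
    for acct in accounts:
        email = acct["email"]
        if acct["status"] != "active":
            continue  # a disabled account grants no access; nothing to flag
        if email in service_accounts:
            continue  # covered by the service-account inventory, not the HR roster
        hr_status = roster.get(email)
        if hr_status is None:
            findings.append((email, "no matching HR record"))
        elif hr_status == "terminated":
            findings.append((email, "active account for terminated employee"))
        if not acct["mfa_enabled"]:
            findings.append((email, "MFA not enabled"))
        if acct["role"] == "admin":
            last = acct["last_login"]
            if last is None or (today - last).days > stale_days:
                findings.append((email, f"privileged account unused for more than {stale_days} days"))
    return findings


def sample_findings():
    """Run the review over the constructed sample data as of REVIEW_DATE."""
    return review_access(IAM_ACCOUNTS, HR_ROSTER, APPROVED_SERVICE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for email, issue in sample_findings():
        print(f"{email}: {issue}")
```

Run it against a real export and the findings list becomes the input to your ticketing system: one ticket per finding, closed with the evidence of what was done, which is the paper trail the auditor will sample during a Type 2.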
Change Control
Another important part of the audit is change control. Every change needs to be properly documented.
For SOC 2 purposes, that means documenting changes to software, configuration, and networking, as well as changes made at a customer’s request.
How do you document changes consistently? With a ticketing system.
A ticketing system is one of the best ways to make sure every change is recorded consistently and thoroughly: who requested it, who approved it, who made it, and when. Most software companies already track software changes this way but do not apply the same discipline to changes in configuration, networking, or administrative privileges. You will need to for SOC 2 compliance.
If you change a firewall rule, for instance, that change should be recorded in your ticketing (or equivalent) system.
Risk Management and Vendor Management
Risk and Vendor Management are two crucial elements to any cybersecurity program. They are going to be a part of every SOC 2 audit, no matter how you scope it.
For the same reason that your customers are asking you for details about your security program, you must ask your vendors about theirs.
You need to make sure that your vendors who are performing key functions don’t cause an upstream compromise of your customers’ data. They might have been the ones who got compromised, but who are your customers going to blame for trusting their data to an insecure vendor?
You need a program to monitor your suppliers. It should be tiered by vendor risk: you don’t need to spend the same amount of time on your paper towel vendor as on the cloud vendors that process your customers’ data.
You also need to perform, write, and maintain a risk assessment for your organization. It needs to be part of a formalized process for your management team to make deliberate decisions around risk. They will want to decide whether to avoid, mitigate, transfer or accept the risk.
It’s important to have a customized risk management setup, because every business is different. What works in one industry will not work in another. That is why you will need a program inside your organization to manage risk.
Internal Audit
You also need internal audit structures in place.
The idea is that even without an outside audit, there is somebody monitoring and evaluating internal controls.
The most important element here is that the internal auditor has to be independent.
Why? Well, the key question is this: “Would the internal auditors feel pressured to not present findings because their boss would be unhappy?”
If the answer is “yes,” then they are not truly independent. The internal auditor cannot care about the consequences of their findings, they must care only about factually reporting their findings.
Test yourself in this role: If your boss/buddy/teammate has to remediate the findings, or would be embarrassed by deficiencies in their work, then you are probably not an independent auditor.
This is why an “External Internal Auditor” can be very helpful!
Incident Response
SOC 2 also expects controls for responding to security incidents: your response and recovery plan for how the company handles unanticipated threats and breaches. The problem at many companies is not that they lack a plan, but that the plan is not detailed enough to actually respond to and recover from an incident.
The best preparation is a step-by-step plan that follows the standard incident lifecycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity, including a thorough review of what happened and the improvements that come out of it.
These plans must be practiced regularly so the team can handle the complexities of real incidents. The most common form of incident response practice is a tabletop exercise.
The plan should also cover notification: which regulators, customers, and other third parties need to be informed, and when. It should name who you will bring in for technical breach response, how you will contain and remediate, and how you will produce a full analysis of how the incident occurred.
A good incident response plan can keep a security incident from becoming a disaster. Without technical expertise lined up before an incident, any incident is likely to become one, so arrange that expertise in advance.
Technical Security Controls
There are a lot of technical controls as part of a SOC 2 audit. Technical controls get a lot of attention in early-stage security programs, so many organizations have a bunch of these in-place before beginning a SOC 2 compliance project. Here are a couple that they often don’t have in-place.
Vulnerability Assessments & Penetration Tests – SOC 2 Technical Controls
It is common practice for companies to evaluate their vulnerabilities, and most security professionals agree that it is best to do so continuously across the entire infrastructure. A complete assessment covers laptops, servers, network equipment, applications, and every other device connected to the company’s network. Penetration testing is needed to get the complete picture, because scanners only find known weaknesses and do not chain them together the way an attacker would.
Vulnerability assessment should be part of your routine security operations. If your organization fixes what it finds, it lowers your risk.
From a SOC 2 perspective, you need to monitor for and detect vulnerabilities, threats, and attempted attacks. Penetration testing helps identify control deficiencies, while vulnerability scanning helps satisfy the monitoring and detection requirements.
System Logging and Monitoring – SOC 2 Technical Control
The other SOC 2 Technical Control that we are covering here is the logging and monitoring of your company’s systems.
It is critical to log all key security events: authentication successes and failures, privilege changes, administrative actions, and changes to production systems. But logging is pointless if you configure it and never actually look at what goes into the logs.
Organizations should monitor their infrastructure and applications continuously, alert on anomalies, and record how each alert was investigated, because the auditor will ask for that evidence.
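As an added example (not from the original article), the following script shows the difference between merely logging and actually monitoring: it parses a handful of constructed authentication log lines and raises alerts for a burst of failed logins from one source and for a successful login that follows a run of failures from that same source. The log format, the thresholds, and the sample lines are assumptions chosen for illustration; in production you would run the same logic over your real log pipeline or encode the rules in your SIEM.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the original article). Constructed sample log lines;
# the "timestamp auth user=... src=... result=OK|FAIL" format is an assumption.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z auth user=alice src=198.51.100.9 result=FAIL
2024-03-05T10:00:09Z auth user=alice src=198.51.100.9 result=OK
2024-03-05T10:01:00Z auth user=admin src=203.0.113.7 result=FAIL
2024-03-05T10:01:02Z auth user=root src=203.0.113.7 result=FAIL
2024-03-05T10:01:04Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-05T10:01:06Z auth user=bob src=203.0.113.7 result=FAIL
2024-03-05T10:01:08Z auth user=carol src=203.0.113.7 result=FAIL
2024-03-05T10:01:30Z auth user=bob src=203.0.113.7 result=OK
2024-03-05T10:30:00Z auth user=dave src=192.0.2.44 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def detect(lines, window=timedelta(minutes=5), fail_threshold=5, success_after=3):
    """Return alerts as tuples. Two rules, both keyed on the source address:
    - brute_force: fail_threshold or more failures from one source inside the window
    - success_after_failures: a successful login preceded by success_after or more
      failures from the same source inside the window (possible credential compromise)
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerted_brute = set()          # one brute_force alert per source, not one per failure
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # in production, count unparseable lines; a silent parser hides outages
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= fail_threshold and ev["src"] not in alerted_brute:
                alerted_brute.add(ev["src"])
                alerts.append(("brute_force", ev["src"], len(q)))
        else:
            if len(q) >= success_after:
                alerts.append(("success_after_failures", ev["src"], ev["user"]))
            q.clear()  # a success resets the failure run for this source
    return alerts


def sample_alerts():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The second rule is the one worth keeping even if you tune the first away: a single success after a run of failures from the same source is a much stronger signal than the failures alone, and it is the event an auditor will expect you to have investigated and documented.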
What is a SOC 2 Audit Process Like?
External cybersecurity audits are actually more collaborative than you would think. Most auditors don’t sit down with the intention of busting your company on every little thing you’ve done wrong. They usually want to see the companies they work with succeed and sometimes provide help and advice to get them there.
Before COVID made work remote, an audit was typically a very intensive, short period of time where the auditor was on-site.
Remote collaboration has slowed down the audit process somewhat. An audit usually starts with a kick-off call with the auditor and key stakeholders at the company present. A plan is created for how the audit will proceed that everyone agrees to, and work begins. Evidence is collected and submitted to the auditor, who reviews it. Once all is collected, a report is created.
How much does it cost to get a SOC 2 certification?
Everyone knows going in that a SOC 2 isn’t going to be free… but how much exactly does it cost?
The answer is simple: it depends!
There are multiple variables that go into the cost of getting a SOC 2.
Auditor costs: Auditor costs can vary widely. For small-to-midsize firms, expect an annual auditor charge of $15,000-$50,000 depending on the scope of your audit, the size of your firm, and the brand of the auditor.
We have not seen a quality audit performed for less than $20,000, but it is possible that some exist.
Time and Effort: Many clients ask us how much their time/effort is going to cost. The answer is the same… it depends!
Do you have a great security program that just needs validation or are you building everything from scratch? The former is going to be a lot less work than the latter.
Mid-sized companies should expect a team of 3 employees to spend 3-5 hours per week each for six months to be ready for their first audit.
You likely need to factor in other costs as well. For instance, do you already have a ticketing system (or similar system) for tracking change control? If not, then there is going be an implementation cost for that service.
Do you do a great job of checking access controls already? Then don’t worry about that one. Do you have policies in place, approved by management, understood by employees and lived by the whole company? If yes, no work there.
For companies undertaking this process for the first time, it’s more than likely that there will be a considerable amount of work to do.
It is possible to put together a cost estimate with this information, but only people who know your organization can figure out what the cost will be for your organization.
We successfully got our SOC 2 Certification! Now What?
Congratulations on getting your SOC 2 Attestation! Assuming you have a great report with no exceptions, it’s time to leverage it to grow your business.
You’ll want to set up some sort of system for distributing your report to existing and potential customers when they request it. Since the SOC 2 report contains confidential information about your security program, you should require requesters to sign an NDA before they receive a copy.
Depending on the scale of your business, there are different ways to go about this. You can create a form on your website for people to submit a request, so that someone internal will be alerted to the request and can facilitate the process. You can also leave it to sales to handle it, so you are only distributing to customers in the pipeline.
Large enterprises have many compliance documents and have purpose-built tools to facilitate their distribution, like AWS Artifact. Midsize ones may use third-party vendors for the same process.
You should also direct your marketing team to start including your SOC 2 compliance status in your marketing materials! Having a good cybersecurity program is a differentiator that will put you to the top of any security-conscious customer’s vendor consideration list. Understanding how to read a SOC 2 report will help you understand what potential customers will be looking for in it, and help your team communicate better about your report.
On the actual security and compliance front – just getting a report is not the end. You will move into maintaining and further developing your security and compliance program as needed. At the very least, you will want to transition your program into maintaining annual SOC 2 Type 2 audits. You do not want to lapse in continuous audits, cybersecurity moves fast and a report older than a year will fail to impress any customers performing vendor management.
Conclusion on this very long “How to get a SOC 2 Certification” guide
Achieving a SOC 2 is no small task, and that’s why this has been no small guide! We’ve tried to include as much information as possible in this guide to teach you how to get a SOC 2 certification, and we wish you luck on your compliance journey.
If you feel like you need more hands-on help with your SOC 2 effort, Fractional CISO is here for you as well. Our Virtual CISO services have helped dozens of companies become SOC 2 compliant, reducing risk and growing their companies as a result. To get in touch, visit our contact page.