Are there any specific steps one must follow to achieve SOC 2 compliance? Or should one just get a checklist from a specialized auditor?

Some context:

  • We are a small company and need to become SOC 2 compliant in order to integrate with a partner's API.
  • We have a Ruby on Rails app hosted on Heroku.
rebagliatte
  • You have to first become SOC 1 compliant and then follow the guidelines from the auditors of SOC 1 for a period (12 months or so) for SOC 2. You will then have regular audits. My two cents. – JOW Nov 08 '16 at 10:17
  • Really wish there were more answers to this question, e.g. what kind of providers are out there to provide certification (accounting firms? business consultancies?), what the typical cost is, etc. – Anthony Kong May 01 '17 at 00:58
  • @JOW I do not think you are correct. SOC1 refers to Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting, while SOC2 deals with information security. Maybe you meant SOC2 type I vs SOC2 type II? – FanaticD Oct 23 '18 at 04:19

1 Answer

I am an IT security professional, currently working as an IT auditor, and am very familiar with SOC 2 attestations. To answer your question, it helps to first give a little background on the SOC 2 program.

The SOC 2 certification is the brainchild of the AICPA and is based on the Trust Service Principles. Each Trust Principle has a defined set of control criteria that outlines what characteristics the system, as your management defines it, must meet. As for the specific controls used to meet each control criterion, that is a decision for your company's senior management.

Are there any specific steps one must follow to achieve SOC 2 compliance?

This question is ultimately misguided. SOC 2 is concerned with the controls that your management has defined governing the services it provides to a client. As such, rather than asking what checklist you can use to ensure you pass, think about which of the Trust Principles are important to your company's customers. Most likely they will be reviewing the audit results before deciding whether or not to do business with your firm. If the controls attested to by the service auditor are of no value to the end customer, having a SOC 2 certification means nothing for that particular customer.

At a high level, the service auditor will be looking to see that the controls contained in the description given by your company's senior management are suitably designed and operating effectively to meet the control objectives for each of the Trust Principles. Representative questions the service auditor may ask are listed below:

  • Are the policies and procedures necessary to meet the Trust Principles (as applicable to the service provided) communicated to the relevant users?

  • Is the system, as defined, protected against unauthorized access? (Security principle)

  • Is confidential data, as defined with the customer, protected as agreed upon? (Confidentiality principle)

Ultimately, you are much better served by focusing on customer needs rather than a generic "check the box" approach.

Anthony
  • Thanks for the nice explanation of the topic. I have further questions, though, that I believe you could answer. I am helping to get the company I work at SOC2 compliant and I think I would like to become a SOC2 auditor in the future. How do I become one? The Internet is full of online video courses ending with questionable certifications, but I seem to be unable to actually discover what to study and where to get certified. Do you know anything about this? Thanks. – FanaticD Oct 23 '18 at 04:16
  • @FanaticD - Join the chat room and we can discuss. SE discourages lengthy discussions in comments – Anthony Oct 24 '18 at 01:24