The SOC 2 Certification Process

Does your to-do list look like this?:

Improve reputation with customers
Feel confident about data security
Reduce the risk of data breaches
Get dog food
Make business processes more streamlined

If so, here’s how to do all that in one go. It’s time to dip your toes into the crazy world of SOC 2. SOC 2 is a data security and privacy accreditation that checks all the boxes (except the dog food), and it’s an almost must-have if you’re dealing with customer data. So, here’s a fast and furious look at the SOC 2 certification process.

Hang On, What’s SOC 2, And Do I Have To Do It?

SOC 2 is short for the oh-so-memorably-named Service Organization Control 2 and was created by accountants (yes, accountants, whom we love dearly). The American Institute of Public Service Accountants (AICPA) created SOC 2 way back in 2010 as a way to standardize and assess how well (or not) organizations looked after the security and privacy of customer data.

SOC 2 isn’t compulsory. No law says you gotta do it. But it’s a way of demonstrating that you’re committed to data security and privacy for your customers, and it’s becoming expected. And if you’re a startup, SOC 2 makes you look like a restaurant with a Michelin star. Just as a Michelin star recognizes a restaurant’s excellence in food quality and service, SOC 2 compliance is a respected standard that recognizes excellence in data privacy and security. That way, investors can be confident you won’t blow their investment on legal fees after your customer data goes public (or back to the restaurant metaphor, you’re worth the hype).

Ready to Get Your SOC 2 On? Let’s Talk About What It Really Means

SOC 2 has a set of criteria for you to meet. These criteria are chunked up into five categories called “trust service categories,” each of which requires particular controls. Let’s break those bad boys down in a table:

The Five SOC 2 Trust Service Categories
Security	Protection from unauthorized access and use, modification, or destruction of data or systems.
Availability	Ensures data or systems are available for use as agreed with or expected by your customers.
Confidentiality	Similar to the “Security” category — protects data and systems from unauthorized access, use, etc.
Integrity	Ensures that data is processed correctly: authorized, promptly, accurately, and completely.
Privacy	Ensures data is treated as per privacy laws: this includes collection, use, modification, and disposal of the data.

The SOC 2 Certification Process: Where Do You Even Start?

The good thing about the process is that you’re not the first to tackle it. There’s a whole industry behind gaining SOC 2 accreditation, and there’s a tried-tested-trusted methodology that you’ll apply to your own business. This is what it looks like, roughly:

You’ll be busy defining your scope and maintaining compliance, while your SOC 2 auditor will be auditing, testing, and reporting like a pro. Because they are the pro, and you’re not.

Step 1: Define Scope

Here’s where you’ll decide what in your business is relevant to SOC 2. What customer data do you use? What systems do you use? How do you use the data? Not every aspect of your business will be relevant to SOC 2, and only the “Security” trust service category is mandatory.

Step 2: Audit Controls

Behold, your independent and qualified SOC 2 auditor strides about your business, taking a long, hard look at the security controls you have hurriedly put together to protect that sacred data. They might be looking for the existence of things like:

All the encryption that ever was.
Properly configured MDM.
An IT asset register that’s actually up to date.
Remote lock & wipe facility for your mobile fleet.
DNS filtering.

..and more.

Step 3: Test Controls

Once your auditor has listed the controls you have in place, it’s time to test them out. They’ll do this by talking to your people and observing them in action, reviewing your data security policies, and trying to bust through your controls, e.g., to get unauthorized access to some of that sweet, sweet data; or maybe testing how you process your data to check for completeness.

Step 4: Report

Here’s where your auditor sits down with a tall beer, writes up their findings, and hands you over their report. There are two types of report, and you’ll have agreed with your auditor beforehand which report they’ll prepare for you:

SOC 2 Audit Report	What it covers
Type 1	This reports on your controls at a snapshot in time, e.g., yesterday
Type 2	This reports on your controls over a period, e.g., over six months

I Have My SOC 2 Report, And Now I’m Depressed

No, no, no. You should be setting fire to beacons because now you know how to get fully SOC 2 compliant. You’ve been handed a list of checkmarks and gaps, which are your path to glory because when you’ve finished remediating them (fixing them), you’ll be SOC 2 compliant.

Your first step is putting together a gap remediation plan. Its elements look something like this:

SOC 2 Gap Remediation Plan Elements
What it is	What it does	Example
Nature of gap	Describes the gap to be remediated	Cripes! The OS on fleet devices hasn’t been updated for months
Cause of gap	Identifies why this gap happened/keeps happening	Automatic updates not switched to “on”/ Users can bypass update messages
Risk of gap	Assess the likelihood of bad stuff happening and the consequences if it goes unresolved. This helps you put your gap fixes in priority order.	Hackers can attack known vulnerabilities in outdated software: risk is high, so let’s prioritize this.
Action to take	Notes on how you will fix this gap, who’s responsible for fixing it, the timeline, who’ll be monitoring the fix, etc.	Joe will configure MDM to enforce automatic updates by Tuesday. Samir will amend the acceptable use policy to specify employees must accept updates by the end of the month. Neela will monitor the fix.

Gap Remediation Is A Thing, And We Do It

If you’re not sure how your IT infrastructure can stand up to the SOC 2 certification process, then that’s perfectly normal. It can seem overwhelming, and not every, or even any, organization gets it right the first time. SOC 2 accreditation is an effort, taking resources and time, but the benefits of accreditation are cool, and you’ll never be starting from scratch. For instance, our style of MDM checks off 28 SOC 2 controls alone. If you’re thinking of SOC 2, or have just been handed a report the size of a bus by a laughing SOC 2 auditor, call us because we can help you fix (remediate) those gaps quickly.

Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us now – chatting about IT support and cybersecurity is our favorite thing to do!

5 Overlooked Ways Device Inventory Management Boosts Cybersecurity

Hybrid Workforce Management: IT Solutions for the Distributed Workforce

Adolescence can be brutal.

You bombed the big test. A growth spurt left you with pants that stop at your shin. The school jokester snuck a bag of live bait in your locker.

You're now past all that, but what's changed? Your new biz is hitting roadblocks, it's not prepared for scaling, and its cybersecurity can't stop worm attacks (see what we did there?)

The good news? We know IT solutions for startups, and we can help you pass that test, stay in clothes that fit, and keep your stuff safe.

Contact us today to get started.

CONTACT

SEARCH

CATEGORIES

Geeks made out of real people.

Contact Us

Are you a...*
- New Customer
- Existing Customer
What is your name?*
First
What is your phone number?*
What is your email?*
How can we help?
Name
This field is for validation purposes and should be left unchanged.