If your business handles data that belongs to your clients, or your clients’ clients, then you’ll need SOC 2. It’s a must-have if you store your customers’ data in the cloud. But you already know this, because you take cybersecurity compliance seriously, and achieving SOC 2 certification has been on your to-do list since Jurassic Park (the good one) landed.
So if you think it’s time to get SOC 2 certification, here’s our uber-helpful ultimate SOC 2 cyber security compliance checklist, to make sure you have everything covered.
Wait, SOC 2 Isn’t Mandatory, so Why Should I Bother?
We’ve been through this already. Because helping switched-on businesses achieve SOC 2 is our thing, we beat it to death here and here. Yes, we’re obsessed, and for a good reason. SOC 2 isn’t a pain in the glutes. It’s an awesome business advantage, and here’s why:
- You get a massive shot of credibility. Your clients will trust you with their data, because you’ve proved you take care of it.
- It’s often a qualifier. Sometimes you’re not eligible to play for the big bucks unless you’ve achieved SOC 2.
- It forces you to tighten up your own data and IT security, and that means less risk of uglies like costly data breaches, the potential for legal action, and a shattered reputation.
- You’ll look shinier than your non-SOC 2 competitors.
SOC 2 certification is an industry standard, so let’s get going. Here’s how:
Your SOC 2 Cyber Security Compliance Checklist Starts Here
1. Build Your SOC 2 Framework.
You’ll need a framework, for reasons, but mostly because frameworks give you a way of working that covers it all, and that everyone understands and works with. Just like with HIPAA and other IT standards, it’s good practice to use a cybersecurity compliance framework for SOC 2, to help you:
- Make sure you complete the SOC 2 requirements.
- Prepare properly for your SOC 2 audit.
Yep, you get audited. How else are you going to demonstrate that your data security policies and protocols are doing All The Things? When you choose an auditor, make sure they are a Certified Public Accountant (CPA) or an accountancy firm accredited by the AICPA.
Your framework should contain all the usual project management essentials, such as responsibilities, timelines, communications, and review, but it should also cover:
- Choosing the SOC 2 Trust Service Criteria that apply to your business
- Assessing your current cybersecurity controls for SOC 2 compliance
- Filling in the gaps: do you need further controls to achieve compliance?
- Creating a task list to fill those gaps.
Putting together a robust SOC 2 compliance framework is the first step on your crazy SOC 2 adventure. Through the framework, you’re looking to produce two internal reports that your friendly SOC 2 auditor will use as a basis for their judgment. You’ll produce:
SOC 2 Type 1 Report: This report is a point-in-time snapshot of the controls you have in place, and whether they properly address the trust service criteria. Your auditor will use this report to check a) that you have controls in place and b) that they do the job they’re supposed to do.
SOC 2 Type 2 Report: This report shows how well your controls do the job over a period of time—usually six months.
2. Choose the Right Trust Service Criteria
Say what? You got this. SOC 2 defines how to manage customer data, based on five “trust service criteria”. Sometimes you’ll hear “trust service principles”, but they mean the same thing.
The five criteria are:
- Security: protects against unauthorized access.
- Availability: articulates a minimum accessibility and performance level for your services.
- Processing Integrity: addresses whether your system achieves its purpose.
- Confidentiality: controls access to data.
- Privacy: addresses how you collect, use, disclose and dispose of personal information.
You may not need to jump through all five hoops—only the Security criterion is mandatory. It all depends on what your business does and who it does it with.
3. Assess Your Current Controls
Here’s where the real work happens. You’ll assess what data security systems, controls, and policies you have in place to comply with the trust service criteria you’ve chosen. We’ve put together a quick and dirty guide to the types of cybersecurity controls that can go a long way to satisfy each of the criteria:
Security:
To comply with the Security criterion, you’ll need to show that your cybersecurity systems protect the data from unauthorized access. Cover this through:
- Network and application firewalls.
- Two-factor authentication.
- Intrusion detection.
- Mobile device management.
Availability:
To comply with the Availability criterion, you’ll need to demonstrate that you’re reducing the risk of downtime and loss of service. Cover this through:
- A robust performance monitoring system.
- Clear disaster management and recovery policies.
- Incident handling protocols.
Processing Integrity:
To comply with the Processing Integrity criterion, you’ll need to demonstrate that your service and security protocols are fit for use. Don’t be offended - you’re only making sure that your systems and services achieve what they are supposed to achieve. Cover this through:
- Robust quality assurance, to establish standards and requirements.
- Service Level Agreements with your clients.
- Performance and process monitoring, to make sure that requirements are met.
Confidentiality:
To comply with the Confidentiality criterion, you’ll need to show that only authorized people or roles have access to the data. Cover this through:
- Encryption.
- Access control.
- Network and application firewalls.
Privacy:
To comply with the Privacy criterion, you’ll need to demonstrate that you use personal information in compliance with privacy standards. Cover this through:
- Access control.
- Two-factor authentication.
- Encryption.
Now, it may have crossed your mind that some of these cybersecurity controls cover more than one of the SOC 2 trust service criteria. And you’d be right. Check it out—put some sweet, sweet access control in place, and you’re well on the way to checking off Privacy AND Confidentiality. That’s the beauty of data security controls. You can cover two pizzas with one bucket of Monterey Jack.
4. Define and Fill the Gaps
Now it’s time to assess where your current controls fall short of compliance. You can get your people to do this, but sometimes an outside, independent eye is useful (ahem, that’s us. Shameless).
There are some simple ways to ensure that you have as few gaps as possible. A robust Mobile Device Management (MDM) service, with Cloud Single Sign-On (SSO) as the frosting, comes with a whole truckload of SOC 2 compliance fitted as standard.
MDM is packed full of features that address access control, which checks off elements of the Security, Confidentiality and Privacy criteria. For instance:
- Automated encryption, remote-lock, and remote-wipe functions stop the baddies from getting their mitts on your data
- Automated role-based provisioning and permission levels lock down access to authorized people only
- Automated deprovisioning tightens up access when you let go of staff
Cloud SSO enforces multi-factor authentication to strengthen your single point of entry, and reduces risk by dispensing with the need for users to juggle multiple passwords.
SOC 2 Compliance: Where to Start
SOC 2 is worth it. It’s worth it because you’ll be more trusted, more credible, and have more business opportunities open to you. But it does take time and effort. Even if you’re confident in your ability to ace SOC 2, it can be helpful to be open to an external review, or even a pre-audit audit, to check you’re compliant.
Hint: we’re always here to make the SOC 2 cybersecurity compliance process easier and faster—and sustainable and scalable. We can drop in at any of the stages, from walking you through the process, helping you to create your framework, assessing your current controls, finding gaps—and then plugging them. It’s what we do.
Want to learn even more about our SOC 2 cybersecurity compliance checklist? Contact us for a friendly SOC 2-flavored chat now.