
How To Stay SOC 2 Compliant | Advice For This Year's Audit

It’s safe to say that not many service providers look forward to SOC 2 compliance. I'd guess not many of you have the AICPA on speed dial.

Whether you're preparing for a Type 1 or a Type 2 report, audits tend to be perceived as events that you prepare for and complete, after which they go away - at least for a while.

To stay SOC 2 compliant, we suggest a paradigm shift. Treat compliance as a continuous process rather than a point-in-time event. Unlike taxes, there is no 'audit season.' Here are some tips for always being prepared for your next audit.


Embrace the idea that policies and procedures evolve

After spending considerable time getting your policies and procedures just right to address the trust services principles, it’s tempting to step back and say, “Good, we finally have all this great documentation, now let's not touch it again until we absolutely have to!” However, updating your policies and internal controls is a good thing - provided you have adequate documentation of who made the changes, as well as evidence that the new policy was communicated to the appropriate parties. This applies both to internal teams and to vendor management. Some changes will be straightforward, such as adding or removing an approved vendor. Others, such as adopting source control, will be more involved. However, keeping your policies under source control gives you greater visibility into who made changes and when, which provides you with a built-in audit trail.

Declare your repetitive procedures using an automated scheduler

To stay SOC 2 compliant, there are a large number of tasks that occur infrequently but still require your attention on a regular basis. For example, your data classification, information security, system and organization controls, change management, risk management, customer data, and even financial information will need to be reviewed once a year. If you skip it, you’ll regret it, especially for a Type II report. Access reviews should happen much more frequently but can still be forgotten without a forcing function. Don’t try to keep all the tasks and schedules in your head. Instead, use a calendaring or task app to set these reminders for you on a daily, weekly, monthly, quarterly, or yearly basis.

Find your allies in HR and IT

You depend on your internal colleagues as much as your CPA firm to complete SOC reports and deliver a smooth audit. Look for the person or people on those teams who are detail-oriented and appreciate the structure that policies and procedures provide. Train them on the audit process and on how critical a ticketing system is to tracking all the relevant SOC 2 compliance activities, and emphasize that without such a system, many important tasks will slip through the cracks. One example of a task requiring a ticket is the onboarding or offboarding of employees. This task usually involves several people and departments within your organization and typically requires detailed checklists for the various steps, such as account creation, laptop and mobile device setup, and physical keycard assignment. Simply sending emails or using an ad hoc tool like Google Sheets will not be sufficient when you’re under pressure to deliver evidence to an auditor.

Delegation is your friend

There are many evidence collection tasks required throughout the year, but don’t feel like you have to do everything yourself. You could lose both your hair and your mind - and still not get everything done. Remember that this is a team effort, so rely on your ticketing system to monitor tasks and delegate as necessary. This will help your team maintain familiarity with the system and processes and keep you from having to retrain everyone from scratch right before next year’s Type II report. You wouldn't want to be caught off guard by new compliance requirements.

Send out quarterly status updates that confirm your systems are working

It’s a good idea to regularly communicate the effectiveness of your SOC 2 compliance program, for both a Type 1 report and a Type 2 report. This not only keeps your staff in an “always auditing” state of mind but demonstrates to your management team that their investment in ensuring processing integrity is paying off. There are several statistics you can include in these updates. For example, you can share how many compliance tickets were opened and closed during the last quarter. You can also summarize how many policies have been created or updated. These updates also demonstrate that your team is always thinking about the next audit, so that if any gaps develop in the meantime, you can address them quickly before they bubble up and become insurmountable. That way, your service organization's controls are always up to date. Yes, audits can be a thorn in your side that you’d probably rather ignore, but keep your organization thinking about them throughout the year. Make good use of your ticketing system, and continually tune your policies and procedures. These efforts will be well worth it when your next audit rolls around.

To learn more about how StrongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.

