- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
The first time I went through SOC 2 I wasted way too many hours on Google trying to figure out best practices. It drove me nuts how much was written without actually telling me anything actionable. Why wasn't there a simple summary to understand:
- How long will a SOC 2 Type 1 audit take?
- How much will SOC 2 Type 1 cost?
- What are the best practices for each policy?
Two years later, we decided to write our own. This is the first in a series of blog posts that answer each of those questions in detail.
🎉 Have you heard? StrongDM offers a free and completely self-paced online SOC 2 Course.
SOC 2 Type 1 vs. Type 2
If you are new to compliance, it’s easy to confuse SOC 2 Type 1 and SOC 2 Type 2. SOC 2 Type 1 is different from Type 2 in that a Type 1 assesses the design of security processes at a specific point in time, while a Type 2 report (also commonly written as “Type ii”) assesses how effective those controls are over time by observing operations for six months.
If that weren't confusing enough, SOC 2 is different than SOC 1, which focuses on an organization's financial statements and financial reporting. It's also different than SOC 3, which reports on the same information as SOC 2, but in a format intended for a more general audience.
Is SOC 2 a Requirement?
It is important to note that pursuing SOC 2 is voluntary and not necessarily motivated by compliance or other regulations, such as HIPAA or PCI-DSS. Many SaaS and cloud computing organizations, such as IT-managed service providers, want to demonstrate that they are properly protecting data within their data centers and information systems. It is also common for customers (known as user entities in SOC terminology) to reach out to partners and request results from an auditor's tests.
3 Steps Towards a SOC 2 Type 1 Certification
Step 1: Form Your Team
The first step in SOC 2 Type 1 is team formation.
Start with an executive sponsor who will lead the project and help navigate the office political landscape. Expect that at many points during the process you will step on someone's toes and insist their team changes its habits. When that time comes, you'll need a powerful advocate to overcome objections.
You will then need team leads from each department, including HR, Technology, Sales, etc…A lot of the burden will be shouldered by technology teams so, you will need a representative who understands how to enforce access controls to your most sensitive data, for example.
Because there is so much writing, you will need an author able to collaborate with each team lead and translate their business needs into policies.
If you have the budget, you may find it helpful to also include a compliance consultant. While it's not a requirement, that person's expertise can help avoid wasted time and effort. Just be sure they're appropriate for your team's size and stage. Too many times consultants propose overly complex policies more suited for teams with dedicated compliance teams and a lot more funding.
Step 2: Limit Scope
Once your team is formed, you will want to define scope.
SOC 2 reports are based on the Trust Services Criteria (renamed from Trust Service Principles in 2018) defined by the AICPA and report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. You will use these principles to guide and limit the scope of your audit. If your organization specializes in one particular service, perhaps only a small number of the Trust Services Principles will apply, and therefore your scope will be small. If your organization offers a variety of services, it makes sense to narrow the scope as much as possible. Work with your team to identify areas where the principles don't seem applicable. It is common for service organizations to have separate SOC reports for the various services they offer.
Once the scope is fully defined, you will write and refine policies. This is a large effort and needs to be led by someone senior on your team. The policies are intended to complement each other and create a system of checks and balances. You can avoid a lot of unnecessary technical work by rewording policies upfront.
Step 3: Implementation
At this point, you are ready for the implementation phase, which will identify any gaps you need to address with tools and procedures. Your goal during implementation shouldn't be perfection. Don't spend a lot of time arguing over policy details, but limit scope where you can and continue moving forward even if you have existing gaps. This phase shouldn't take more than two months. You will also select a firm to conduct the audit, and when you have a good idea of when the implementation phase will be complete, you can get your audit on the auditing firm's calendar. In the meantime, test the new procedures you've created and validate that tickets are being created and resolved appropriately. Additionally, ensure your new HR onboarding and offboarding procedures are being followed and documented.
When the specified date of the audit arrives, the audit team will commence testing, which typically includes interviews with staff, walkthroughs of your physical space, and a thorough review of your documentation before the audit report is created. Then, the results of the testing will be compiled, and the auditor will work with you to clarify any necessary exceptions. Finally, the SOC 2 Type 1 report will be generated.
In conclusion, SOC 2 Type 1 is a snapshot of an organization's controls and is a good starting point when working towards a SOC 2 Type 2, in which an auditor will assess the operating effectiveness of those controls over time. Learn how StrongDM makes SOC 2 compliance easier for high-growth startups or schedule a no BS demo today
About the Author
Schuyler Brown, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.