Key Concepts For SOC 2 Type 1
The first time I went through SOC2 I wasted way too many hours on Google trying to figure out best practices. It drove me nuts how much was written without actually telling me anything actionable. Why wasn’t there a simple summary to understand:
- How long will a SOC 2 Type 1 audit take?
- How much will SOC 2 Type 1 cost?
- What are best practices for each policy?
Two years later, we decided to write our own. This is the first in a series of blog posts that answer each of those questions in detail.
What To Expect
If you are new to compliance, it’s easy to confuse SOC 2 Type 1 and SOC 2 Type 2. SOC 2 Type 1 is different from Type 2 in that a Type 1 report assesses the design of security processes at a specific point in time, while a Type 2 report (also commonly written as “Type ii”) assesses how effective those controls are over time by observing operations for six months.
If that weren’t confusing enough, SOC 2 is different than SOC 1, which focuses on an organization’s financial statements and financial reporting. It’s also different than SOC 3, which reports on the same information as SOC 2, but in a format intended for a more general audience.
SOC 2 is Voluntary
It is important to note that pursuing SOC 2 is voluntary and not necessarily motivated by compliance or other regulations, such as HIPAA or PCI-DSS. Many SaaS and cloud computing organizations, such as IT managed service providers, want to demonstrate that they are properly protecting data within their data center and information systems. It is also common for customers (known as user entities in SOC terminology) to reach out to partners and request results from an auditor’s tests.
Step 1: Form Your Team
The first step in SOC2 Type 1 is team formation.
Start with an executive sponsor who will lead the project and help navigate the office political landscape. Expect that at many points during the process you will step on someone’s toes and insist their team changes its habits. When that time comes, you’ll need a powerful advocate to overcome objections.
You will then need team leads from each department, including HR, Technology, Sales, etc. A lot of the burden will be shouldered by technology teams, so you will need a representative who understands, for example, how to enforce access controls to your most sensitive data.
Because there is so much writing, you will need an author able to collaborate with each team lead and translate their business needs into policies.
If you have the budget, you may find it helpful to also include a compliance consultant. While it’s not a requirement, that person’s expertise can help avoid wasted time and effort. Just be sure they’re appropriate for your team’s size and stage. Too many times consultants propose overly complex policies more suited for teams with dedicated compliance teams and a lot more funding.
Step 2: Limit Scope
Once your team is formed, you will want to define scope. SOC 2 reports are based on the Trust Services Principles (renamed to Trust Services Criteria in 2018) defined by the AICPA, and report on controls at a service organization relevant to security, availability, processing integrity, confidentiality and privacy. You will use these principles to guide and limit the scope of your audit. If your organization specializes in one particular service, perhaps only a small number of the Trust Services Principles will apply, and therefore your scope will be small. If your organization offers a variety of services, it makes sense to narrow the scope as much as possible. Work with your team to identify areas where the principles don’t seem applicable. It is common for service organizations to have separate SOC reports for the various services they offer.
Once scope is fully defined, you will write and refine policies. This is a large effort and needs to be led by someone senior on your team. The policies are intended to complement each other and create a system of checks and balances. You can avoid a lot of unnecessary technical work by rewording policies up front.
We’ve created open source SOC 2 templates for every single SOC 2 policy. You can download each and customize them to suit your specific business needs. They’re 100% free.
Step 3: Implementation
At this point, you are ready for the implementation phase, which will identify many gaps you need to address with tools and procedures. Your goal during implementation shouldn’t be perfection. Don’t spend a lot of time arguing over policy details, but limit scope where you can and continue moving forward even if you have existing gaps. This phase shouldn’t take more than two months. You will also select a firm to conduct the audit, and when you have a good idea of when the implementation phase will be complete, you can get your audit on the auditing firm’s calendar. In the meantime, test the new procedures you’ve created and validate that tickets are being created and resolved appropriately. Additionally, ensure your new HR onboarding and offboarding procedures are being followed and documented.
When the specified date of the audit arrives, the audit team will commence testing, which typically includes interviews with staff, walkthroughs of your physical space and a thorough review of your documentation before the audit report is created. Then, the results of the testing will be compiled, and the auditor will work with you to clarify any necessary exceptions. Finally, the SOC 2 Type 1 report will be generated.
In conclusion, SOC2 Type 1 is a snapshot of an organization’s controls, and is a good starting point when working towards a SOC2 Type 2, in which an auditor will assess the operating effectiveness of those controls over time. Learn how strongDM makes SOC 2 compliance easier for high-growth startups and schedule a demo today.