One of the most critical steps is selecting members to lead the initiative. Many organizations start planning for SOC 2 thinking they can delegate responsibilities solely to members of the IT and information security staff.
Although members of those teams will play a big part in the process, your core SOC 2 team will also include HR, legal and other business units as well. This blog will help you understand your core SOC 2 team and how to build it.
Let's break down the essential positions on this team:
- Executive sponsor - ultimately, this person must be able to answer as to why the organization is pursuing SOC 2. This person must also be able to understand and continuously explain why, for example, next year's revenue depends on completing SOC 2. It will also help if this individual had some experience with risk management. If you have a particularly complex organization, your executive sponsor will have a lot of work to do.
- Project manager - this person will help drive the SOC 2 effort and manage the day-to-day responsibilities of gathering information, scheduling resources, etc. Your project manager doesn't necessarily need to fully understand the requirements for SOC 2 certification or have compliance expertise, but they need to be good at getting tasks completed across the organization.
- Primary author - you need someone senior in the primary author position who can handle some quasi-legal technical writing. This person also needs to understand the business and operations, otherwise that person will be ineffective when interviewing other teams, thus slowing down your entire SOC 2 progress.
- Legal - as you begin creating and refining policies, ask your legal team for input early in the process. They will also play an important part in working with your business partners and third party vendors when contracts need to be updated. Your legal team’s counsel and support of your audit will be an ongoing need even after the initial audit is finished, as you will continually tune your documentation year over year.
- IT/security - your security and technology teams will have a large volume of technical functionality that needs to be conceptualized, built and proven during an audit. This is high-intensity work, and much of it revolves around making sure your organization can detect and respond to a security incident. Coming out of the audit, you will likely need to purchase additional tools, such as an intrusion detection system. And you may need to change the way your organization controls physical access to your office building or data center. Thus, you may need to hire additional security and technology resources to help these teams shoulder the workload due to the sheer volume of items that are required during and after the audit.
- External consultant (optional) - if your organization or team is new to SOC 2, it might make sense to also hire a third-party consultant to help guide you through the process. This consultant, likely a CPA (Certified Public Accountants), will bring a broad range of expertise to your audit and have extensive knowledge of the Trust Services Principles (renamed to Trust Services Criteria in 2018). The Trust Service Principles, defined by the AICPA (American Institute of CPAs), include security, availability, processing integrity, confidentiality, and privacy. The consultant will help you figure out which principles apply to the scope of your audit and how any of your organization’s compliance requirements, such as PCI or HIPAA, incorporate into SOC 2. Once you receive the SOC reports from your auditing firm, the consultant can help you interpret the changes that need to be made to each specific internal control.
Also, keep in mind that although your other employees aren’t officially part of your team, treat them as auxiliary members. They will be significantly affected by the changes you make during the SOC 2 initiative. Specifically, the new policies and procedures you create will change the way they work, particularly around the processing integrity of sensitive data such as customer data and personal information. For example, SOC 2 requires that service providers have fairly strict password requirements, which may prompt you to install a password management system. Learning and using this new password system will create more work for your users - at least initially. Be prepared for some pushback, and ensure your SOC 2 team is ready to handle questions and criticism.
If you read the team requirements above and now feel completely overwhelmed, don’t panic. You might find that the skills you need for SOC 2 might already exist in your organization - within one person or many. For example, you can’t start the project without an executive sponsor, project manager, and writer - but it could be that your executive sponsor and project manager are the same people. Additionally, that person might be in the security department, so they will bring some security know-how to the table as well. At the end of the day, the leadership team can come from any department. But their expertise in that department is separate from the responsibilities they hold on the SOC 2 team.
As far as the amount of work to expect for your SOC 2 team, it mostly depends on your organization’s current configuration and history. For example, if you have been through three acquisitions and had to merge complex legacy infrastructures, be prepared for your technical team and your technology leader to do a larger share of the work. But on the flip side, if you have a global team with multiple offices, your executive sponsor is going to have a substantial amount of work selling the SOC 2 initiative and securing buy-in.
In addition to understanding the workload balance between departments, you need to set realistic timelines for each team’s tasks. Typically, your legal and HR teams should be able to handle the workload on their own, but you should expect longer lead times for certain items, such as updating legal contracts. On the other hand, the IT and security teams may be able to churn through their workload faster, but due to the larger volume of tasks, you may need to support them with extra temporary staffing help.
Picking a great team is your first big step towards SOC certification. The members you select will need to work hard and wear many different hats, but with the right combination of organization and determination, your team will be on its way to a successful audit.
Looking for more resources on SOC 2? Check out Comply, a free resource center for SOC 2 certification.