SOC 2 Posts


33 Essentials for Your SOC 2 Readiness Assessment

If you are considering a SOC 2 Readiness Assessment, now is the time to think critically about what you want out of that process. Most companies pursuing a SOC 2 Readiness Assessment see it as their smooth on-ramp into a full SOC 2 examination, and as a way to preemptively identify and resolve any major gaps in their security program.

In almost any imaginable case, that approach is dramatically better than getting knee-deep into an audit and discovering that you have a huge pile of urgent remediations that you need to take care of in order to obtain a clean SOC 2 report (an "unmodified opinion"). If you find yourself discovering major SOC 2 shortcomings during an audit, something went very wrong during your readiness effort.

So, SOC 2 Readiness Assessments are a good thing, right? Yes. But only if you pick one that is rooted in TSP Section 100.


SOC 2 Readiness Assessment, Contractors, and Commitments

SOC 2 Readiness Assessment has become a buzzword amongst the community of founding teams that are starting companies that sell their services to big businesses. And why shouldn't it be? Most startups with that particular go-to-market strategy will almost certainly need to successfully complete a SOC 2 examination to satisfy enterprise requirements at some point now or in the future. So, "readiness" is a natural first step.

Today we'll zoom in on a particularly misunderstood topic -- one that is even misunderstood by many of the SOC 2 Readiness Assessment providers. If it's misunderstood by some of the companies that are conducting SOC 2 Readiness Assessments, we'll bet it's also misunderstood by the founder-led teams that they serve.

Today's misunderstood topic is the interplay between service organization commitments and contractors.


9 Small Business Cybersecurity Wakeup Calls for Founders

Every day we talk with startup founders about small business cybersecurity. Although we'd love to speak with founders that spontaneously decided to "do more" about cybersecurity, our conversations usually start very differently than that.

Most often, there is a very specific and urgent cybersecurity-related need at hand, and an urgent call to our team for help thinking it through. We're happy to help -- not a problem! However, for the benefit of founders that haven't yet hit one of those moments, here's what folks a few steps ahead of you are running into. We're glad to help with these more proactively if you'd like, to save a hectic scramble later.


The Fundamental Flaw in Your SOC 2 Compliance Checklist

Companies seeking to obtain a SOC 2 report are often in a hurry. So, what's wrong with searching for a SOC 2 Compliance Checklist? Maybe this whole SOC 2 examination thing can be a quick, simple matter of working through a checklist and obtaining a report? Not quite.

Although we specialize in helping companies prepare for SOC 2 examinations -- and we've gone to great lengths to ensure that we are attuned to the most common security controls that SOC 2 auditors tend to evaluate -- auditors are required (for good reason) to maintain independence. That means that no provider (not Havoc Shield or anyone else) can supply the perfect checklist of items that is sure to lead to a clean SOC 2 report (an "unmodified opinion").


Getting Ready for a SOC 2 Readiness Assessment

If you've begun to explore the possibility of obtaining a SOC 2 report, you may have heard that a SOC 2 Readiness Assessment is a good place to begin the journey. That's reasonable advice. Just as you wouldn't invite a financial auditor to review your financials without taking preliminary steps to ensure that your financial statements are in order, you wouldn't pursue a SOC 2 examination if you didn't have reason to believe that you had the necessary security practices in place to perform well under professional scrutiny. For that reason, the following sequence has become popularized:


SOC 2 Readiness Assessment: Commitments to Customers

No one wants a SOC 2 examination to go poorly. For most organizations, getting to a SOC 2 report that reflects favorably on the company's security practices is essential. Often there are customers or partners pressing for evidence of a SOC 2 report. When that's the case, the process of engaging an auditor to conduct an examination is one that can cause some anxiety. The concept of a SOC 2 Readiness Assessment has become popular as one of the ways to reduce the odds of unexpected surprises during the examination.

One of the central topics in a SOC 2 Readiness Assessment is the concept of "commitments to customers" -- specifically, determining precisely what commitments an organization has made to their customers. Was there a 99% uptime commitment, or was it 99.5%? Was the commitment made uniformly to all customers, or are there some marquee customers that were promised 99.9%? This is an example of one type of commitment that might come up during a SOC 2 Readiness Assessment.

For organizations that have never previously been through a SOC 2 examination, it may take substantial effort to gather the documents needed to fully understand what commitments have (and haven't) been made to customers. That's the purpose of this post: to suggest some of the items to gather to be prepared to substantiate what commitments to customers exist. Here's our take:


SOC 2 Obligations for Board of Directors Members

SOC 2 involves internal procedures for the company's employees and doesn't involve any board of directors involvement, right? Wrong. In this post, we'll offer some insights into the ways in which a company's board of directors should expect to be involved in the company's SOC 2 efforts.


SOC 2 Compliance Checklist #Fails

We've seen many attempts at a SOC 2 compliance checklist over the past few years as more and more companies have become interested in obtaining a SOC 2 audit report. Unfortunately, there are fundamental flaws that we routinely see in these types of checklists. Today we'll dive into the flaws to watch out for -- ones that could lead to extreme frustration if you were to complete a SOC 2 compliance checklist and later discover (with an auditor present) that you are far from ready for a SOC 2 audit. Here's the scoop.


Movies, Photographs, and SOC 2 Type 1 vs Type 2

Would you rather talk about movies, photographs, or SOC 2 Type 1 vs Type 2? If your answer was "all of the above" then you've come to the right place.

Amongst companies evaluating the possibility of obtaining a SOC 2 report, there's been some confusion about the difference between SOC 2 Type 1 vs Type 2. Let's see if we can clear that up; here's what the AICPA says about it.


SOC 2 Compliance Checklist: Pre-Audit Steps

Thinking of engaging a SOC 2 auditor? Good thinking. Successful completion of a SOC 2 audit carries a great deal of credibility, especially for small organizations seeking to do business with large enterprises. Heading into your SOC 2 audit (and in fact, before you engage an auditor) you should have a SOC 2 compliance checklist in mind. That checklist should contain the things that you believe you will need to demonstrate to the auditor.

A common misperception is that the SOC 2 process is designed to help you implement additional controls and processes. Not so. The SOC 2 audit is designed to evaluate your organization's practices, on the premise that you already have the controls and processes in place.
