SOC 2 Posts

If you are considering a SOC 2 Readiness Assessment, now is the time to think critically about what you want out of that process. Most companies pursuing a SOC 2 Readiness Assessment see it as their smooth on-ramp into a full SOC 2 examination. And, they see it as a way to preemptively identify and resolve any major gaps in their security program.

In almost any imaginable case, that approach is dramatically better than getting knee-deep into an audit and discovering that you have a huge pile of urgent remediations that you need to take care of in order to obtain a clean SOC 2 report (an "unmodified opinion"). If you find yourself discovering major SOC 2 shortcomings during an audit, something went very wrong during your readiness effort.

So, SOC 2 Readiness Assessments are a good thing, right?  Yes. But only if you pick one that is rooted in TSP Section 100.

SOC 2 Readiness Assessment has become a buzzword amongst the community of founding teams that are starting companies that sell their services to big businesses. And why shouldn't it be? Most startups with that particular go-to-market strategy will almost certainly need to successfully complete a SOC 2 examination to satisfy enterprise requirements at some point now or in the future. So, "readiness" is a natural first step.

Today we'll zoom in on a particularly misunderstood topic -- one that is even misunderstood by many of the SOC 2 Readiness Assessment providers. If it's misunderstood by some of the companies that are conducting SOC 2 Readiness Assessments, we'll bet it's also misunderstood by the founder-led teams that they serve.

Today's misunderstood topic is the interplay between service organization commitments and contractors.

Companies seeking to obtain a SOC 2 report are often in a hurry. So, what's wrong with searching for a SOC 2 Compliance Checklist?  Maybe this whole SOC 2 examination thing can be a quick, simple matter of working through a checklist and obtaining a report?  Not quite.

Although we specialize in helping companies prepare for SOC 2 examinations -- and we've gone to great lengths to ensure that we are attuned to the most common security controls that SOC 2 auditors tend to evaluate -- auditors are required (for good reason) to maintain independence.  That means that no provider (not Havoc Shield or anyone else) can supply the perfect checklist of items that is sure to lead to a clean SOC 2 report (an "unmodified opinion").

If you've begun to explore the possibility of obtaining a SOC 2 report, you may have heard that a SOC 2 Readiness Assessment is a good place to being the journey. That's reasonable advice.  Just as you wouldn't invite a financial auditor to review your financials without taking preliminary steps to ensure that your financial statements are in order, you wouldn't pursue a SOC 2 examination if you didn't have reason to believe that you had the necessary security practices in place to perform well under professional scrutiny. For that reason, the following sequence has become popularized:

No one wants a SOC 2 examination to go poorly. For most organizations, getting to a SOC 2 report that reflects favorably on the company's security practices is essential. Often there are customers or partners pressing for evidence of a SOC 2 report. When that's the case, the process of engaging an auditor to conduct an examination is one that can cause some anxiety. The concept of a SOC 2 Readiness Assessment has become popular as one of the ways to reduce the odds of unexpected surprises during the examination.

One of the central topics in a SOC 2 Readiness Assessment is the concept of "commitments to customers" -- specifically, determining precisely what commitments an organization has made to their customers. Was there a 99% uptime commitment, or was it 99.5%? Was the commitment made uniformly to all customers, or are there some marquee customers that were promised 99.9%? This is an example of one type of commitment that might come up during a SOC 2 Readiness Assessment.

For organizations that have never previously been through a SOC 2 examination, it may take substantial effort to gather the documents needed to fully understand what commitments have (and haven't) been made to customers. That's the purpose of this post: to suggest some of the items to gather to be prepared to substantiate what commitments to customers exist.  Here's our take:

SOC 2 involves internal procedures for the company's employees and doesn't involve any board of directors involvement, right? Wrong. In this post, we'll offer some insights into the ways in which a company's board of directors should expect to be involved in the company's SOC 2 efforts.

We've seen many attempts at a SOC 2 compliance checklist over the past few years as more and more companies have become interested in obtaining a SOC 2 audit report. Unfortunately, there are fundamental flaws that we routinely see in these types of checklists. Today we'll dive into the the flaws to watch out for -- ones that could lead to extreme frustration if you were to complete a SOC 2 compliance checklist and later discover (with an auditor present) that you are far from read for a SOC 2 audit.  Here's the scoop.