Demystifying the SOC 2 Process
Published on October 30, 2023
There is a lot of discussion these days about how best to respond to the variety and volume of vendor security questionnaires, which request information about your organization's internal policies, procedures, and controls. One recommended way to respond is to complete a third-party assessment or certification report. These reports provide most of the required information while showing that your organization has been examined by a qualified third party to affirm your security posture and validate that proper controls are in place. It is also an effective way to differentiate your organization from competitors who have not completed qualified assessments or certifications.
One such report is a SOC 2 examination. However, not all SOC 2 reports are created equal, nor are the issuers of SOC 2 reports.
It's not hard to find organizations that promise you can be "SOC 2 certified" in a very short period of time. But these are false promises, as there is no such thing as a SOC 2 certification. A SOC 2 is an examination or attestation that provides an auditor's opinion about the design of specific controls at a point in time (Type 1 report) or the design and operating effectiveness of those controls over a period of time (Type 2 report).
Let's take a closer look at what you can expect throughout the SOC 2 process, including the length of examinations, how to tailor the examination to your requirements, and key questions to ask to select a qualified partner.
How long does the process take?
Your organization will not be able to effectively prepare, provide the required evidence, and have the external auditing firm perform the correct testing procedures in a mere few weeks. No matter what automated tool someone may push, a qualified auditor must determine if the evidence provided satisfies the appropriate testing procedures. While some tools can help you quickly gather evidence to provide to the auditor, the tool can't complete a SOC 2 examination for you.
So now you may be asking, "How fast can I get a SOC 2 report issued?" That's a great question, and the answer depends on several factors. The first is which SOC 2 Trust Services Criteria (TSC) are relevant to your organization. Other factors that can affect the length of the examination process include:
- The size of your organization
- The maturity of your information security program
- The number of systems/applications in scope
- The resources you have available to assist the auditing firm with gathering evidence
- Existing governance, risk, and compliance (GRC) tools you are using
Given all of these considerations, you may be wondering how other firms can promise a quick process. It depends on the firm, but many of them are trying to sell you an automated tool that aids in preparing for a SOC 2 examination rather than actually performing the SOC 2 examination. To issue a SOC 2 report, an organization must be a CPA firm registered with the American Institute of Certified Public Accountants (AICPA). Some of the companies trying to sell you a tool aren't CPA firms themselves but may be partnered with a CPA firm. The company provides the tool and then hands the process off to the CPA firm for the actual examination. Since your organization is selecting the tool and not the actual firm, however, that CPA firm may or may not be the right fit for your organization.
Can I tailor the examination to my specific needs?
One of the advantages of a SOC 2 over other potential examinations or certification reports is that it gives you the freedom to customize the in-scope controls to your organization. Other frameworks (e.g., HITRUST) dictate specific control language that you must meet. With SOC 2, you work with the auditing firm to determine which controls are appropriate for your organization and how many should be included. As long as you meet the SOC 2 TSC, the control wording is up to you. Some tools being sold include over 125 controls in scope for which they want you to provide evidence. However, if you are a smaller organization covering only the Security category of the TSC, you may require only about 70 of these controls.
There are five categories within the SOC 2 TSC. They are Security, Availability, Processing Integrity, Confidentiality, and Privacy. You must use the Security category (also called the Common Criteria), but the other categories are optional. You can choose one or more of the remaining categories for your examination scope.
How do I get started?
Now you're probably thinking... "Okay, what do you recommend we do? How are we supposed to start this process?" Again, great questions. Start by asking yourself:
- Why do you want to obtain a SOC 2 examination report (e.g., contractual requirement, marketing tool, internal initiative, etc.)?
- What is your timeline for obtaining a SOC 2 examination (e.g., six months, one year, etc.)?
- Do you understand the SOC 2 requirements, or will you need substantial assistance throughout the process?
- Do you have a complex environment, or do you only have a small application hosted by someone else (e.g., AWS)?
In addition to asking these questions yourself, a quality SOC 2 examination firm should ask similar questions to understand how best to assist you on your journey to getting a SOC 2 report. That indicates a firm that wants to be a true partner rather than one focused on merely issuing a commoditized report.
You should also ask questions of the potential SOC 2 examination firm prior to engagement. These include:
- Do I get to customize my control set, or do I have to use a specific tool's control set?
- Do you provide a formalized readiness assessment to help us determine what potential control/evidence gaps we may have?
- Do you provide remediation assistance to help us determine if we are closing any identified gaps?
- We have a GRC tool with our control set and some policies/procedures. Can you work from that GRC tool instead of the one you normally use?
- What happens if an exception is identified during testing?
A qualified partner for your SOC 2 journey
This is a lot of information, which can be overwhelming to organizations that are new to SOC 2s. But don't let that discourage you. Meditology Services is here to provide you with a steady, guiding hand throughout your journey to obtaining a SOC 2 examination report. Our team has completed dozens of successful SOC 2 examinations over the years and is committed to serving as a trusted partner to our clients. We would gladly answer any questions, provide some basic education, and discuss an approach that will work best for your organization. Contact us here to learn more.
About the authors
Alan DeVaughan is an experienced compliance and information security senior manager who has specialized in assisting organizations with SOC 2 readiness assessments and examinations for over 10 years. In addition to leading the firm's SOC 2 service line, he serves as a consultant team leader focused on advising healthcare clients of varying sizes and complexity in areas of IT, privacy, security, and compliance. Alan has in-depth knowledge of security technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and FFIEC. With a background in network administration, he has over 25 years' experience in information technology consulting for a wide variety of organizations and industries.
Shannon McNally is an experienced compliance and information security manager specializing in assisting organizations with SOC 2 readiness assessments and examinations. In addition to SOC 2 examinations, she serves as a project and delivery manager focused on advising healthcare clients of varying sizes and complexity in areas of IT, privacy, security, and compliance. Shannon has in-depth knowledge of security technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and SOX. Shannon has over a decade of experience in the healthcare industry, working with and for different electronic medical record organizations and healthcare providers across the country.