Compliance audits require copious amounts of documentation. A SOC 2 audit for cybersecurity controls is no different.
When the auditing team arrives to perform a SOC 2 audit on your business, you’ll need to provide access to the documentation that defines your security processes, as well as evidence that your policies are aligned with your SOC 2 compliance requirements.
Exactly what documentation you’ll need will depend on which SOC 2 audit you’re undertaking (Type I or Type II) and which “trust services criteria” will be included in the audit.
For example, if you’re only attempting a SOC 2 Type I audit using the “security” trust service criteria, that’s much less documentation necessary than a Type II audit using all five criteria: security, availability, processing integrity, confidentiality, and privacy.
Today we’ll discuss several approaches to collecting compliance documentation for SOC 2. First, however, let’s review SOC 2 compliance and what it entails.
What does SOC 2 compliance mean?
OC 2 is an auditing framework designed to provide assurance in business-to-business relationships. It focuses primarily on service organizations (“SOC” stands for “service organization control”), which the American Institute of Certified Public Accountants defines as:
The entity (or segment of an entity) that provides services to a user organization that is part of the user organization’s information system.
SOC 2 requirements address many business relationships that have the potential to affect proprietary or customer data security—say, a data storage provider hosting the confidential data of its customers. In that relationship, the data storage firm is the service organization and acts as part of its customers’ information systems.
SOC 2 was designed to enforce proper and sufficient security controls to safeguard data. It outlines a framework for implementing those controls but allows organizations to tailor the framework to meet their specific needs.
To learn more, please check out our Guide to SOC 2.
What kind of compliance documentation is required for a SOC 2?
As previously stated, the documentation required for SOC 2 depends on which trust services criteria you want to include in your audit. Those criteria are:
SOC 2 documentation must provide an attestation of data protection controls in place to prevent unauthorized access.
Documentation must define reasonable information security controls that assure the service is available and that all access controls specified in the terms of service are being implemented.
Documentation must provide authentication that all transactions are processed promptly and accurately, with proper authorization, and in accordance with the objectives of that business process or transaction.
Documentation must prove that all private or confidential data is protected according to the cybersecurity policies laid out in the organization’s service agreement.
Privacy of Customer Data
Documentation must show that personal and private information is handled according to any relevant privacy regulations or controls specified in the service agreement or privacy notices.
What are the best practices for compliance documentation for SOC 2?
SOC 2 compliance can be an arduous process, with many moving pieces that need to work in alignment. The following best practices and auditing standards can help you get started.
1. Appoint a SOC 2 team.
That team should include a specific leader with defined responsibility and authority; plus whomever else has relevant experience from IT security, legal, or other business functions. The team should also be properly staffed with more junior members as necessary to assure sufficient manpower for the work involved.
2. Determine your SOC 2 goals.
- Are you pursuing a Type I audit or a Type II?
- Which trust service principles are you trying to achieve certification for?
- Do you need SOC 2 attestation for a single service, or for your entire organization?
3. Define your scope.
Which of SOC 2’s Trust Services Criteria (TSC) apply to your certification?
4. Gather your documentation.
For each of the trust service criteria you’ve chosen, you’ll need to identify the security controls that apply, evaluate their effectiveness, identify and fill any gaps, and gather the documentation you need to prove you’ve done your due diligence.
Organize evidence according to each trust criteria included in your SOC 2 audit.
5. Perform a self-audit.
Before you invest in a formal audit report, it’s best to assure that you’ll pass! Perform a self-audit to be confident that you have all relevant controls in place and documentation ready. This will also lessen some of the pressure of your first official SOC 2 audit (Type I) or any future re-evaluations (Type II).
6. Implement continuous monitoring.
The process doesn’t end at achieving SOC 2 certification. You’ll need to submit your organization for annual recertification, so it’s best that you monitor your security controls consistently to assure they remain effective and enforced overtime.
7. Submit your organization for an official SOC 2 audit.
The AICPA specifies that only independent certified public accountants (CPAs) are qualified to perform SOC 2 audits.
For more in-depth guidance on how to prepare for SOC 2 certification, please see our SOC 2 compliance checklist.
How do I document my internal controls?
If you’re in the earlier phases of compliance certification, you may be just starting to establish documentation around your own internal controls. So how do you document them to comply with SOC 2 requirements? Here are some guidelines to help you prepare your documentation.
Step 1: Risk assessment
The first step to documenting internal controls is to conduct a risk assessment. Understanding your risks will help you to understand what controls you have (or need) to mitigate the risk. These are the foundation of your internal controls that you will be documenting.
Step 2: Establish a control framework
Next, you need to establish the framework for your internal controls. What are the key processes to mitigating a potential risk? What are the objectives of the control? What requirements must be in place for you to control the situation effectively?
Step 3: Document the control activity
Now you need to spell it out. What are the programmatic steps taken to achieve the goals of your internal controls? Be as detailed as possible.
Step 4: Define control activity roles
Another important aspect of documented internal controls is the roles around the control. That is, you must document who performs the activity, including which people fulfill specific parts of the control if control requires multiple people. You must also document what tools or processes people use, and why those activities satisfy your control objectives.
Step 5: Test control effectiveness
A strong part of robust internal controls is testing to assure it’s effective at preventing security incidents. If it isn’t, include a remediation log that details the steps taken to correct issues and ensure the control is effective.
How ZenGRC Can Support SOC 2 Compliance For Your Data Center
A SOC 2 compliance program is important for every business today, whether you are a startup or an enterprise.
Ignoring SOC 2 audits, or poorly managing the process, can result in lost business if your customers perceive your business as one that can’t safeguard their sensitive data during the business relationship.
ZenGRC is a SaaS tool that can shoulder much of the burden of SOC 2 compliance and risk mitigation.
The ZenGRC dashboard provides a “single source of truth” for your compliance posture at all times, across multiple frameworks and security standards including SOC 1, SOC 2, HIPAA, PCI DSS, and more.
Our compliance templates can show you where your gaps are, and tell you how to resolve them. And when it’s time to hire an auditor, ZenGRC can save time and money by providing all of your documentation in an easy-to-use format.
ZenGRC can also cross-check objectives across multiple frameworks, streamlining your compliance efforts and freeing your team to focus on activities that grow your business.
Worry-free compliance and risk management is the ‘Zen’ way! To see ZenGRC in action, contact us today for a free demo.