Ines Guerra
8 min read
As we announced in the last post about SOC 2, this week, we will give you 7 steps to obtain in a shorter period the SOC2 certification. The first step is to be clear and choose what kind of SOC2 certification we want to get and which SOC2 AUDIT we will submit to our company.
SOC2 comes in two "types": Type 1 and Type 2. You have to decide which type of audit you want to perform, as it will influence the amount of time and resources you allocate to the project.
Here are the main differences between Type 1 and Type 2:
- Type 1 is a quicker, more straightforward, one-day audit of your system and security controls. It certifies that you are aware of security best practices and are working on their implementation. The SOC2 certification will measure the data security procedures and policies the organization has in place at any given time. Your company will select a Type I report when it needs to achieve SOC compliance as soon as possible.
- Type 2 examines the same controls as Type 1, but over 6 to 12 months. The observation period is more extended than for Type 1 because, in this one, an auditor will only certify that adequate controls have been designed in your company. For Type 2, on the other hand, the auditor needs to ensure that your organization has designed and implemented the necessary controls. This more extended observation period allows them to collect random samples and certify that the requirements are met. To maintain SOC2 Type 2 certification, your company will need to conduct an audit every year. And this will be the certification that will ensure safety in your processes because the audit measurements are taken over some time, and potential customers can feel more comfortable with the accuracy of the SOC2 audit results. Customers can have more confidence in the results when the organization can maintain its safety measures for several months or even for a year.
Your company may choose a Type II audit report after passing a Type I report. This is usually done because the organization may want to demonstrate that the audit report was not a fluke. Sometimes a specific client of the organization may require a Type II report.
Therefore, the process is usually to perform a SOC2 Type 1 audit, followed by a SOC2 Type 2 audit, since the auditor cannot grant SOC2 compliance until the Type II report is completed. If the organization has chosen a 12-month Type II audit process, at least 12 months are required to achieve the final results. Therefore, organizations that need quick results choose the type I report to start with and do the Type II report later.
The AICPA (American Institute of Certified Public Accountants) states that a less than six months reporting period is probably not useful for user organizations and their auditors when performing SOC2 audits. Therefore, your company should schedule the SOC2 audit, either Type 1 or II, at regular intervals of 6 to 12 months to ensure regular and thorough compliance.
One of the most critical points in preparing for SOC2 compliance begins with measuring and quantifying the revenue and confidential business and customer information that is at risk. The different methodologies can be used to measure financial risk accurately. Early in the process, you and the auditor should establish the importance of the preparation tasks and set expectations for the remainder of the preparation.
SOC2 certification is a long-distance race; the process can take months. But it will run more efficiently if you identify the crucial roles and the people who will fill them. A qualified team to obtain
SOC2 certification will be composed of:
- Lead Author: This person will have a crucial role, needing technical writing experience and communication skills. They will also need to have a broad knowledge of the business and operations to effectively interview members of other teams and report accurately on what they are doing.
- Project Manager: The project manager is the person who will coordinate the SOC2 audit activities and team members. They are gathering information and documents, scheduling resources, setting deadlines, and helping to ensure that everyone has what they need and that deadlines are met.
- Executive Sponsor: This person will also play a key role in explaining to senior management why SOC2 certification is suitable for your company. They will relate the certificate to current security issues, future revenue, risk management, and more.
- IT and security staff: The role of this team will be to create a lot of material that needs to be developed and tested during the audit process. The bulk of the work will demonstrate that the company can effectively detect and respond to security issues.
- External consultants: if the company is undergoing SOC certification for the first time, or if there have been significant changes since its last audit, external assistance can help prevent major issues that will delay SOC2 certification.
- Legal staff: Finally and very importantly, a legal team should be involved in the SOC2 process from the beginning. Their input will be invaluable when working with third-party suppliers to ensure that all contracts are up to date. They will also be helpful when documentation is continually updated throughout the SOC2 project, and all legal requirements must be met to move the process forward.
At this point, the IT team should understand which essential elements of the control environment need attention for possible remediation before performing the SOC2 audit. It does not matter if we already have all the other preparatory steps in place. Performing these optimization tests is very important to ensure that the service organization's controls are working as we want them to. It is not demanding that deficiencies come to light during an optimization assessment for SOC2 and issues that need to be resolved before the SOC2 audit. Optimization testing can help narrow the scope to the exact business processes and systems in the audit. This is key to saving time and resources that will otherwise waste our company's time and resources.
Next, let's name a few items that can help your company steer optimization testing in the right direction, such as the following:
Analyzing and detecting cybersecurity gaps fast lets you verify that all essential controls are documented and in place. Performing this process requires a thorough review of the system we have chosen and its criteria. A good gap analysis helps to detect problems before starting an audit. And it gives your company the time and opportunity to make corrections, so allowing sufficient time to fix issues that may arise is critical.
In this phase, we can also see some shortcomings that the company presents, such as:
This is why SOC2 certification will prove that all cybersecurity standards are met and that your company can operate in a secure and reliable framework for the marketplace.
The first remediation period will begin when the gap analysis is completed, and the SOC2 self-assessment is completed. This process will take from 2 to 9 months. The duration of the correction of internal problems in the company will depend on the magnitude of the deficiencies found in the previous analysis and the resources available to solve them.
This execution is the part of the process where teams will feel the impact of the changes required by SOC2. It is not uncommon for new hires to be made to meet the requirements. It is also possible that the software development process will be modified to accommodate cybersecurity needs. After this implementation and remediation period, we will perform another assessment. If this assessment is completed, your company will be ready to pass the SOC2 audit. If we find new deficiencies, we will repeat the process until we obtain a favorable report.
Are you starting to prepare for a SOC2 audit?
With MyLenio, your team will work in an optimal cybersecurity framework to achieve this certification.
In the next post, we will talk about how much it will cost your company to obtain the SOC2 certification and its preparation and how to do it optimally so that the investment of economic resources is lower.
