Interview With a SOC 2 Auditor: Maintaining Your SOC 2
Do you already have your SOC 2 Type II report? Are you worried about maintaining your compliance in the upcoming SOC 2 audit?
Getting your first unqualified opinion report is only the first step. To retain your SOC 2 attestation over the long term and keep your customer data protected, you need to be proactive.
Unless you implement best practices and avoid common pitfalls, it’s easy to compromise your security practices over time.
We interviewed K.C. Fike, Data Analytics Practice Lead at The Cadence Group, to help companies do just that. With over 10 years of experience overhauling IT processes and data handling in businesses, he’s got a lot of knowledge to share.
In this interview, you’ll learn what processes to set up, mistakes to avoid, and how to ensure you keep your SOC compliance over the long term.
How long is a SOC 2 report valid?
A SOC 2 report is only valid for the time it states on the report (this can be 3 months, 12 months, even a week). The vast majority of companies renew every year.
Although the report is valid for 12 months, that doesn’t mean the assessment period for your new report must be 12 months. You can conduct a report for a three-month or six-month period — but we recommend 12 months as the gold standard.
With a shorter assessment period, you risk that some controls might not even be operating within the three-month period. You can’t test the efficacy of fail-safes if they’re never needed.
Choosing six or 12 months gives you more runway to get annual controls, such as employee performance reviews, operational. A 12-month assessment leads to a cleaner report and — more importantly — creates more trust with potential and existing customers.
Why do you need to renew it every 12 months?
The SOC 2 report is only valid for a period of time because it helps ensure that controls are followed and implemented over the long term. That makes it a lot easier for customers to trust you with sensitive information and data.
You can’t “set and forget” a data security program. You need to consistently train new employees and maintain your procedures and controls over time, and be aware of new infosec issues and challenges coming into your landscape.
SOC 2 certification is valued by potential customers precisely because you need to renew it frequently. They don’t care how secure your systems and processes were five years ago. They want to know how robust they are today.
Depending on the number of internal changes to the system, some companies choose to renew SOC 2 even more frequently.
Why is maintaining your controls for your SOC 2 so important?
There are plenty of reasons to invest in maintaining your SOC 2 compliance.
Some of the most important benefits of remaining compliant include:
- Customer relationship — build trust with your existing customers. Clients like to know that their data is safe and respected. They don’t want to risk losing customers or facing lawsuits because of leaks or other issues.
- It’s like high-level B2B social proof that you can use on your website and in other marketing materials. You can prove that their data is protected with you.
- SOC 2 controls help improve your security program, fail-safes, and other reliability infrastructure.
- Removes information security as a potential sales blocker in enterprise deals. Customers care about how you handle their sensitive data.
- Lower downtime and better handling of potential incidents.
- It also helps maintain the productivity of your service organization with clear processes and controls. In the long term, these minimize systemic issues and keep your teams firing on all cylinders at all times.
Is the process for renewing SOC 2 compliance different from the initial report?
If we’re talking about renewing a SOC 2 Type II report, then yes, it’s virtually the same as getting your first report.
The renewal process is very similar to your first Type II. We do a kickoff with the customer. We ask to see a sample of evidence from the last 12 months, such as the new population of employees, any software or system changes, and more.
But if you’re going from a Type I report to a Type II, things are a bit different. With a Type I report, auditors give their opinion on an “as of” basis.
“As of June 11, 2021, these are the controls that we know are designed and in place.”
With a Type II, it’s a period under review. Companies always do a SOC 2 Type II report after they receive their Type I.
Going from Type I to Type II isn’t technically a renewal of your report, it’s when you prove that your company is truly SOC 2 compliant. Most companies that care about SOC 2 certification prefer Type II reports over Type I.
How should you prepare for the SOC 2 renewal audit?
If you successfully passed your Type II report, you already know what to do. The main thing is to make sure that controls are followed throughout your company.
That includes briefing and training all new hires, contractors, and even business partners. You must keep up with all the procedures you set out and designed to get certified the first time.
Ensure you’re spot-checking your processes to see that everything is running properly, continually updating software, and keeping a close eye on new employees.
If you want a list of concrete steps, you can follow our SOC 2 Audit checklist.
What are the best practices for maintaining SOC 2 compliance over the long term?
If you want to keep your SOC 2 certification, here are just a few key best practices you must follow:
- Understand and internalize the trust service principles of security, availability, processing integrity, confidentiality, and privacy — at least the ones you plan to get certified for.
- Focus on following all the controls and procedures you create. Just designing a security program isn’t enough; your employees must follow it.
- Train all new employees and contractors in your processes for handling customer data.
- Arrange periodic spot checks or gap analyses of your controls and systems. You don't want to be caught by surprise when the auditor comes in for the on-site audit.
- Hire someone to handle infosec and check that all departments follow your controls and protocols.
What are common ways you’ve seen companies go wrong after attaining SOC 2?
As experienced SOC 2 auditors, we have seen a lot of businesses make mistakes over the years.
Here are some of the most common issues we keep seeing:
- Thinking you just have to do this one time and not following up adequately over time. This mindset will almost guarantee that you fail your renewal.
- Not having buy-in from the top and making this a priority at all levels throughout the company. A small team of security-focused developers won’t get you Type II certified.
- Simply not following the controls and processes you designed. A lack of communication between teams and departments is often the root cause.
- Losing track of procedures after an acquisition or merger. Training these new employees and teams must be a priority. A lack of priority on infosec during this transition is one of the most common reasons for SOC 2 failure.
Becoming a SOC 2 compliant company is only the first step — staying one is the real challenge. You need to maintain the focus on standardization and procedure through every major change and challenge your company faces.
It’s easy to put these things on the back burner when you face issues or have opportunities that seem more important. But you don’t want to lose potential deals or existing customers because you mishandle data.
Do you have any tips that you want to leave a CIO, executive, or manager with?
Sure. In addition to following the best practices outlined above, and avoiding mistakes, here are a few tips to help you stay compliant:
- Ask your auditors questions during the readiness assessment and Type I report. Take advantage of their experience and expertise.
- Be transparent through the process. Don’t try to hide potential issues or hiccups; ask for guidance on how to solve those issues.
- Think about how the organization will grow, from employee count to software changes, and ask for advice on scaling your controls. It’s often a good idea to hire an infosec expert who can train new hires, teams, and business partners in your procedures.
- Give your company enough time to adapt. If you’re going from “we have no controls” to now “we have to follow these 40+ controls,” that’ll take a lot of effort — change management, infrastructure management, stakeholder engagement, you name it. You need a long runway to bring these things on board. You can’t just snap your fingers.
A robust system is the foundation of information security
If you want to stay SOC 2 compliant over the long term, you need a robust set of procedures and an iron-clad tech stack.
If you’re not sure about the security of the various applications and platforms you use, Secureframe can help you get peace of mind.
Using our tools, you can scan for any issues within your cloud, apps, vendor, and HR ecosystems. It makes maintaining and proving your SOC 2 compliance a lot easier.
If you want to ensure that your systems are up to the task, request a free demo today.