
SOC 2 Type II Compliance: How Foresite Achieves Continuous Readiness
Foresite Cybersecurity's Journey to SOC 2 Type II Compliance
What is SOC 2 Type II?
SOC 2, or Service Organization Control 2, is a framework developed by the American Institute of CPAs (AICPA) for service organizations to demonstrate they securely manage customer data. A SOC 2 Type II report is particularly rigorous, as it evaluates the design and operational effectiveness of an organization's internal controls over a specific period, typically 3 to 12 months. This is different from a SOC 2 Type I report, which only attests to the design of controls at a single point in time. The Type II report provides a higher level of assurance to customers, showing that an organization not only has the right policies in place but that they're also consistently followed.
Foresite Compliance Journey
Laying the Groundwork: The Control Statements
Our journey to a SOC 2 Type II report was a meticulous and systematic process. It began with a deep dive into the AICPA's Trust Services Criteria, which form the basis of the SOC 2 framework. These criteria include Security, Availability, Processing Integrity, Confidentiality, and Privacy. We focused on the criteria most relevant to our services, primarily Security, Confidentiality and Availability.
Using these criteria as our guide, we developed specific control statements. These are clear, concise declarations of how we would meet each requirement. For example, a control statement might be: "Access to sensitive customer data is restricted to authorized personnel based on the principle of least privilege."
Codifying Controls and Preparing for the Audit
Once we had our control statements, the real work began. We needed to ensure each statement was not just a promise but a documented, repeatable process. This involved a multi-step approach:
- Policy and Procedure Creation: Each control statement was formally integrated into our company policies and procedures. This codified our security posture and provided clear instructions for our team on how to maintain compliance.
- Audit Schedule and Frequency: We established a rigorous audit schedule for each control. This defined how often we would review and test a specific control to ensure its continued effectiveness. The frequency was determined by the criticality of the control and the associated risk.
- Evidence Collection: We identified the specific evidence needed for each control and designated a central, secure location for its collection. This evidence could be anything from access logs and training records to change management documentation. Having a designated place for evidence made the external audit process much more efficient.
The Audit and the Positive Opinion
With our program established and our documentation in order, we embarked on the audit period. During this time, we meticulously executed our documented procedures, collecting all the necessary evidence. We then engaged an independent CPA firm to conduct the external audit. The auditors reviewed our control statements, examined our collected evidence, and performed their own tests to verify the operational effectiveness of our controls.
The result of this intensive process was a SOC 2 Type II report with a positive auditor opinion. This is the best possible outcome and confirms that our security controls are well-designed and have been operating effectively throughout the audit period.
Foresite Continuous Compliance Cycle
The Journey Continues: From Readiness to Advantage
Achieving a positive SOC 2 Type II report isn't the end of our security journey—it’s proof that our program works every day, not just during an audit window. Because our controls are embedded into daily operations, we operate in a state of constant audit readiness.
For our customers, this means confidence that their data is always protected and compliance is never an afterthought. For other organizations aiming for SOC 2 Type II, here’s what we recommend:
- Shift from periodic to continuous compliance — Treat every day like audit day.
- Automate evidence collection — Manual processes slow you down and risk gaps.
- Embed compliance into operations — Make it part of the culture, not a project.
This approach doesn’t just satisfy auditors—it builds lasting trust and gives you a competitive advantage in a market where security is a deciding factor.
Prove your security program works every day, not just once a year.
Schedule a Discovery Call to see how Foresite’s continuous compliance approach can help your organization achieve and maintain SOC 2 Type II.
