More and more often, small businesses are asked by their clients for some form of assurance that the data shared with them is kept secure and private. Frequently the request is for SOC 2 compliance, with a certification as proof. If this happens to you (or your client), the question is often "how can my 20-person company meet these standards?" The answer may surprise you.
You must first understand the SOC reports. A SOC 1 report is focused only on financial controls; it is usually used by companies that need to provide assurance that they will remain solvent and will not become victims of fraud. SOC 2 is the type that covers information security. A SOC 2 Type I report describes a moment in time: "On August 17th 2018 this company was compliant with the Common Criteria." The most commonly requested report is SOC 2 Type II, which evaluates information security over a period of time: "From February 1st to August 18th 2018 this company remained compliant with the Common Criteria."
SOC 2 compliance is actually a very achievable standard, and even if you don't pursue the certification, its principles should be attainable goals for every organization. One of the keys is scoping. There are 5 principles used to evaluate an organization for a full SOC 2 certification:
- Security
- Confidentiality
- Availability
- Integrity
- Privacy
These core principles are evaluated using the 'Common Criteria'. Your organization may not 'process data', for example, in which case integrity may not be a risk area for you, and you can reduce the scope accordingly. Another form of scope reduction concerns the systems actually evaluated. For example, if you have one specific cloud-based system used for your clients, with no local or legacy systems holding their data, the scope could be reduced to just that system. All of this affects the time and effort needed to become SOC 2 compliant.
Even if you have reduced the scope, or if you don't need to go through the entire certification process (some organizations only require that their vendors demonstrate the principles in some meaningful way, without a full certification), your organization will still benefit from the exercise. Understanding the common criteria and working to apply them in your day-to-day operations improves the security program.
As stated earlier, Type I audits are a point-in-time audit, while Type II audits (which are usually the ones asked for or required) are intended to review the controls in place over a period of time (usually six months). That is why starting the journey as soon as possible pays off: if a client requires a SOC 2 report and certification, you will be prepared to achieve it. If a client or RFP requires it today and you have done nothing proactively, it will take a minimum of 6 months before you can achieve it, and you may lose opportunities.
While only CPA firms can provide a full SOC report and certification, clients who work with Foresite through our SOC readiness offerings have a head start on getting through the process as quickly and painlessly as possible. And even if they don't pursue the certification, they will have matured their program enough to meet best practices and the common criteria, and to provide evidence of doing so if asked.