Maintaining SOC 2 After Your Initial Report

A successful SOC 2 attestation is an accomplishment for any organization. You likely spent countless hours designing controls, implementing and documenting the necessary policies and procedures, vetting CPA firms, and more. But, as good as it feels to have that report in hand, the work isn’t over.

Like with most security frameworks, there is no finish line for SOC 2. To keep your report current, your organization must go through an annual audit. Each audit will require time-consuming tasks. This is especially true if your business is growing. New customers, third-party vendors, employees, and contracts can result in the need for new controls.

To make your annual audits as smooth as possible, your organization needs to make SOC 2 compliance a year-round commitment. Here are some steps businesses can take to avoid having to scramble as your audit approaches.

Create a Compliance Calendar Visible to All Internal Stakeholders

Maintaining SOC 2 compliance involves completing many tasks throughout the year, including.

• Monitoring controls execution to avoid waiting until the audit to discover a control wasn’t operating effectively, which can have a negative impact on your report.
• Maintaining audit trails for your periodic evidence captures and storing them for audit time.  Periodic evidence usually includes vulnerability scans, access reviews, key leadership meeting minutes and agendas.
• Reviewing and updating all policies and procedures.
• Conducting period requirements like risk assessments, BCP/DR testing, and Incident Response testing.

Keeping the associated dates in the heads of a small group of employees is asking for something to be forgotten, which inevitably will make your next audit more difficult. Create a calendar with dates for the work that needs to be done on a weekly, monthly, quarterly, or annual basis. Everyone who has responsibilities related to SOC 2 needs to get automated reminders as their tasks approach.

Update Policies and Controls to Reflect Changes to Your Business

Your policies and controls are not set in stone. Your business will almost certainly experience change over the course of a year, and your SOC 2 compliance needs to reflect those changes. For example, your control statements may need to change if you move your data processing center to or from a data hosting provider, or the structure of the company changes. If a change in your operations results in a control needing modified, begin that process right away. As vendors come and go, keep your approved vendors list current. To make life easier at audit time, be sure to document who made the changes and that evidence exists to prove the new policy was communicated to everyone who needs to know.

Quarterly Huddles

Good communication within your organization will go a long way toward staying SOC 2 compliant. Schedule a quarterly meeting with staff members who are involved with any aspect of your upcoming audit. Use this time to:

• Review any potential new compliance gaps
• Review new policies and procedures
• Assign any new tasks
• Review tasks that need to be completed in the upcoming quarter

If it’s not practical to get the whole team together for a meeting, consider creating a quarterly SOC 2 report. Everyone with SOC 2 responsibilities can provide an update that can be compiled into a single report and shared.

Delegate

SOC 2 compliance should be a team sport. Train people throughout the organization on how to properly document SOC 2-related tasks to avoid putting too much on the plates of just a few people. Some examples include having HR document when a new employee has completed their security training, or IT employees signing off when a new keycard has been assigned, or when a computer or mobile device has been set up.

If you’re maintaining SOC 2, or working towards your initial report, CompliancePoint has an experienced team of experts that can help your organization prepare for a successful audit. Contact us today at connect@compliancepoint.com to learn more about how we can help.