No one wants a SOC 2 examination to go poorly. For most organizations, getting to a SOC 2 report that reflects favorably on the company's security practices is essential. Often there are customers or partners pressing for evidence of a SOC 2 report. When that's the case, the process of engaging an auditor to conduct an examination can cause some anxiety. The SOC 2 Readiness Assessment has become popular as one of the ways to reduce the odds of surprises during the examination.
One of the central topics in a SOC 2 Readiness Assessment is the concept of "commitments to customers" -- specifically, determining precisely what commitments an organization has made to their customers. Was there a 99% uptime commitment, or was it 99.5%? Was the commitment made uniformly to all customers, or are there some marquee customers that were promised 99.9%? This is an example of one type of commitment that might come up during a SOC 2 Readiness Assessment.
For organizations that have never previously been through a SOC 2 examination, it may take substantial effort to gather the documents needed to fully understand what commitments have (and haven't) been made to customers. That's the purpose of this post: to suggest some of the items to gather to be prepared to substantiate what commitments to customers exist. Here's our take:
Let's start with the obvious: the written contracts you've executed with customers are a primary source for commitments you've made. Hopefully your contracts are clear about what services are in scope of the agreement, what performance obligations you have with regard to those services, and your position on any particularly sensitive matters such as service reliability, confidentiality, privacy, etc. A review of your standard contract with clients is essential to a well done SOC 2 Readiness Assessment, and it sets the stage for evaluating whether your internal controls are suitable for helping you meet the commitments you've made.
For many technology-centric products or services, customers have come to expect Service Level Agreements. Those agreements are almost certainly part of your customer commitments. Beyond the most typical example of "service uptime", SLAs often include performance obligations related to turnaround time on a customer-reported problem, obligations to notify customers of certain incidents within a stated window, etc. Each of these is a measurable commitment, so expect the readiness assessment to compare the numbers in the SLA against the support, incident response and monitoring processes that would have to deliver them.
When small businesses attract large customers, the eventual agreement between the two companies is often on the larger company's preferred paperwork. Often it is a thick Master Services Agreement that the large company uses as a standard across all of their vendors. There are often customized statements of work and other performance obligations attached in an appendix or incorporated by reference.
Be careful of enterprise security questionnaires that are incorporated by reference in a broader agreement with a customer or partner. When the representations you make in these documents become part of a formal agreement, there is often a breakdown in communication between the person who filled out the questionnaire and the person negotiating the contract. An answer such as "all customer data is encrypted at rest" or "we perform annual third-party penetration testing" reads, once incorporated, like a contractual commitment, and your controls will be evaluated against it. Be sure that you know whether the answers to the security questionnaire constitute a commitment you are making to the customer.
We're saving this for last in our list, but perhaps it's the one that you should do first. Why? Because customized agreements unique to each customer tend to be the ones that take the most time to review for commitments. Often it involves locating the redlines relative to the baseline document to discern whether any of the custom modifications contain commitments unique to that particular customer. Not a lot of fun, and potentially time consuming, but it is important for assembling a complete list of customer commitments. Having these agreements gathered and reviewed prior to a SOC 2 Readiness Assessment is a huge head start towards a smooth process.
Getting through a SOC 2 Readiness Assessment and proceeding through a SOC 2 Examination may cause you to review documents that you haven't seen since the day they were signed. Getting ahead of that information-gathering process is one of the best ways to get an early sense of whether you have internal controls that you need to catch up on, or whether you are in good shape. Better to know now than to be surprised during your SOC 2 examination. We're standing by to help.