If you've begun to explore the possibility of obtaining a SOC 2 report, you may have heard that a SOC 2 Readiness Assessment is a good place to begin the journey. That's reasonable advice. Just as you wouldn't invite a financial auditor to review your financials without taking preliminary steps to ensure that your financial statements are in order, you wouldn't pursue a SOC 2 examination if you didn't have reason to believe that you had the necessary security practices in place to perform well under professional scrutiny. For that reason, the following sequence has become popularized:
Everyone that sets out to obtain a SOC 2 report is hoping for an "unmodified opinion" -- one that indicates that organization's security controls are sufficient. The above sequence (when done well) helps companies get to that outcome by sussing out any deficiencies early on in the process so that they can be addressed before they rise to the level of impacting the examiner's opinion as expressed in their report.
If you are reading this article, there is a good chance that you are on the early end of this journey, so here we'll offer some advice about how to get ready for a SOC 2 Readiness Assessment. Here are our thoughts:
A SOC 2 examination can contain any of the following focus areas (Trust Services Criteria):
As you'd expect, the larger the scope the larger the cost and effort. Many organizations begin their SOC 2 effort under some time pressure, such as a situation where a partner or client has asked them to obtain a SOC 2 report. When there is time pressure, many organizations conclude that they'll isolate their initial SOC 2 examination to only one TSC (Trust Services Criteria): Security. Others with less time pressure or more resources, may choose to pursue more than one TSC (or perhaps even all five).
Either way, doing some brief research on the Trust Services Criteria and having an opinion about what scope you favor for your SOC 2 examination is an important preliminary step as you get ready for a SOC 2 Readiness Assessment.
We've written about the SOC 2 Type 1 vs SOC 2 Type 2 decision before. If you are in a hurry and having some SOC 2 report quickly is business critical, you might initially pursue a Type 1 report. Meaning, an examination that evaluates your security controls at a point-in-time as opposed to evaluating them across a multi-month examination period. There is no "wrong" answer to which type to pursue.
Most organizations that set out to obtain a SOC 2 report view it as something that they'll do on a recurring basis going forward. The logic is that if the organization needed a SOC 2 report "now", they'll probably also need one in future years. Due to that, many organizations that race to get a Type 1 report now, end up immediately following through into a Type 2 examination. For some, it's the best of both worlds -- a relatively speedy Type 1 report followed by a more exhaustive Type 2 examination. The downside? Paying for two types of examinations can be expensive.
In any case, on your path to beginning a SOC 2 Readiness Assessment, you'll want to have an understanding of the Type 1 vs Type 2 decision and to have an inkling about which direction you'd like to head.
A good SOC 2 examiner will front-load discussions about precisely what customer commitments your organization has made. We've written before about the types of commitments that SOC 2 examiners are in search of. See, the basis of evaluating your security controls is an understanding of what commitments you are aiming to achieve with the use of those controls. Controls that might be satisfactory for one organization might be totally inadequate for another.
What's not fun, is to get into that discussion with a SOC 2 examiner and find that you don't have a neatly organized set of customer contracts, terms of service, an analysis of any custom commitments made in special negotiations with specific customers, etc.
There is no time like the present to gather those materials, because you'll absolutely be asked by your SOC 2 examiner to supply evidence of your customer commitments. A good SOC 2 readiness assessment would raise the same question. Being ready for that moment will save you a headache in that moment.
The process of obtaining a SOC 2 report involves a sequence that -- when managed well -- should give you the opportunity to obtain an unmodified opinion in the examiner's final report. Part of managing that process well is to be ready for a SOC 2 Readiness Assessment on the front end of the process; which we're glad to help you do.