Strike Graph security compliance blog

The secret ingredient for a smooth SOC 2 audit

Written by Kenneth Webb, CISSP, GWAPT, CSSLP, CISA, CIS LA | Apr 15, 2021 7:00:00 AM

Readiness. You will encounter this word often as you start to research SOC 2. It is typical for auditors to include a readiness phase as part of their SOC 2 audit services. What do they mean by readiness? Do you need this step? Most importantly, what if an audit is not yet on your radar? 

A readiness assessment is akin to a pre-audit, or gap assessment, of your current information security program against a framework. It is most often associated with SOC 2, but it applies to other frameworks as well. SOC 2 auditors will conduct interviews with key members of your staff to determine the state of your controls and practices, and identify any gaps accordingly.

The outcome of a readiness assessment is generally a high-level list of recommendations for your team to implement to meet the criteria of the framework in question. It is not a report card, but more like a high-level cheat sheet of the items you still need to implement so that you can have a clean audit. Some auditors will then offer examples or templates that you can use to close these gaps, while others will just leave you with the to-do list.

A readiness assessment without an audit? 

What if you don't know if you will want a SOC 2 audit or if you want to shoot for an ISO 27001 certification? Maybe you want to become HIPAA compliant? You do know that you need something in place, mostly to stay in compliance with the IT security clauses of contracts. You also need to streamline the completion of security questionnaires. We know that many organizations are not ready to adopt a framework, but we also recognize the desire to stand up some best practices. The Strike Graph approach to readiness is more like foundation building - the building blocks are the important bit.  

Foundation setting: the Strike Graph equivalent of readiness

There are a variety of frameworks out there, and sifting through what constitutes the minimum set of controls is arguably subjective. Laying a solid foundation for an appropriately sized information security program is key to long-term success. To set a solid foundation, Strike Graph customers are first guided through a risk assessment. The outcome is the identification of activities, or the exact controls, that are appropriate to both their risk appetite and their organizational maturity.

A risk assessment is a key element of many security frameworks, most notably, SOC 2, HIPAA, ISO 27001, and NIST. The risk assessment is beneficial in multiple ways: it can lead you to the exact policies you will need to create, as well as identify the repeatable controls appropriate for your organization. The completed risk assessment also serves as a required control for many frameworks. 

The resulting control set identified by the risk assessment can be mapped to any security framework. Once mapped, the gaps in coverage become apparent, allowing you to identify the next steps in your security roadmap. These existing, active controls can also be used to facilitate the completion of security questionnaires and can be shared with prospective clients.

We know, from our own experience and that of many of our customers, that putting in the time before engaging an auditor can lead to the quickest, easiest means of creating value. For example, well before embarking on a SOC 2, ISO 27000 certification or another framework journey, filling out security questionnaires will likely be a reality. When a procurement department sends these to you as part of their vendor onboarding program, there is an assumption that you have established basic security practices. Whether you are trying to win a new deal or stay in compliance with the security sections of existing contracts, the assumption is that your organization already has a security program in place.

Our customers have had success, prior to an audit, by showing their end customers something we call a readiness package. This package includes a control set with the corresponding policy documents, and a well-crafted system description or narrative. This package is akin to an “un-audited SOC 2” and allows you to focus on revenue first - not an audit. The effort invested in preparing this package will not only support winning more sales but will serve as the foundation of a right-sized security program.

The takeaway

Unless you have a customer asking for a specific certification or attestation today, there is no reason to pigeonhole yourself into one framework. Having a strong foundational security program sets you up for success with any framework: ISO, SOC, NIST, CIS, HIPAA, PCI DSS, or others. Phase in the right way with a risk-based approach! Then, when ready, you can adapt your security program to the most appropriate framework.