Determine Service Offerings for Compliance

The first step is to define what service offering(s) you want certified. This may seem trivial, but the ramifications of this decision are far reaching. The first big question you should ask is: who will want a SOC 2 report from you? Is this report going to a client as part of a contract or SLA, or is it going to a business partner who may need it as part of their own audit? It is important to think about where your business is going and who may demand this certification. Each service offering you add to your compliance efforts adds complexity and cost, and if your customers only require one service to be compliant, then certifying the others would be unnecessary. Sometimes, however, it is easier to certify everything and create uniformity across your business; the trade-off is that you will have to maintain the controls for every certified service moving forward.

Define the Scope

Once you have settled on the service offering(s), the next step is to determine what constitutes the scope of the audit. In other words, what is relevant and in scope for the services you are making compliant? This is a good time to engage your IT/IS team to help identify the systems (networks, servers, switches, etc.) the target services use. The narrower the focus, the fewer systems you must bring into line with the criteria. You and your team must look at these systems as they are defined in the AICPA Trust Services Principles and Criteria documentation.

Decide Which Trust Services Principles (TSPs) Are Applicable

After the scope is defined, the next step is to decide which TSPs are applicable to your organization’s systems. A common mistake is to assume you must comply with all five. In fact, the AICPA gives you the flexibility to decide which ones apply based on the scope and service offering(s). However, at a minimum, we recommend you comply with the Security trust principle. This provides a baseline assurance to your clients and partners that their information is protected from unauthorized access.

To validate your scope and TSP selection, consider the following questions:

Are there any service level agreements or contracts between the client(s) and the service organization, such as uptime availability and acceptable downtime? If so, then Availability should be one of your TSPs.

Are there different levels of data classification the service organization needs to consider, such as restricted, confidential, and unrestricted, when dealing with a client’s data or its own? If so, then Processing Integrity and Confidentiality may be relevant.

Will the service organization collect, use, retain, or disclose any of its clients’ private information to third parties? If so, then Privacy would apply.

Once you have decided which TSPs are applicable to your systems, the next step is to dig into the details.

Map and Gap

The next step is to map your existing environment against the relevant TSP criteria. This is a gap assessment. The ultimate goal of the gap assessment is to determine what gaps exist and what exactly you must do to close them. This may include purchasing new equipment, hiring staff to implement the controls, writing documentation, and many other details. The ideal gap assessment lays out a road map for meeting the compliance requirements.

Remediate Gaps

This is probably the most time-consuming of all the efforts. As mentioned previously, the amount of effort and resources identified by the gap analysis will determine the date of the SOC 2 audit. Historically, in our experience, if your organization is doing this “from the ground up,” you will need 6 to 12 months to implement all the required controls.

Of course, this is highly dependent on several factors, such as the number of gaps that need to be remediated, the personnel available to do the remediation, any new equipment needed, the timeline established to remediate findings, and of course management’s ongoing support and involvement.

To keep things on track, focus on procuring and implementing the required controls first. This includes buying technologies like firewalls and SIEM solutions; get these controls working before anything else. Second, integrate these new controls into your operational practices, and make sure you have good reporting on and administration of the controls. Lastly, document the relevant policies and procedures around those controls.

Audit Preparations

Once the remediation is nearing completion, the next step is to engage a CPA firm. The more involved your CPA is with your business, the more likely they will be to understand the nuances of your implementation. Furthermore, if you work with a consulting partner to implement the controls, they too should have a relationship with the CPA firm. The closer your consultants are to the CPA, the less likely the two groups are to disagree. Keep in mind that a consulting partner or value-added reseller (VAR) can tell you one thing, but at the end of the day, it is the CPA firm who signs the audit.

A SOC 2 Report Contains:

Independent service auditor’s report
Management’s assertion
System description
Applicable trust services criteria and related control activities