
The Top 3 Things That Will Delay Your SOC 2

edited June 2020 in SOC 2
This came up as a question from a few customers, so we figured we'd ask our CISO Jose Costa, head of the Tugboat Labs Team (dedicated to helping customers know everything about compliance) and former partner at PwC, and our audit partners for their take. Here are the top 3 things that will hold you back from passing SOC 2:

#1: Risk assessments

This is the leading cause of companies not getting SOC 2 certified on time – no surprise if you think about it. From a fundamentals / best practices standpoint, risk assessments are the cheat sheet to passing SOC 2: they tell your org how to become more secure AND are a forcing function for taking stock of all the potential risks your org faces.

And, risk assessments are a security control you need to implement as part of SOC 2 (and other security certifications such as ISO 27001). Regardless of when you plan on getting your SOC 2, get half the battle done by completing your risk assessment.

#2: Penetration tests

Similar to risk assessments, you need to start pentests early in order to complete SOC 2 on time. For SOC 2, pentest scopes are typically based on the Trust Services Criteria (TSC) relevant to your org. Note that the Security TSC accounts for 80% of a SOC 2 audit and applies to everyone needing a SOC 2, so you'll need to factor in the time it takes to vet either freelance pentesters and/or pentest providers like Cobalt (full disclosure: we're a customer) or White Hat Security.

#3: Internal security audits

Internal audits are a great baseline for measuring the robustness of your org's security posture in preparation for a SOC 2 audit. They take inventory of both the security processes and physical assets in your company (which more or less is what SOC 2 audits cover on a larger, more comprehensive scale) and provide the roadmap to improving your security program.

And best of all, the work you're doing for internal audits overlaps with and complements the risk assessment you need to do for SOC 2. The findings you get from your internal audit (effectively a dry run of a SOC 2 audit) will help you get a head start on implementing the security controls your company needs in order to be secure and compliant.

Have any of these held you back in the past? Is there anything else you really struggled with during your SOC 2 audit? We welcome you to share your experience with us below!