SOC 2 Bootcamp (4 parts)
In May 2021 we ran a "SOC 2 Bootcamp" showing what the audit process looks like when using our tool. The Bootcamp was split into four sessions: Choosing an Auditor, Policies and Controls, Evidence Collection, and The Audit.
Part 1: Choosing an Auditor
Part 1 Timestamps
00:00 - 01:30 Introduction and housekeeping
02:05 - 04:05 Importance of buy-in when getting certified
04:10 - 13:00 Selecting an Auditor
13:05 - 17:00 Deciding on the size of an audit firm that's best for you
17:05 - 23:40 Expanding on the Auditor selection process
24:00 - 29:00 Trust service criteria overview
29:05 - 37:25 Determining your scope / Scoping survey demonstration on Tugboat Logic
37:35 - 41:58 Service organization description controls
42:08 - 44:00 If you are paying the Auditor, how can they be considered independent?
44:05 - 47:10 Trust service criteria are based on your business, but you can choose which criteria to start with? Can you expand on this?
47:15 - 48:42 Can you use your RFP or vendor management process to procure an auditor?
48:45 - 50:37 Can your Financial Auditor also be your SOC Auditor?
50:54 - 54:30 A lot of SOC compliance seems to be based on the Auditor's judgment; can you expand on how guidelines vary from one auditor to another?
Part 2: Policies and Controls
Part 2 Timestamps
00:00 - 01:42 Introduction and housekeeping
06:40 - 18:50 Policy overview / Tugboat Logic demonstration
19:00 - 21:05 Controls overview
21:10 - 24:20 Analysis of Business Continuity Plan as an example of a control
26:30 - 31:00 Risk Assessment and Mitigation
31:19 - 37:16 Vendor Compliance Review for a vendor with a SOC2 report
37:20 - 38:30 Vendor Compliance Review for a vendor without a SOC2 report
38:32 - 43:25 How to mitigate risk when working with a small firm vendor
43:30 - 44:25 Do you need to share your controls with a third party, or is sharing the policies enough?
44:40 - 47:40 What is the difference between procedures and controls?
47:45 - 51:00 For the implementation of controls, policies, risk management, reviews, approvals, etc., is there an order in which you recommend tackling these tasks?
51:10 - 52:25 If you already have your SOC2 Type 2, how easy is it to transfer your policies into Tugboat Logic?
52:30 - 54:35 What is the minimum list of SOC2 policies that should be accepted by all employees?
Part 3: Evidence Collection
Part 3 Timestamps
00:00 - 02:00 Introduction and housekeeping
03:00 - 08:51 Evidence overview
09:00 - 10:50 Evidence collection methods
11:00 - 15:02 Business Continuity Recovery policy (example in Tugboat Logic)
15:10 - 16:00 Submitting your Business Continuity plan as evidence
16:05 - 16:50 Other evidence tasks that require a plan or document cannot be done via automation
16:52 - 22:00 Submitting evidence tasks that can be automated
22:05 - 26:20 Analyzing segregation of customer data control
26:35 - 29:30 Reviewing vulnerability scanning and remediation
29:35 - 36:10 Overview of a Penetration test
36:12 - 37:40 General business Penetration test vs SOC2 penetration test
37:44 - 42:30 Process proceeding Penetration test
42:48 - 44:20 Different evidence collection methods for SOC2 Type 1 vs Type 2
44:23 - 48:00 How can you guarantee a Penetration tester is testing against all known as well as the latest variations of cyber attacks?
48:03 - 51:50 In general with evidence would you advise collecting evidence more frequently than you need to in case you miss a cycle?
51:55 - 53:10 What is the observation period for a Business Continuity plan?
Part 4: The Audit
Part 4 Timestamps
00:00 - 01:20 Introductions and housekeeping
01:25 - 03:57 Readiness Assessment overview
04:00 - 04:35 Does every SOC 2 need a signing partner to sign off on it?
04:40 - 07:10 What should be prepared for an audit?
07:15 - 09:15 The difference in preparation for a Type 1 vs Type 2
09:30 - 11:20 How do you start a Readiness Assessment?
11:30 - 12:00 Type 1 audit timeline
12:15 - 19:15 Type 2 audit timeline
19:19 - 21:20 SOC2 Type 2 year 2 audit timeline
21:25 - 28:29 Expectations when doing your inquiries and observations with Tugboat Logic
28:30 - 31:10 When can you expect your report?
31:12 - 34:40 What to expect at the end of the audit
34:46 - 40:26 How to utilize your report
40:30 - 48:10 Sections of a report
48:15 - 50:36 Who can you share the report with?
50:50 - 54:25 Does your report expire?
If you have any comments or questions, feel free to leave them in the comment section below!