Building Effective Security Policies: FOMO vs. Build-as-you-Go
Ever gone to check the company policy for something and found yourself lost and hopeless in a thousand page policy
Resources to Help You Manage your SOC 2 Program.
Ever gone to check the company policy for something and found yourself lost and hopeless in a thousand page policy
In the fast-paced world of compliance automation, where promises of rapid audits abound, it’s time to pause and reconsider our
Determining the timeline for achieving SOC 2 compliance is a bit like asking “how long does it take to build
It may be obvious that running a ‘serverless’ environment reduces your operational responsibilities.
A SOC 2 Gap Assessment is a high-level review of a firm’s control’s environment against SOC 2 criteria to identify
In the whirlwind of implementing a compliance framework, companies are inundated with information.
Short answer: No, penetration tests are not required for the SOC 2.
A SOC 2 report does not have a fixed expiration date like a certification – rather, it is intended to
Most people seeking an answer to this question are often wondering if there’s a government regulation mandating compliance for specific
Why not just post your SOC 2 report as a downloadable version on the website to speed up the sales
How much does a SOC 2 Report cost? Your prospects are beginning to ask you for it, it’s been on
As the factual history is rather complex, let’s summarize this in a fun anecdote about an accountant named Bob.
When it comes to choosing a compliance management software, the array of tools on the market can be dizzying. So
We’ve all been there – 3 months into an audit, and suddenly realize – nobody knows the boundaries of SOC
A control is something you do to keep the bad guys out. There could be other reasons to perform controls,
A brief, Plain English guide to one of the most common external security assessments used across the United States.
Is a minor control exception on your SOC 2 report reason for panic?
Do you pull the trigger on a consultant to manage your compliance program, hire a pro, or run it yourself?
Selecting an auditor is not like choosing a gas station.
Rest assured, we won’t flood your inbox – we’ll send updates, no more than once a week.
Many companies rely on third parties to provide services, and in doing so they expose themselves to risk. For example, if a hospital uses a data center to store PHI, how can it trust that the data center will do its job to protect the PHI?
These companies may request a SOC 2 report from the third party, which supports their risk assessment of the third party and helps them know if it can be trusted to protect such data or provide such services. So in this example, a hospital would request a SOC 2 report from a data center.
The SOC 2 timeline depends highly on the complexity and maturity of your control environment, your motivation to get it done, and on who you select as the auditor.
For simpler environments and highly organized/motivated companies, the SOC 2 exam could last as short as 4 weeks. For more complex, or less organized/motivated companies, the process could take 6 months.
It involves the following major milestones:
A Type 1 exam assesses the description and controls as of a point in time.
A Type 2 exam assesses the description and controls over a period of time.
Most entities that request a SOC 2 report will be looking for a Type 2 report.
However, many undergoing SOC 2 for the first time choose to start with a Type 1 exam. This allows them to quickly issue a report to their dependent users as soon as they have reached an acceptable level of security and compliance. Then, they might choose to complete a Type 2 exam just 3 months later if the need is more urgent, or wait a full 12 months.
No. While SOC 2 is a highly popular report for companies doing business in the United States, the ISO 27001 is a standard and/or certification used more often by European companies.
Besides the standards for each being published by separate regulating bodies, and separate project timelines, while ISO 27001 is primarily about evaluating that you have a program in place, SOC 2 (Type 2) will evaluate whether the security controls identified actually operated over a time period.
The SOC 1 exam covers controls relevant to Financial Reporting, whereas the SOC 2 exam covers controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
One significant difference between the two reports practically is that SOC 1 controls are required to support Control Objectives, which are defined by you. Whereas the SOC 2 controls must support the standard criteria defined by the AICPA.
No.
As a licensed CPA firm, we are held to strict independence standards in order to perform attestation engagements.
Basically, we can’t audit our own work.
We could provide Gap Assessments, where we essentially do an ‘audit-lite’ and report on the results you might expect. But we can’t assist in implementing SOC 2 controls.