A SOC 2 Gap Assessment involves a few interviews, typically lasting 1-4 hours, depending on the complexity of the firm’s environment. These interviews are conducted between the reviewer and individuals who can provide a high-level perspective on the controls. The Gap Assessment covers relevant areas in HR, IT, and Engineering, among others. For example, one of the questions might be, “Can you explain your process for evaluating new hires, including background checks?”
Following these meetings, the output is a brief report outlining the identified gaps and missing controls needed to meet SOC 2 criteria. This could range from the broad requirement of documenting the annual risk assessment to the specific need for implementing a monthly vulnerability scanning and remediation program in the production environment.
Does this guarantee that you will emerge from the assessment with no exceptions?
No, but a successful gap assessment provides a good idea of where you will stand when the external auditor conducts their assessment.
Should it be performed by that external auditor?
This would be the best-case scenario. You can have a separate consultant perform this gap assessment; however, at the end of the day, it’s the auditor’s opinion that stands in the SOC 2 report. So, it does make sense to meet their standards before the assessment.
At Render Compliance, the gap assessment is genuinely one of our favorite parts. We love to help folks figure out what they need in a compliance framework and figure out a game plan for how to get there. That’s why we offer it for free, with no strings attached. So don’t hesitate to give us a call or an email if you are considering SOC 2 and you want to know where you stand.
Disclaimer: Remember that you identify the controls for your environment; it is important that your management takes responsibility for defining its own control framework.