Written by Jordan Bellman

In my experience as a Manager of Customer Success at Strike Graph, I’ve become quite familiar with the trends in my customers’ anxieties as they embark on their maiden SOC 2 voyage. One of the most common questions I get asked in a discussion about controls is, “do I need this for SOC 2?!” I always try to stress the point that the beauty of the SOC 2 audit is its flexibility.

Sure, there are some controls that you “need”. If you’re a SaaS company, you probably need a penetration test. But what if you’re a managed services company and you don’t even have a product? When you sign with an auditor to perform a SOC 2 audit, you get to choose your own control set, as long as you have some controls to cover the subcategories of the AICPA criteria.

Controls

The thing I love most about the Strike Graph approach is that both our tool and our philosophy are centered around flexibility. No two of my customers have the same control set, and why would they? They all come from different industries and have unique environments. A control is simply a statement, a sentence, or paragraph, stating a security practice that an organization may have in place. For example, a control about antivirus might look something like: “antivirus is installed on workstations and servers to help protect against viruses and malicious software on the systems.” 

The language of your controls is how you tell your auditors that your organization has a mature security program, and is worthy of a positive SOC 2 attestation. Every Strike Graph customer has access to our library of about 250 templated controls. They can use our language as a starting point, and customize each control to describe their unique security practices. The most common feedback I get from customers is that having some suggested language to use as a jumping-off point saved them hours of work, but most importantly saved them from a lot of unnecessary stress and confusion. You can also add your own custom controls from scratch, and map them to other frameworks you might be working towards like ISO or HIPAA.

Evidence

Even if you have been through a SOC 2 audit before, the hardest part of each assessment is knowing what exactly you need to send to your auditor for testing. I don’t mean the control set, where you tell your auditor what your security practices are. I’m referring to the attachments: the actual documents, policies, screenshots, and settings where you show your auditor how secure your practices are. 

Much like my wide variety of customers, these evidence attachments are not one-size-fits-all. Each control in our robust control library comes pre-populated with a handful of our suggestions for how to prove that the control is operational. At Strike Graph we call this “suggested evidence”. Some of our suggestions may not be relevant to a customer's environment. For example, if your organization doesn’t have a virtual private network, you probably don’t need to produce the evidence attachment asking for “proof that your VPN sessions are encrypted”. All you have to do is simply remove that evidence suggestion in your Strike Graph account. The reverse works as well: you can also add your own custom piece of evidence and attach it to a custom control.

Conclusion

When embarking on a major compliance undertaking like SOC 2, having Strike Graph in your corner can be incredibly helpful. Our product was designed to be for any company or any size and customizable so you don't burden your team with unnecessary cybersecurity controls or work toward your compliance goals.

Our objective is to save our customers time and make the daunting task of going into audit not only tangible and manageable but achievable. 100% of our customers have received clean audit reports! We commit to the success of our customers by guiding and scoping each customer’s journey, ensuring that they don’t waste time doing unnecessary work that isn’t appropriate for their environment.