There is a stretch of time in your organization’s SOC 2 journey where security practices are being established or refined. Sometimes they are being established during the mad scramble to prepare for a looming audit. Your customers are growing antsy and they really need to see a SOC 2 certification "yesterday." The security questionnaires start to pile up, in myriad formats, and they all seem to ask similar questions. On top of that, everyone still needs to do their day jobs. 

How can your organization harness all of your pre-audit efforts, present them to prospective customers, and continue to make sales without a SOC 2? How can you prove that your organization is trustworthy if your audit is months away? If sales is the driver of pain, then what can your organization do to make all of these efforts less painful?

Understand risks.

First, take the time to perform a risk assessment that focuses on information security risks. Brainstorm what could go wrong with respect to the IT environment, specifically around the data that you are responsible for. This can include risks around appropriate access,  risks related to the use of the tools necessary to create your product, risks of migrating unapproved or untested code into your production environment, risks of a cyber attack (ex. phishing, denial of service attacks), and even risks that could surface with your subcontractors or vendors.  

Once you have a solid list, score these risks based on the likelihood that they could happen and the potential impact ($, people, laws) if they did happen. A 1-3 scale (in other words, High, Medium, Low) for each is sufficient. Once scored, identify which risks have the highest impact to your organization (Risk score = Likelihood x Impact).

Do it yourself example:

With Strike Graph:

Scope your controls. 

From the results of your risk assessment, identify any processes, or controls, that are currently being performed and might address each risk. For the risks that appear to be unaddressed, ask yourself if you could mitigate them with a quick fix or a documented operating procedure? Ask yourself if it’s a good  time to set up a project, or put the budget aside in order to introduce a lasting and scalable response? The end result will be a list of risks with your organization’s response plan. Note that not every risk will have a solution. You may need to accept some risks for the time being due to financial, hiring, or other constraints.  

Compare controls to the SOC 2 framework.

Once your organization has a solid set of identified controls (including control gaps), compare your list against each of the Points of Focus found in the SOC 2 framework. You can also match your controls against another framework such as ISO 27001, NIST or the CIS 20. This will give your organization a preview of how it would do if the audit were today. This mapping exercise will also identify additional control gaps that should be added to your list of gaps from the Risk Assessment. This cumulative list of gaps becomes a roadmap to SOC 2 certification.   

Create a security environment narrative.

If your organization is on the SOC 2 path,  you will be required to present a System Description. The purpose of the System Description is to clearly define your organization’s product, solution, or services, and the controls you have in place to meet your service objectives. Think of the System Description as a technical marketing document that eloquently describes how the network is set up, how data flows through it, and how all of the controls in place will protect and secure both. You can share the first draft of your SOC 2 System Description (un-audited) with your customers to demonstrate that you mean business.

Get a comfort letter.

As soon as you have a signed contract  with an auditor, you can request that they issue a comfort letter. This is a letter, on the auditor’s letterhead, stating that the auditor is engaged and the audit is on track. You can send this letter to any customer that is waiting on your organization’s SOC 2. A comfort letter can be used to provide your customers  anywhere from 3 to 12 months of peace of mind - they will have confirmation that an audit is on the horizon. In the meantime your customer may ask you to fill out a security questionnaire, show pen test results, or provide other security assurances.

You will have to work hard to prepare your organization’s security program for an audit, but by taking these preparatory steps you will mitigate the chaos of the process. By performing a risk assessment, identifying the controls and control gaps, and aligning your controls against a framework, you can turn this arguably daunting task into a succinct roadmap to certification. You can also share the output of these steps with customers before an audit to win their trust — simultaneously providing a library of controls that you can use to complete security questionnaires.