Unlike some frameworks that have a narrower focus, SOC 2 requires you to demonstrate solid corporate governance practices across the organization. Before joining Strike Graph, I was an IT compliance program manager for a handful of my own clients. During every annual SOC 2 audit, one VP of Engineering would consistently ask why the auditors wanted to see so much HR ‘stuff’. My go-to answer was that SOC 2 is not just about IT and security controls; it also covers operational business controls that reflect a holistic approach to good governance.
About a quarter of the SOC 2 criteria relate to business operations. This incorporates controls related to corporate oversight from the Board (or owners, if there is no Board), corporate values and ethics, HR hiring and personnel practices, internal and external communication practices, vendor management, and risk oversight. As a result, various departments in your organization will be pulled into the SOC 2 fold. The leadership team, HR, procurement, and even customer support should be prepared to participate in the process.
So why are there so many business or operational controls in the SOC 2 framework? SOC 2 was developed by the AICPA, the organization that sets the rules for Certified Public Accountants. Remember the Enron debacle that led to the Sarbanes-Oxley (SOX) Act? As part of the new focus on corporate governance through compliance with SOX, CPAs pushed a framework called COSO. This framework outlines a set of overarching corporate governance controls related to monitoring, risk, communications, and oversight of a control environment. A few years ago, the AICPA merged COSO into the existing SOC 2 framework, and thus introduced more operational controls.
Why do these business operational controls matter? For the simple reason that SOC 2 is more than just an IT security framework. A SOC 2 allows organizations to demonstrate not only that they meet the Security criteria (and, where added, the other Trust Services Criteria of Availability, Processing Integrity, Confidentiality, and Privacy), but also what the organization has in place to prioritize all-around good corporate governance. Also, IT risks extend well beyond the obvious IT-related issues. For example, well-designed HR hiring practices, such as background checks or a robust interview process, can help to mitigate the risk of hiring unscrupulous individuals who could leak sensitive information and land you in the news, or worse.
Customers will appreciate knowing that your executive team is ethical, employees are well trained, laws are adhered to, and that you take the security of their data seriously. This is what makes SOC 2 more than just an IT framework. Spending time to get the operational controls right is just as important as all of the IT controls, and is integral to having a clean SOC 2 attestation. This, in turn, leads to customer trust, which is key to unlocking revenue.
How can Strike Graph help?
One thing that sets Strike Graph apart is that we supplement our solution with expert customer success managers who are familiar with both IT security solutions and business operations. We’ll work together to guide you through your unique SOC 2 journey. Give us a shout!