No one wants to go into a SOC 2 audit blind or unprepared. So how do you know when you’re ready? Whether you tackle your SOC 2 preparation solo, or with the help of an expert such as Strike Graph, there are a few tasks that, when completed, can be a good indicator of readiness.
‘Mapping’ and ‘Coverage’
One of the first things an auditor will ask you is whether you have ‘mapped’ all of your controls. Mapping is a bit of an art form, not only because you get to choose which of your controls you want to map, but you also get to navigate the mystery of the SOC 2 framework. Mapping is subject to your interpretation and, eventually, the interpretation of your auditor. About 80% of your mapping will look similar to everyone else’s, but the remaining 20% of your mapping could be vastly different based on the size and complexity of your organization as well as your interpretation of the framework.
The output of the mapping exercise is to demonstrate how your organization is meeting each criteria through the alignment of your controls. The SOC 2 framework starts with the Common Criteria, which is composed of 33 criteria, which are further broken down into 206 points of focus. If you include Availability, Confidentiality, Processing Integrity and Privacy in your SOC 2, these numbers will increase. The tricky bit to mapping is that many of the SOC 2 Criteria can be mysterious and some points of focus are not easy to translate into plain English.
The good news is that the Strike Graph approach does this mapping for you behind the scenes. This saves you many hours of head scratching and the desire to toss your keyboard across the room out of frustration. Mapping is hands down a SOC 2 pain point and our goal is to ease that pain. However, if you choose to go at it alone, here are a few tips:
First, attempt to map each point of focus to a control. The example of a manual mapping worksheet is below; it shows all Points of Focus for CC6.1 - Logical Access. Think of points of focus as hints on how to address each Criteria. As you map, note that controls can repeat - don't fall into the trap of thinking there needs to be a unique control for each point of focus. Also, there will be a handful of points of focus that will have a one-to-one relationship with a control and these will be easy to spot. For now, skip any points of focus that are confusing or mysterious. Also, if a point of focus is not applicable, make a note. In the example below, a control header or name has been used, but you will want to show the entire control description.
After your first pass, take a step back and look over your list. Have you mapped a few controls to each of the Criteria? This step will show you how much ‘coverage’ each criteria has and is a step your auditor will also perform. Anywhere you see that there are no controls that align with the Criteria or there are too few, then you have a gap in coverage. You can see this in the example above - there are not nearly enough controls to be able to demonstrate that the Criteria has been met. In this example, you will need to close these gaps by implementing meaningful controls or by re-mapping a control you already have that you think fits.
After closing gaps and making a whole hearted attempt at mapping, you will have identified anywhere from 60-130 unique controls (depending on your organization and the level of detail with which your controls are written).
Are Your Controls Working? Prove it!
Do you have faith that all of the controls you have mapped to the framework are working as you intended? Be certain, because your auditor will be looking for instances where processes were not followed, configurations and alerts were not set up, or a critical step was missed.
You should pressure test your controls to make sure that they are working as intended. Depending on the control, you will be able to do this via screenshots, comparing procedure documents, change or help tickets, emails, and reports pulled directly from various tools.
Strike Graph offers a quick solution. Each control is aligned with typical audit evidence. Each evidence item can be assigned an ‘expiration date’. You can set up a control monitoring cadence (a SOC 2 control!) to alert you when control evidence has not been provided, is incomplete or late. This allows you to investigate control issues, and also provides another layer of readiness comfort.
Bonus: Other Readiness Activities
In addition to mapping, coverage and assessing your controls, there are a handful of other tasks to keep on your ‘readiness radar’. Make sure that all relevant policies have been written, procedures are up to date, tool alerting is turned on, all employees have signed all onboarding docs, and that any other processes you have tagged for the SOC 2 audit is up and running.