SIGN-IN

BLOG

Don't fail your SOC 2 with a "just do it" attitude

We’ve all heard “Just Do It”. Since 1988 it’s been a mantra for a certain shoe company and five years ago became a meme for motivation, thanks Shia LaBeouf!.  We all desire to take quick and decisive action if possible in order to achieve an outcome. Personally, the “Just Do It” slogan has always been a great motivator.

However over the years I’ve learned that the *real* hard work is in the planning. Having a game plan that focuses on only what is necessary is critical so you are not wasting precious time. Identifying the correct activities that are not going to help you achieve your goal is always faster. For a company with a goal of achieving a SOC 2 certification, before “Just Doing It” first plan and prepare to ensure success.

The SOC 2 certification process has two distinct phases: planning for the audit then preparing for the audit. We have interviewed many companies that jumped into passing the audit and without properly planning. This tends to make the process quite painful! Companies will create a lot of  policies and procedures preparing for their audit. It's easy to find a list of "typical policies" and make them your own. However the result is creating  cyber security requirements that the auditor will test. Fail those imaginary requirements and you fail your audit! What a waste of effort and time.

At Strike Graph right-sizing the scope of certification is the first thing we do. Customers use a risk-driven assessment to narrow the scope of a compliance practice.  This can dramatically reduce the requirements of your cyber security practice. It will also focus time & energy on the things that contribute to passing your audit. If you’re a SaaS company, make sure you’re only identifying specific risks to your service and then you can determine the appropriate controls to put in place. Without this approach, we’ve seen companies try to “boil the ocean” during an audit and greatly expand the time, effort and cost of the certification. Make sure you have a clear scope with your risks assessed and controls identified before collecting the evidence needed.  

With the right scope preparation moves right into evidence collection to support the SOC 2 auditor. Now you can surgically go after the artifacts - screenshots, config files, policies - that will help you demonstrate your security posture and validate the controls you have put in place. This preparation saves you a tremendous amount of back-and-forth with the auditor during the actual audit and sets you up a much lower "total cost of ownership".  Most importantly it can dramatically reduce the likelihood that you'll fail your audit.

It should be no surprise that hard work upfront in scoping pays dividends in helping make the audit a success. Take the time to use a risk-driven approach to your SOC 2 certification process and you will see the benefits. While “Just Do It” is a great mantra and motivator, just make sure you are scoping the work in preparation prior to jumping into the auditors office.

About Strike Graph

Strike Graph is a compliance SAAS solution simplifying security certifications such as SOC 2 Type I/II or ISO 27001. These certifications dramatically improve revenue for B2B companies. Facilitated by the Strike Graph platform, key actors in the process including Risk Managers, CTO's, CISO's and Auditors can work collaboratively to achieve trust and move deals. For more information visit https://www.strikegraph.com.

Brian Bero
Brian is the VP of Business Development and a Co-Founder at Strike Graph. He is a serial entrepreneur with a deep background in technology sales and compliance. Brian graduated from University of North Carolina at Asheville with a degree in Computer Science. He was a co-founder at Apptio and Greytwist.

THE STRIKE GRAPH CLOUD GRC PLATFORM

Let's work together to pass your cybersecurity audit.