We’ve all heard “Just Do It”. Since 1988 it’s been a mantra for a certain shoe company and five years ago became a meme for motivation, thanks Shia LaBeouf!. We all desire to take quick and decisive action if possible in order to achieve an outcome. Personally, the “Just Do It” slogan has always been a great motivator.
However over the years I’ve learned that the *real* hard work is in the planning. Having a game plan that focuses on only what is necessary is critical so you are not wasting precious time. Identifying the correct activities that are not going to help you achieve your goal is always faster. For a company with a goal of achieving a SOC 2 certification, before “Just Doing It” first plan and prepare to ensure success.
The SOC 2 certification process has two distinct phases: planning for the audit then preparing for the audit. We have interviewed many companies that jumped into passing the audit and without properly planning. This tends to make the process quite painful! Companies will create a lot of policies and procedures preparing for their audit. It's easy to find a list of "typical policies" and make them your own. However the result is creating cyber security requirements that the auditor will test. Fail those imaginary requirements and you fail your audit! What a waste of effort and time.
At Strike Graph right-sizing the scope of certification is the first thing we do. Customers use a risk-driven assessment to narrow the scope of a compliance practice. This can dramatically reduce the requirements of your cyber security practice. It will also focus time & energy on the things that contribute to passing your audit. If you’re a SaaS company, make sure you’re only identifying specific risks to your service and then you can determine the appropriate controls to put in place. Without this approach, we’ve seen companies try to “boil the ocean” during an audit and greatly expand the time, effort and cost of the certification. Make sure you have a clear scope with your risks assessed and controls identified before collecting the evidence needed.
With the right scope preparation moves right into evidence collection to support the SOC 2 auditor. Now you can surgically go after the artifacts - screenshots, config files, policies - that will help you demonstrate your security posture and validate the controls you have put in place. This preparation saves you a tremendous amount of back-and-forth with the auditor during the actual audit and sets you up a much lower "total cost of ownership". Most importantly it can dramatically reduce the likelihood that you'll fail your audit.
It should be no surprise that hard work upfront in scoping pays dividends in helping make the audit a success. Take the time to use a risk-driven approach to your SOC 2 certification process and you will see the benefits. While “Just Do It” is a great mantra and motivator, just make sure you are scoping the work in preparation prior to jumping into the auditors office.