You just got your final SOC 2 report back from the Auditor. You sent the report off to the customer that wanted it and a Big Deal has just been signed (congrats!). You also breathe a sigh of relief because you are fully compliant with specific contract terms. You are Official!
But there is more to do!
What to Do With the Report Now
A SOC 2 is intended to be confidential, despite the fact that you may see a handful of reports posted online. Some prospective customers may want to see your report, and this is appropriate. Some organizations will have prospects sign an NDA prior to sharing their SOC 2 report. Whether or not to ask your customers to sign an NDA is your choice, but know that the report should not be widely distributed.
You should also limit the number of employees who can access the report internally. Just as you don’t want to share it publicly, you want to treat it as confidential within your organization. Only provide access to those employees who need to know, or need access to perform their job. For example, sales executives may need access so they can efficiently navigate your customers’ vendor onboarding processes.
Did you know you can brag about receiving your SOC 2? Get ready to brag by following these steps:
- Register and download the Official Logo from the AICPA.
- Note that there are very specific Guidelines for using the Logo. The Terms and Conditions are short, so make sure you read the SOC 2 sections.
- Do not alter the logo in any manner except for size.
- You can use the Logo almost anywhere as long as it is hyperlinked to www.aicpa.org/soc4so.
- Share it!
  - On your website
  - In marketing brochures, report packages or engagement proposals
  - In presentation slide decks
  - In social media posts
  - In printed physical media, provided the www.aicpa.org/soc4so URL is included in proximity to the placement of the logo
Keep Up the Good Work
You just spent considerable time and effort not only establishing (or refining) a cyber security practice, but also traversing the audit process. A SOC 2 is not just a trophy you dust off right before the auditor comes back next year. You want to maintain the good compliance habits you’ve developed year-round.
A few tips for operationalizing your hard work:
- Share the good news about earning your SOC 2 in an All Hands announcement or meeting. Your team members worked hard to achieve this and it should be celebrated!
- Instill a culture of adherence to controls in order to do what is right (from a cyber security perspective). Share the culture-of-controls message frequently.
- Monitor your controls to ensure that they are working as intended. This is important - it is not only a requirement for SOC 2, but it’s good practice. You can spot-check a few controls every quarter (by reviewing controls via the Strike Graph GRC Calendar) or you can have an independent assessment performed to ensure that they’re operating correctly.
- Consider where you can automate, update, or streamline controls.
- Ask your auditor to suggest areas where you can improve operationally, or where you can strive to mature your security practices.
- Contact your auditor when you make any major changes to the network or to control processes. Also contact them if you plan to add additional services or products to the scope. They will appreciate the heads up.
- Consider whether it might make sense to add another TSC. The ROI could lead to more sales!
- At “T minus 45 days” from your next audit, refresh the Pen Test, refresh the Risk Assessment and update relevant policies and procedures.