Since you’re here, it’s safe to assume that your organization needs a SOC 2 report and you’re considering Fractional CISO’s help to get it done. Thanks for the interest!
We realize that, when discussing long-term consulting projects, the specific work that gets done can seem pretty vague.
The point of this article is to give you a more concrete picture of the specific work Fractional CISO does to help companies like yours become SOC 2 compliant.
100% of our clients have successfully met their compliance goals. Here are nine ways we help lead businesses to SOC 2 compliance.
1. Fractional CISO reviews your SOC 2 use-case.
The reason why your company is getting a SOC 2 is the first thing we will discuss with you. This will likely happen before you’re even officially a client!
It’s important to understand the “why” because it will help set the correct objectives and milestones for the program. Do you need a SOC 2 Type 2 by a contractual deadline? Or do you need one because of general market pressure, with many prospective customers asking if you have one? Or maybe you want to just stop filling out dozens of cybersecurity questionnaires!
Once your vCISO understands your needs, they will chart the appropriate course to meet them in an efficient and timely manner.
A big decision that will be made early on is whether to go straight for a SOC 2 Type 2, or to get a SOC 2 Type 1 first. Remember, a SOC 2 Type 1 is a point-in-time evaluation that’s often used as a stepping stone to the more valuable SOC 2 Type 2, which evaluates the performance of a cybersecurity program over a period of time – usually six months or one year.
For organizations whose cybersecurity efforts are still immature or ad hoc, we often recommend starting with a SOC 2 Type 1 report. This approach provides a valuable foundation, ensuring your controls are designed effectively and providing a “practice run” of the audit process. If an organization doesn’t already have a strong, well-documented security program in place when it starts the SOC 2 Type 2 period, it runs the risk of auditors asking for evidence of a control from before it was implemented (or documented).
It’s better to make mistakes during your initial SOC 2 Type 1 run than during the more important SOC 2 Type 2!
Going straight to a SOC 2 Type 2 is often not even needed to satisfy security-conscious customers!
Proof that you are taking cybersecurity seriously by acquiring dedicated cybersecurity leadership from Fractional CISO, combined with a letter from an auditor stating you are getting a SOC 2 Type 1 with an expected SOC 2 Type 2 date is usually more than sufficient.
On the other hand, companies boasting mature cybersecurity programs, or those already certified against standards like ISO 27001, may find themselves well-prepared to tackle the SOC 2 Type 2 from the get-go.
By the end of this introductory process, you’ll have a clearer understanding of your SOC 2 compliance roadmap and the insights needed to align your cybersecurity posture with both current and future demands. Our tailored guidance ensures that, regardless of where you stand today, you’ll be on the right track to demonstrating the mature security practices customers expect from a SOC 2-compliant organization.
2. Fractional CISO scopes your SOC 2.
The next step to planning your SOC 2 program is deciding on the scope of the audit.
A SOC 2 doesn’t have to cover the whole company. You can decide whether to include the organization as a whole, or to focus on one portion of the company – such as a product or a small handful of products.
This decision is strategic based on your business model, available resources, long-term goals, and customer expectations.
Scoping your entire organization within the SOC 2 audit demonstrates a commitment to security and requires buy-in from every part of the organization for success. This complete approach requires more work, but will drive cybersecurity improvements across every department, greatly reducing your risk of suffering a serious cyber attack!
Conversely, focusing the audit on specific segments reduces the workload and organizational buy-in required to achieve SOC 2 compliance. This can be beneficial for companies who want their SOC 2 report fast or those with limited resources, but it comes with a caveat. Some customers may not trust a SOC 2 with too narrow a scope, and it creates additional workload if you choose to expand your scope in the near future.
Since this is about how Fractional CISO helps with the SOC 2 process – we usually recommend our clients scope their entire companies. If you’ve acquired the services of a Virtual CISO firm, then you clearly care about giving cybersecurity the resources needed for success. Getting an all-encompassing audit done with Fractional CISO is easier than running a narrow-scoped audit on your own.
3. Fractional CISO performs a Gap Assessment of your current security program.
The Gap Assessment is the first major cybersecurity evaluation we will complete on your behalf.
The cybersecurity team we provide will complete a comprehensive review of your organization’s current IT program, network infrastructure, and product security to capture the starting state of your cybersecurity posture.
To conduct this evaluation, your cybersecurity team will interview your employees, collect documents such as network diagrams and policy documents, examine software development practices, and more.
The Gap Assessment is mapped to our Fractional CISO BASIC (Base Analysis for Security Information Controls) cybersecurity control framework. Fractional CISO BASIC is a simple 20-control framework mapped to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):
1. Identify involves understanding and prioritizing cybersecurity risks relevant to the organization’s mission, assets, and business context.
2. Protect entails implementing safeguards to ensure the security and resilience of critical infrastructure, systems, and data.
3. Detect focuses on promptly identifying cybersecurity events to mitigate potential impacts through continuous monitoring and analysis.
4. Respond involves developing and implementing response strategies to contain, mitigate, and recover from cybersecurity incidents efficiently.
5. Recover encompasses restoring normal operations and services following a cybersecurity incident, while also improving resilience against future events through lessons learned and continuous improvement.
All of the controls covered in Fractional CISO BASIC are high-value and required for SOC 2 compliance. Beyond Fractional CISO BASIC, the SOC 2-focused Gap Assessment will cover a few other important SOC 2 controls, such as change management.
Once complete, you will receive a comprehensive report containing the findings of the gap assessment that will be used to guide your security program to the next steps.
4. Creates short-term cybersecurity plan to remediate gap assessment findings.
Next, your Fractional CISO team will build a cybersecurity plan for the short-term directly targeting the control deficiencies identified in the gap assessment.
There isn’t a one-size-fits-all solution in cybersecurity, so an important part of this step is deciding how to implement many of the required controls. We will help you make these important decisions and implement the controls as you desire. New policies will be written, new technical abilities will be spun up, and new practices such as incident response (IR) tabletop exercises will be started.
Over the course of a few short months many new cybersecurity improvements will be made, quickly improving your organization’s cybersecurity posture and bringing you closer to alignment with SOC 2’s requirements.
5. Builds long-term security and compliance programs.
While the short-term cybersecurity plan is vital to quickly putting your company’s program on the right track, it is not sufficient for the long-term, mature cybersecurity practices needed for ongoing SOC 2 compliance.
Dozens of new policies and cybersecurity processes will need to be implemented. There are several challenging functionalities that need to be built up within the organization, including change management, internal audits, and incident response.
Fractional CISO draws from our robust library of policy and process documentation as a starting point, then customizes those documents to best fit your organization’s practices. We train your employees on how to adhere to these policies, and perform many important functions for your company ourselves.
A few of the high-importance functions we provide for SOC 2 compliance include internal audits, quantitative cybersecurity risk assessments, and incident response exercises.
6. Selects an Auditor
Sometimes, our clients come with an auditor selected. That’s fine! If you don’t have one, that’s also fine! We’ll connect you with the right one.
Selecting an auditor might sound simple, but it’s important to get a reputable one that aligns with your needs. SOC 2 reports from CPA firms with poor reputations are not viewed positively by prospective customers!
Factors considered in auditor selection are industry and size specialty (some auditors are better suited to larger customers than smaller ones and vice versa), availability for your timeline, and of course, your budget.
7. Selects SOC 2 Control Set
The SOC 2 framework isn’t simply a list of controls for companies to meet. Instead, there are five “Trust Services Criteria” each containing dozens of security “objectives” such as:
“CC6.1 (point of focus: Protects Encryption Keys) — The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.”
SOC 2 doesn’t tell you how to meet this objective! In practice, the specific controls used to meet each objective are often left to the auditor and your company.
Some auditors may have their own control set they want their subjects to use. Others may want you to pick your own controls (this is often the best for your own security and internal structure).
Fractional CISO helps in both scenarios! If it’s a complete DIY control set, of course your vCISO will help pick the right controls for your organization. If it’s an auditor provided list, we’ll ensure that the controls are relevant to you and, if not, advocate for modifications to better suit your needs.
At this point in the process, we identify any remaining gaps between your organization’s cybersecurity program and the final SOC 2 control set, and help to close them so you are in complete compliance.
8. Auditor Engagement and Advocacy Support
During the preparation process and the audit itself, your vCISO will engage with the auditor, helping to arrange meetings, establish timelines, and be present at every meeting you have with them. Each of our vCISOs and cybersecurity analysts has been through dozens of successful SOC 2 audits, allowing for efficient project management.
Even though SOC 2 is a flexible framework, many auditors will still expect to see specific processes, tools, or controls in place at your organization. With a deep understanding of both SOC 2 and (by this point) your cybersecurity program, we advocate on your behalf, ensuring the auditor is satisfied with your security program as it works best for your organization – not their expectations.
Ultimately, we ensure that every party is on the same page and that expectations are set properly so the process goes smoothly.
9. Evidence Generation and Submission
Building a cybersecurity program isn’t the only heavy lifting that goes into becoming SOC 2 compliant! Now, you have to prove it, with evidence.
For each control in the list, the auditor will request a certain amount and type of evidence that your organization will have to provide in order to prove that you have been faithfully following the requirements of your cybersecurity program. The type of evidence required for a given control can vary wildly. Some, such as [blank], require comprehensive reports. Others require simple screenshots, exported logs, or email records. Others may require physical or virtual walk-throughs.
For example, SOC 2 control CC3.1 requires the following: “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.” A Risk Management Policy is sufficient evidence to meet this control. When you work with Fractional CISO, we create this policy on your behalf.
Another example is SOC 2 control CC6.3, relating to access control. “The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.”
Evidence for this is a little more complicated. You need to have a policy that outlines how access control is to be handled, and it needs to be implemented and understood by your employees. Then, the following evidence is often provided:
Screen captured video showing the login process for the cloud console.
A comprehensive list of users, groups, and associated permissions.
Screenshots showing steps utilized to export the user list.
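As an added example (not Fractional CISO’s tooling or any auditor’s requirement), here is one way to produce the CC6.3 user/group/permission inventory repeatably rather than by hand: it builds the list from constructed sample data, flags the least-privilege and segregation-of-duties issues an auditor will ask about, and hashes the export so you can later show the submitted file is unchanged. All user names, groups and permission strings are invented.

```python
"""Access-review evidence export for SOC 2 CC6.3 (hypothetical example)."""
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample data standing in for a cloud console user/group export.
USERS = [
    {"user": "alice", "status": "active", "groups": ["developers"]},
    {"user": "bob", "status": "active", "groups": ["developers", "release-approvers"]},
    {"user": "carol", "status": "disabled", "groups": ["admins"]},
    {"user": "dave", "status": "active", "groups": []},
]
GROUP_PERMISSIONS = {
    "developers": {"code:read", "code:write", "deploy:execute"},
    "release-approvers": {"deploy:approve"},
    "admins": {"iam:admin", "code:read", "code:write"},
}
# Permission pairs one person should not hold at once (segregation of duties).
SOD_CONFLICTS = [("deploy:execute", "deploy:approve")]


def effective_permissions(user):
    """Union of the permissions granted through every group the user is in."""
    perms = set()
    for group in user["groups"]:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def review_findings(users=USERS):
    """Least-privilege / SoD exceptions to document (or fix) before submission."""
    findings = []
    for u in users:
        perms = effective_permissions(u)
        if u["status"] != "active" and perms:
            findings.append((u["user"], "disabled account still holds access"))
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.append((u["user"], f"SoD conflict: {a} + {b}"))
    return findings


def build_evidence(users=USERS):
    """Return (csv_text, sha256). The CSV is the artifact handed to the auditor;
    the hash lets you demonstrate later that the file was not altered."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["exported_at", datetime.now(timezone.utc).isoformat()])
    writer.writerow(["user", "status", "groups", "effective_permissions"])
    for u in users:
        writer.writerow([u["user"], u["status"], ";".join(u["groups"]),
                         ";".join(sorted(effective_permissions(u)))])
    text = buf.getvalue()
    return text, hashlib.sha256(text.encode()).hexdigest()
```

Record the returned hash alongside the export date in your evidence log; re-hashing the file at audit time shows it matches what was generated.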
We help along every step of this process for every control – ensuring that proper evidence is created and submitted in a timely fashion.
10. Ongoing Compliance Maintenance
Congratulations, you’ve completed your SOC 2 audit and are now compliant!
But your cybersecurity compliance journey doesn’t end here.
Once you get your first SOC 2, you will enter into an annual process of SOC 2 Type 2 reports. Many controls, such as change management, internal audits, and incident response exercises must be completed on a periodic basis. If not practiced regularly, you’ll fall out of compliance with the SOC 2 standard and wind up with a negative SOC 2 report that will NOT impress your customers.
We continue to provide support with these controls, annual audits, and continued cybersecurity program improvements for as long as you wish.
Conclusion
If the above areas sound like areas you’d like help with, please reach out to Fractional CISO here, or request a budgetary pricing estimate here. We have a 100% compliance program success rate. All of our clients have met their goals and more. You will too!