Startups! Here’s Your Guide to SOC 2: Readiness Assessment 

Tejas Ranade

3 Feb 2023

Part Two – Conducting a Readiness Assessment

To learn how to prepare for an audit, swing back to Part One

What is a Readiness Assessment?

A readiness assessment is the dry run before the official audit, so you can address potential issues before the actual audit takes place. It is not required, but highly recommended to identify any gaps and plan resource allocation. Proper preparation is key – not only will you save time and resources, you’ll ensure a successful audit. 

Readiness assessments can be conducted by your organization’s internal resources, a CPA firm, or a consulting company.

In our guide, we’ll be using SOC 2 as our example for conducting a readiness assessment.

How Do I Assess My Readiness?

You can start by identifying the relevant controls that need to be adopted. Having the proper controls is a vital part of the SOC 2 process, so let’s take a few minutes to outline these in more detail. This first step identifies your gaps, so you know what you currently have and what you need to start creating in terms of policies, controls, and systems.

In the case of SOC 2, there are five Trust Services Criteria (formerly known as the Trust Services Principles) to include, which cover both security and common criteria. Some are required (like security) and some are optional, depending on your company’s specific audit scope:

  • Security: Required. Demonstrates to an auditor that your systems are protected against unauthorized access and other risks that could impact your organization’s ability to provide services to your clients.
  • Availability: Optional. Applicable when service organizations need to demonstrate that their systems meet a certain standard of high-availability.
  • Confidentiality: Optional. Applicable to organizations that need to demonstrate that data classified as confidential is protected.
  • Processing integrity: Optional. Applicable to organizations that must demonstrate that system processing is occurring accurately and in a timely manner.
  • Privacy: Optional. Included when a service organization is in possession of personal information, to demonstrate this information is protected and handled appropriately.

The Security Criteria are designed to protect information and systems. The criteria used to test the Security Criteria are called the Common Criteria.

The Common Criteria, or CC-series 

CC1: Control Environment 

Covers the organization’s commitment to integrity and ethical values, evidenced by the employee handbook, code of conduct, board of directors oversight, and the ongoing monitoring of hiring and employee performance standards.

Examples of Controls: Employee manual, code of conduct, employee confidentiality agreement, board of directors oversight, security awareness training, employee performance reviews.

CC2: Communication and Information

Supports the proper functioning of internal controls by establishing communication channels for information surrounding quality control (lines of authority, boundaries of the system, relevant changes, etc.).

Examples of Controls: Customer support channel, release notification, escalation procedures.

CC3: Risk Assessment

Included to demonstrate that the service organization is assessing potential risks that will impact its operations and implementing plans to mitigate these risks.

Examples of Controls: Risk management, risk register, inventory management, fraud risks.

CC4: Monitoring Activities

Covers the ongoing evaluation of monitoring systems at the service organization and notification procedures to alert relevant personnel if a breakdown is detected.

Examples of Controls: Internal audit assessment review, vulnerability scanning, penetration testing, board of directors oversight.

CC5: Control Activities

Covers the process of identification, analysis, and mitigation of risks. The service organization should implement controls to mitigate the risks identified as part of its risk assessment. Controls are monitored on an ongoing basis, and risk assessment is performed at least annually.

Examples of Controls: Risk management, risk register, control owners.

CC6: Logical and Physical Access Controls

Restricts and manages logical and physical access to protect your information assets and prevent unauthorized access.

Examples of Controls: Multi-Factor Authentication (MFA), access review, terminated access, data retention, firewalls, IDS, Bring-Your-Own-Device (BYOD), data prevention tool.

CC7: System Operations

Manages your system operations to detect, monitor, and mitigate any deviations from set procedures.

Examples of Controls: Centralized logging and monitoring, incident response plan and testing, security events meeting. 

CC8: Change Management

Designs and implements a controlled change management process to prevent unauthorized changes.

Examples of Controls: Change management workflow, source code repository, automated deployment, production changes notification.

CC9: Risk Mitigation

Identifies, selects, and develops risk mitigation activities for risks that deal with business disruptions and the use of any vendor services.

Examples of Controls: Risk management, risk register, disaster recovery plan and testing, vendor risk assessment, and due diligence.

There are additional specific criteria for the availability, processing integrity, confidentiality, and privacy categories, and you can read more on those here.

Determine Systems and Business Processes

Once you’ve selected the right controls for your business and goals, the next step is to figure out which systems and business processes need to confirm these controls, and add them to your compliance program. 

We recommend using existing systems and processes for your initial readiness assessment rather than creating new ones. This approach will provide you with a baseline to improve later. 

Organizations should create a central location where collected evidence, the list of requirements, policies, and controls can be found. Doing so makes it easier to identify gaps. This can be automated with a tool like TrustCloud, or done manually in a spreadsheet.

You’ll need to validate the mapping between your implemented controls and the criteria requirements. This helps the auditor understand your approach and frame what you’ve created relative to SOC 2 requirements.

Friendly Tip: To help streamline the overall compliance process, consider purchasing the right security tools and services. We recommend performing pen testing, enrolling in asset management, and conducting background checks. We also have a full article dedicated to tools and services to help you in this process.

Share the Results and Remediation Plans

Spread the word about the self-assessment results to all the key players, such as stakeholders and those in charge of fixing any identified gaps. Give a rundown of what the self-assessment aimed to achieve, the internal controls that were examined, any newly found or unresolved gaps, and the plan to address them.

Don’t just see these meetings as a boring update – take advantage of them to establish a robust security culture and keep everyone on the same page when it comes to compliance.

Keep the Momentum Going

Executing a readiness assessment will help your organization reach new heights of security, privacy, and data protection. Not only will you and your company feel confident and credible, but you’ll also show your customers and stakeholders that you take security and privacy seriously. 

We at TrustCloud are pros at this kind of stuff. Our platform helps make processes like this faster for you, because we programmatically determine how your compliance program maps to various standards. Once we learn about your stack, we can show you where you stand. 

We also understand how expensive and complicated it can be, which is why we created a free SOC 2 Readiness Program for Startups. If you’re interested, sign up here and we’ll get you onboarded in less than 10 minutes.