What Makes a SOC 2 Audit Successful?

What happens after you receive your SOC 2 report? You’ve just used many resources – maybe even some that you were strapped to allocate – to go through a gap analysis, remediate the findings, and then begin the SOC 2 Type I and/or Type II audit. It’s a massive project that you should be proud to finish…but what now? What makes a SOC 2 audit successful? How do you make the most out of your compliance? Let’s take a look at four ways to prove that your SOC 2 audit was successful, using one of our clients’ SOC 2 audit journeys as an example.

iPost’s SOC 2 Compliance Journey

iPost is a flexible and dynamic marketing automation solution for email and mobile needs, built for marketers by marketers. Like many others in the marketing industry, iPost was being asked by clients and prospects for evidence of their commitment to data security. When iPost decided to pursue SOC 2 compliance, it felt nerve-wracking to begin such a big project. After completing a SOC 2 Type I audit, though, iPost’s CEO, Cameron Kane, said, “The real value in the SOC 2 audit is that we’ve become a better company. The audit forced us to grow, and that’s not an easy thing – but we did it.”

So, how did iPost know that their SOC 2 audit was successful? How can you know that your SOC 2 audit was successful? We’ll give you four key ways.

How Do You Prove Your SOC 2 Audit was Successful?

1. C-Level Support

During a SOC 2 audit, it’s incredibly important that C-level executives and stakeholders understand and support the audit and the organization’s overall information security needs. Without their support, how can any policies or procedures be implemented? Who will approve funding? Who will care about the outcome of the audit?

iPost’s CEO supported and understood the SOC 2 audit and its purpose, and that made all the difference in making their SOC 2 audit successful. Kane and his team interacted with an Information Security Specialist and the President of KirkpatrickPrice, Joseph Kirkpatrick. When Kane met with Kirkpatrick, the tone for the SOC 2 audit was set: Kane knew that it would be a long process, but also understood that the auditor’s intention was not to find sensitive areas and pour salt in the wound. Instead, the auditor was there to help, point, and direct iPost toward stronger security practices. Right away, iPost’s CEO knew that their SOC 2 engagement wasn’t going to be a stereotypical audit and helped his team understand that there was no reason to be guarded. Kane knew that the KirkpatrickPrice team and the iPost team were all working towards the same goal: to make iPost the best organization it can be. That C-level support made iPost’s SOC 2 audit much more successful.

2. Seeing Real Change Within Your Company

SOC 2 audits are meant to strengthen and enhance your business, yet many organizations are fearful of the process rather than seeing the benefits. At KirkpatrickPrice, we believe a SOC 2 audit is successful when you see real change at your company. This means that the audit isn’t something to be checked off a list every year, or just another IT line item to include in the budget. Instead, the audit is an opportunity to improve your business processes and your organization as a whole. At iPost, almost immediately following their SOC 2 Type I audit, they already felt a change among their employees. Phishing attempts were being reported like never before and procedures were being followed, all because they had buy-in from their staff.

3. Using Compliance as a Competitive Advantage

When an organization leverages compliance achievements as a competitive edge, it is taking full advantage of the achievement. After all, you just used a lot of time and resources to complete a SOC 2 audit – why not use it in marketing materials and sales conversations?

One of the reasons a SOC 2 attestation was so valuable to iPost is that it provided them with bigger, better sales opportunities. The opportunities are endless when you can demonstrate that you care about your customers’ data and have the evidence to prove it. iPost knows their competitors and others in their industry are being pushed towards a SOC 2 audit, and their proactivity has paid off. When they received their SOC 2 report, they were immediately able to close deals that depended on a SOC 2 attestation, use that achievement in sales conversations, and incorporate it into their marketing strategy.

4. Continuing the SOC 2 Journey

Many of our clients have the same feeling after completing an audit for the first time: it was a difficult process, but one that helped their company. After completing a SOC 2 Type I audit, iPost headed towards the next step: a Type II audit. They know that the next audit will still be difficult, but by following remediation guidance, they plan to become as prepared as possible for the SOC 2 Type II audit. When asked what he would say to other organizations considering pursuing SOC 2 compliance, Kane said, “First, it’s not going to be as bad as you think it’s going to be, even if you feel strapped for time and resources. Second, you really can use it in a sales environment. Lastly, your auditor is not there to ‘get you’ – they’re there to help you!”

So, what makes a SOC 2 audit successful? If you’ve gained C-level support that cultivates a culture of compliance, if you see real change within your company that supports security and privacy standards, if you utilize your compliance in sales and marketing, and if you want to continue the SOC 2 compliance journey, then you know you’re making the most out of your compliance efforts.

Are you considering pursuing SOC 2 compliance, but don’t know if it applies to your business or where to start the process? Contact us today to talk through your compliance objectives.

More SOC 2 Resources

SOC 2 Academy

Was the Audit Worth It?

Was the Gap Analysis Worth It?

Why Quality Audits Will Always Pay Off: You Get What You Pay For

SOC 2 vs. ISO 27001: Which One Do You Need?

SOC 2 and ISO 27001 audits are similar in intention; they both help organizations protect the data that they are responsible for. How are they different, though, and which one meets your organization’s needs?

What is a SOC 2 Audit?

A SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s internal controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. The Trust Services Criteria are relevant to the services of organizations in these ways:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

The result of a SOC 2 audit is a report validating the organization’s commitment to delivering high quality, secure services to clients. This compliance can be a powerful market differentiator.

What is an ISO 27001 Audit?

ISO 27001 is the only internationally accepted standard for governing an organization’s information security management system (ISMS). The ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

The ISO 27001 standard regulates how organizations create and run an effective ISMS through policies and procedures and the associated legal, physical, and technical controls that support an organization’s information risk management processes. It’s vital that an ISMS is integrated with the organization’s processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls.

Sections four through ten of the ISO 27001:2013 requirements provide the core guidelines for compliance with the standard.

  • Section 4: Context of the Organization
  • Section 5: Leadership
  • Section 6: Planning
  • Section 7: Support
  • Section 8: Operation
  • Section 9: Performance evaluation
  • Section 10: Improvement

Organizations may choose to perform an internal audit against the ISO 27001 standard and not pursue certification. Like many other frameworks, certification is possible but not mandatory. If your organization wants a professional, independent auditing firm to perform the ISO 27001 audit, be sure to perform due diligence to verify that the firm has the knowledge and expertise to do so. ISO 27001 certification does require an accredited certification body to issue the certificate. Undergoing an ISO 27001 audit, even if certification isn’t pursued, can be an effective way to meet the requirements of your international business partners.

What Type of Compliance Do I Need?

No one wants to work with an at-risk vendor. Do you want to give consumers a reason to trust your services? Both ISO 27001 and SOC 2 compliance can help your organization maintain loyal clients and attract new ones, operate more efficiently, avoid fines for non-compliance or from breaches, and most importantly: assure clients that their sensitive data is protected. But which one meets your organization’s needs?

It all comes down to who your clients are, where your clients are, and what they require of you. If you are proactively pursuing compliance and the majority of your client base is in the United States, we recommend starting with a SOC 2 audit. If you are operating internationally or have a specific requirement from a client to undergo an ISO 27001 audit, then that internationally accepted standard would be a better fit for your organization.

Both of these audits provide a competitive advantage that is priceless in today’s threat landscape. If you need help deciding which audit meets your organization’s needs, we are here to help. Contact us today.

More Assurance Resources

ISO 27001 FAQs

What’s the Difference Between SOC 2 Type I and SOC 2 Type II?

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

What Type of Compliance is Right for You?

Why Would a Healthcare Organization Need a SOC 2?

No one wants to work with an at-risk healthcare provider. If someone is looking to use your services, they want to know how secure your healthcare organization actually is. You may think that you have a secure healthcare organization, but does an auditor? With more and more healthcare security breaches being reported to the HHS, it’s more important than ever for covered entities and business associates to demonstrate their commitment to keeping protected health information (PHI) secure, providing quality healthcare services, and putting their patients’ well-being first. Let’s look at how a SOC 2 audit could bring value to your organization’s reputation, marketing initiatives, and competitive advantage.

What is a SOC 2?

A SOC 2 is perfect for both covered entities and business associates that want to reassure their clients that their information is secure, available, and confidential. It’s become increasingly common for organizations to request that their vendors become SOC 2 compliant so they can ensure that the healthcare organizations they work with have strong security postures.

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. When determining which Trust Services Criteria apply to your organization, consider the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

While the responsibilities of covered entities and business associates vary, typically a healthcare organization will choose to be evaluated against the security, availability, and confidentiality categories. If a client can’t be assured that you have reliable, secure processes for securing protected health information, why would they choose to work with you?

Why Should Healthcare Organizations Include the Privacy Category?

Aside from choosing the security, availability, and confidentiality categories, it might make sense for a healthcare organization to include the privacy category in their SOC 2 audit. Consider a doctor’s office – what’s one of the first items that the receptionist hands you? A Notice of Privacy Practices. Why? You’re about to disclose personal information about your medical conditions to a medical provider, as well as provide them with other personal information like your date of birth, insurance information, and the list of medications you’re on. What if the office shares that personal information with a marketing company so it can advertise new prescriptions to you? What if they share it with a research organization that’s conducting research about treatments for your condition? What if they give that information to other medical providers who are providing services to you, or to an insurance company? That Notice of Privacy Practices must fully inform you of who your personal information will be shared with. By including the privacy category in your SOC 2 audit report, you’ll be able to ensure that your organization is handling client data in accordance with the commitments made in your privacy notice.

Benefits of SOC 2 Compliance for Healthcare Organizations

Undergoing a SOC 2 audit demonstrates that your healthcare organization is invested in providing secure services and remains committed not only to keeping PHI secure, but also to ensuring that your patients receive quality healthcare services. Your reputation, business continuity, competitive advantage, branding, and most importantly, your patients’ health all depend on the quality and security of your systems and can benefit from SOC 2 compliance.

The healthcare industry is based on customer trust. If a client can’t trust your services, why would they choose to use them? If a patient is victimized as the result of your lack of due diligence, what would be the impact to their health and livelihood? If your organization suffers a data breach, the negative impact to your reputation would be a ripple effect. Once your healthcare organization has been successfully attacked and patients’ PHI has been exposed, you’ve put your organization on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, larger, educated prospects won’t want to work with you, lawsuits and fines will begin to surface, and patients could face life-threatening consequences. The continuity of your business and your patients’ well-being depends on securing your systems.

On the other hand, if you do pursue SOC 2 compliance and achieve attestation, your healthcare organization will have a new branding tool. You can market your organization as having reliable, secure services. There are so many possible ways to incorporate your compliance into your branding methodology, too. We always recommend that our clients leverage their compliance as marketing material, and we strive to help them find ways to do so.

When you partner with an auditing firm that educates you and performs a quality, thorough audit, you gain a valuable competitive advantage. Does your competition have a SOC 2 audit report? If not, you’re ahead of the game. Even if they have gone through a SOC 2 audit, was it a quality audit? You want to be educated on what a quality audit looks like so you can explain to prospects why your SOC 2 audit report holds more value than a competitor’s. Having a SOC 2 audit report from a licensed, quality-driven firm also opens you up to a whole new marketplace of prospects who are knowledgeable about security and are looking for a vendor with SOC 2 compliance.

Even with all of these benefits, you may be wondering what the penalties of not pursuing SOC 2 compliance are. These questions may help you understand the scope of the implications if you don’t invest in SOC 2 compliance:

  • How would your organization’s reputation be damaged if you suffered from a data breach?
  • Would your clients stay loyal to you if they know that your healthcare organization couldn’t secure their information?
  • What future sales would you lose if your healthcare organization suffered from a data breach?
  • How are you validating that your security and privacy practices are in place and effective?
  • How happy would your competition be if you suffered from a data breach?
  • What’s your potential exposure to lawsuits if you suffered from a data breach? What fines would you pay?
  • How much would it cost to investigate a data breach and notify clients who were impacted?

The potential loss of business from a breach far outweighs the cost of SOC 2 compliance, and, more importantly, a breach poses potentially life-threatening consequences for patients. Isn’t that enough reason to pursue SOC 2 compliance? We think so. Our Information Security Specialists want to be your audit partner, your second set of eyes validating that your security and privacy practices are effective. Let’s start planning your SOC 2 audit today.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

What is the Purpose of the SOC 2 Privacy Category?

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

How Can a SOC 2 Bring Value to MSPs?

As vendors, managed service providers (MSPs) are sought out to help entities create and maintain a strong security posture – they shouldn’t bring more risk into their clients’ environments. When organizations engage with MSPs, they want to know how secure the MSP really is and will often ask that the MSP undergo a SOC 2 audit before engaging with their services. So, while you may think that your services are secure, will an auditor? Will a malicious hacker find vulnerabilities to exploit? Let’s take a look at how a SOC 2 audit could bring value to MSPs’ reputations, marketing initiatives, and competitive advantages.

What is a SOC 2?

It’s no secret that engaging with vendors increases the risks that organizations must account for, which is why more and more organizations have asked that their MSP receive a SOC 2 attestation before doing business with them. But what is a SOC 2 audit and how can it benefit an MSP? It’s simple: a SOC 2 audit is a perfect fit for MSPs that want to reassure their current and potential clients that their information is secure, available, and confidential. For MSPs that are looking to continue partnerships with their clients or gain a competitive advantage, a SOC 2 audit is a great place to start.

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s internal controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. When determining which Trust Services Criteria apply to your organization, consider the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

Typically, an MSP will choose to be evaluated against the security, availability, and confidentiality categories. If a client can’t be assured that you have reliable, secure processes for protecting the information systems they’ve entrusted you to manage, why would they choose or continue to work with you?

Benefits of SOC 2 Compliance for MSPs

When an MSP undergoes a SOC 2 audit, it demonstrates that they are invested in providing secure services and ensuring that their clients’ information security assets remain protected. An MSP’s reputation, business continuity, competitive advantage, and branding all depend on the quality and security of its systems and can benefit from SOC 2 compliance.

As vendors, MSPs depend on trust. If a client can’t trust your services, why would they choose to use them? If your organization suffers a data breach, the negative impact to your reputation would be a ripple effect. Once your organization has been successfully attacked and customers’ information systems exposed, you’ve put your organization on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, prospects will stop inquiring about your services, and lawsuits and fines will begin to surface. The continuity of your business depends on securing your systems and proving that you are, in fact, a secure MSP.

If you do pursue SOC 2 compliance and achieve attestation, you will have a new branding tool that will help you better position yourself as a reliable, secure MSP. There are so many possible ways to incorporate your compliance into branding methodology. We always recommend that our clients leverage their compliance as marketing material, and we strive to help them find ways to do so.

When you partner with an auditing firm that educates you and performs a quality, thorough audit, you gain a valuable competitive advantage. Does your competition have a SOC 2 audit report? If not, you’re ahead of the game. Even if they have gone through a SOC 2 audit, was it a quality audit? You want to be educated on what a quality audit looks like so you can explain to prospects why your SOC 2 audit report holds more value than a competitor’s. Having a SOC 2 audit report from a licensed, quality-driven firm also opens you up to a whole new marketplace of prospects who are knowledgeable about security and are looking for a vendor with SOC 2 compliance.

Even with all of these benefits, you may be wondering what the penalties of not pursuing SOC 2 compliance are. These questions may help you understand the scope of the implications if you don’t invest in SOC 2 compliance:

  • How would your organization’s reputation be damaged if you suffered from a data breach?
  • Would your clients stay loyal to you if they know that your organization couldn’t secure their information?
  • What future sales would you lose if your managed services suffered from a data breach?
  • How are you validating that your security and privacy practices are in place and effective?
  • How happy would your competition be if you suffered from a data breach?
  • What’s your potential exposure to lawsuits if you suffered from a data breach? What fines would you pay?
  • How much would it cost to investigate a data breach and notify clients who were impacted?

The potential loss of business from a breach far outweighs the cost of compliance. Our Information Security Specialists want to be your audit partner, your second set of eyes validating that your security and privacy practices are effective. Let’s start planning your SOC 2 audit today.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

5 Strategies to Keep You From Wasting Time on Security Questionnaires

If you’re a start-up trying to win new clients, the dreaded security questionnaires are coming your way. Or, let’s say you’re a midsize business that has been operating for years and is bidding on an enterprise-level prospect – a security questionnaire request is in your future. Even we, as an information security auditing firm, are frequently asked about the security of our Online Audit Manager.

The questions may seem irrelevant, repetitive, and unreasonable. Or – maybe you know that you don’t have good answers. For start-ups, a security questionnaire may prompt the first time they’ve truly evaluated their security practices. For a midsize business, it may be a frustrating process to constantly fill out similar, but slightly custom questionnaires for every prospect. The intention behind security questionnaires, though, is a good one. Because so much responsibility lies in the hands of vendors and business partners, an organization has to complete its due diligence to protect its reputation, operability, and financial health.

Compliance from the Start

A client recently told us, “Compliance cannot be an afterthought. If you’re starting a business, please think about information security first.” We completely agree with this sentiment. A business that is driven by security and integrity will create a quality service or product.

One of our auditors, Shannon Lane, says it best. “A compliance program is usually viewed as a cost center, an impediment to business practices, and a headache that seems to get worse year after year. And yet as auditors, we know that a system built with compliance in mind isn’t usually more expensive than a faster, easier solution. A business process or IT solution is hard to change, especially once it becomes core to the enterprise and its operations. Every shortcut taken in the design process, technology solution, or internal system haunts the company forever. It’s always lurking there, waiting to interrupt just when you think you’re prepared. That’s why creating a culture of compliance throughout your organization is so important. A compliance program must be made a priority from the beginning.”

Security questionnaires are tedious, but they’re trying to determine whether you’re an organization that values security, availability, confidentiality, integrity, and privacy. Are you going to bring more risks into a prospect’s environment? Are you going to provide them with a secure service? Will you hinder their business objectives or facilitate more opportunities?

Saving Time on Security Questionnaires

It’s difficult to know whether the company sending you a security questionnaire will put stock in the answers, and how much those answers will impact the outcome of the deal. Or – what if you refuse to answer the security questionnaire, and they still choose to work with your organization?

Many organizations adopt the approach of refusing to release any information about their security practices, even during an audit. They tend to think, “By not sharing information, we’ll be more secure. Just trust us.” It’s the ultimate security paradox. The truth is, the more you isolate yourself, the less secure you are. You never have the internal blinders removed to get a new perspective. You never get to hear new strategies based on your practices. Even AWS provides information on their compliance programs, penetration testing practices, cloud security, and data privacy practices. AWS isn’t saying, “Just trust us.” They’re giving evidence of how they serve their customers best.

Alternative approaches to satisfy a security questionnaire request may include:

  • SOC 1 and SOC 2 reports contain an independent service auditor’s report, which states the auditor’s opinion regarding the description of a service organization’s systems, whether the systems were presented fairly, and whether the controls were suitably designed. As a result of the additional risks that vendors bring to their business partners, more and more organizations are asking for SOC 1 or SOC 2 attestations.
  • An FAQ on your organization’s internal security practices, summarizing your commitment to security and the actions you take to implement controls at your organization, could go a long way in demonstrating your “compliance from the start” attitude.
  • Allowing a potential business partner to review your breach notification policy, incident response plan, disaster recovery plan, or internal information security policy may be enough evidence to satisfy their request.
  • Formal risk assessments allow organizations to identify, assess, and prioritize organizational risk. By proactively undergoing a risk assessment, you may prove that you’ve evaluated the likelihood and impact of threats and have an effective defense mechanism against a malicious attack.
  • If your organization knows it’ll be filling out a lot of security questionnaires in the future, try filling out one of the many security questionnaire templates available online to formulate your answers and potentially see where your gaps are.

If you’d like more information on how to tackle security questionnaires, contact us today. We can provide many ways for your organization to demonstrate your commitment to secure practices.

More Resources

How to Read Your Vendor’s SOC 1 and SOC 2 Report

Getting Executives on Board with Information Security Needs

The First Step in Vendor Compliance Management: Risk Assessments

How Can a SOC 2 Bring Value to Your SaaS?