33 Essentials for Your SOC 2 Readiness Assessment
March 12, 2021
SOC 2
If you are considering a SOC 2 Readiness Assessment, now is the time to think critically about what you want out of that process. Most companies pursuing a SOC 2 Readiness Assessment see it as their smooth on-ramp into a full SOC 2 examination. And, they see it as a way to preemptively identify and resolve any major gaps in their security program.
In almost any imaginable case, that approach is dramatically better than getting knee-deep into an audit and discovering that you have a huge pile of urgent remediations that you need to take care of in order to obtain a clean SOC 2 report (an "unmodified opinion"). If you find yourself discovering major SOC 2 shortcomings during an audit, something went very wrong during your readiness effort.
So, SOC 2 Readiness Assessments are a good thing, right? Yes. But only if you pick one that is rooted in TSP Section 100.
A Road Trip Without a Map
Before we get deep into TSP Section 100 and how it relates to SOC 2 Readiness Assessments, some context-setting is in order.
Imagine that you are embarking on a cross-country road trip. You've got a particular destination in mind -- a city that holds some meaning to you. You conceptually know what direction it is from your current location. Perhaps it's a long journey westward -- a day or two of driving. As you reflect on the destination you are headed to and the westward journey to get there, the big picture is clear -- you know the destination and you know approximately what direction to head.
Now, imagine your journey will be with no map of any kind.
All good? Probably not. You'll have dozens of small decisions to make along the way -- left or right, this exit or that one, this interstate or that one -- and any one of those decisions can put you far from the fastest route to your destination.
You'd better use a map, after all.
TSP Section 100 & SOC 2 Common Criteria
The idea of a cross-country road trip with a specific destination in mind, but no map to get there, is very much like an effort to prepare for SOC 2 without a SOC 2 Readiness Assessment that maps very specifically to TSP Section 100.
Good news: TSP Section 100 is readily available for download by anyone (from AICPA). Bad news: only "industry insiders" know the norms of how auditors most frequently interpret various criteria specified in TSP Section 100.
33 Common Criteria for SOC 2 Readiness Assessment
There are 33 "common criteria" (to use auditor lingo) that are defined in TSP Section 100. Here are a few snippets of key parts of these common criteria, to give you a flavor for what they are like:
- Excerpt from CC1.1: "The entity demonstrates a commitment to integrity and ethical values."
- Excerpt from CC3.2: "The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed."
- Excerpt from CC3.3: "The entity considers the potential for fraud in assessing risks to the achievement of objectives."
We've got 30 other excerpts we could share too. Want 'em? No?
What do the 33 Common Criteria Really Mean?
There's a reason why most founding teams don't hop straight into TSP Section 100 to handcraft their own internal task list for SOC 2 readiness. The above excerpts don't exactly point you to the particular security controls that an auditor might ask you to satisfy.
What you really need at that point is a SOC 2 Readiness Assessment that suggests specific security controls relevant to each specific criterion: ones that leading auditors often ask for, and ones that are practical and easy for you to implement given limited time and limited resources.
Would you have guessed that one of the most common items an auditor asks for on CC1.1 is an employee handbook? Would you have guessed that CC3.2 often leads to an auditor asking for evidence that you have recurring risk assessment meetings that monitor likelihood and impact? Would you have guessed that CC3.3 often leads to a discussion around how you track your software and hardware IT asset inventory?
None of this is "knowable" by just reading TSP Section 100. It's only "knowable" if you spend a ton of time getting to know SOC 2 auditors and discussing their perspectives on what evidence they most frequently request for each particular common criterion.
And that's exactly what we do at Havoc Shield. We get to know many of the leading SOC 2 auditors, we discuss common criteria with them, and gain insight into the types of evidence that they most often choose to review.
SOC 2 Readiness Assessment - Easy to Get Started
One of the absolute easiest ways to begin your readiness effort is to start a free trial of Havoc Shield, choose the "SOC 2" project, and work through the 33 items that give you some level of coverage on each common criterion. Your auditor (we're glad to recommend one) may ask for some things you (and we) could never anticipate. They may not ask for every item that you prepared. But you can bet that you'll be way ahead of companies that hop straight into a SOC 2 audit with no knowledge of the common criteria and no archive of evidence associated with the company's efforts towards each of the common criteria. Companies without preparation around the common criteria are embarking on a cross-country road trip without a map.