One 5-figure invoice and an eight-month waiting period later, and you’ve finally received your SOC 2 audit.

So, now what?

On the other side of this considerable investment of time and money, it helps to have a structured, checklist-style post guiding you through the post-SOC 2 audit process. This article addresses all of the due diligence requirements after receiving a SOC 2 audit, and clarifies some of the common misunderstandings cybersecurity teams have when it comes to SOC 2 reports.

1. Share your SOC 2 Audit with Sales Prospects

SOC 2 audits are among the most useful resources for turning prospects into customers. They demonstrate the exemplary information security standards of your data centers, increasing a prospect’s trust in the safety of their customer data - a considerable win given that third-party breaches are a growing concern amongst SaaS partners.


Integrate SOC 2 audit report sharing into your sales cycle - but in a way that complements and simplifies sales efforts. This is most efficiently achieved by sharing all completed cybersecurity documents (including your SOC 2 report) on a secure cybersecurity profile, also known as a Shared Profile on the UpGuard platform.


Shared Profiles host any cybersecurity information likely to be requested by prospects or existing business partners in one public-facing location. This information could include completed risk assessments and certifications. By uploading a SOC report to a Shared Profile, companies commonly required to provide these reports (such as SaaS companies, service providers, service organizations, etc.) can do so by simply providing access to their Shared Profile.

SOC 2 reports contain confidential information. Access to these reports must also be gated with an NDA.

Remember, unlike SOC 1 and SOC 3 reports, SOC 2 reports contain confidential and sensitive information that should only be shared internally or with prospective customers. To prevent data leakage, all SOC 2 reports hosted on a Shared Profile must be guarded by an NDA.


UpGuard’s Shared Profile includes an NDA feature to protect against unauthorized access to sensitive documents.

Remember, only SOC 2 reports need to be protected with an NDA. SOC 1 and SOC 3 reports don’t disclose sensitive information and so can be freely shared with the public.

Once a Shared Profile solution is in place, it can be integrated into the Nurture stage of the Sales Cycle, where any major concerns potentially blocking a sale are addressed and completely dispelled from a prospect’s mind.

Shared Profile mapping to the nurture stage of the sales lifecycle.

Important: SOC reports are not intended to be primarily used as a sales tool. They help prospects perform vendor due diligence by providing critical information about your internal security controls. However, by demonstrating your commitment to an improving security posture, SOC reports help to convince sales teams of your value as a potential business partner.

UpGuard’s Shared Profile feature allows sales teams to provide access to your Shared Profile via a direct link or an email invite. The option of sharing via a direct link is particularly beneficial when nurturing leads via LinkedIn.

Direct link sharing of UpGuard's Shared Profile feature.

2. Share Your Official SOC for Service Logo

Don’t be shy. With all the work you put into getting your SOC 2 audit, you’ve earned the right to show off your efforts! SOC logos are recognizable representations that your organization has undergone a SOC engagement within the prior 12 months. To access your SOC logo, submit your registration to the AICPA here.

Before using your SOC logo, be sure to read the AICPA's terms and conditions of use.

Your AICPA logo can be displayed on:

  • Your website - provided that the logo is hyperlinked to the URL: www.aicpa.org/soc4so
  • Engagement proposals - provided that the URL www.aicpa.org/soc4so is displayed within the proximity of the logo.
  • Your social media posts - provided that the URL www.aicpa.org/soc4so is displayed within the proximity of the logo.
  • Physical media prints - provided that the URL www.aicpa.org/soc4so is displayed within the proximity of the logo.

SOC logos cannot be modified in any way, with the exception of sizing.

If you create a dedicated SOC 2 report page on your website describing the details of your SOC audit (i.e., Type 1, Type 2, etc.), be sure to post your SOC logo there. Consider also including a link to your Shared Profile in case your sales team finds it helpful to share this page with prospects.

If sensitive documents on your Shared Profile are guarded by an NDA, it won’t matter if this web page is discovered and accessed by general users.

3. Establish a Culture of SOC 2 Adherence in the Workplace

To increase your chances of getting a positive SOC report during every 12-month audit cycle, you will need to raise the bar for security practices in the workplace. Update your security awareness program to include best practices within the framework of SOC 2 controls.

Instilling a culture of SOC 2 control alignment isn’t just achieved by changing the mindset of your employees. Think of this effort as a compliance program for your entire organization, where every aspect of your processes and security programs is adjusted to map to SOC 2 controls.

Some examples of business areas that are impacted by SOC 2 controls include:

  • Security policies - Especially data security policies.
  • Remediation policies - Remediation policies should prioritize risks and control environments with the highest likelihood of impacting SOC 2 alignment.
  • Internal Controls - Like remediation policies, security measures must be optimized to prioritize risks threatening SOC 2 alignment with organization controls.
  • Stakeholders - Stakeholders need to be aware of the importance of SOC adherence and kept informed of your alignment efforts through executive reports.
  • Risk Assessments - Update your internal assessment policies based on which Trust Services Criteria apply to your business. For example, if you sell in the European Union, your business must comply with the GDPR.
  • Applicable Regulations - SOC 2 controls map to some regulatory standards. To prevent excessive efforts, you will need to identify areas of overlap between applicable regulations and SOC 2 controls. For example, SOC 2 controls could support compliance with HIPAA.

4. Continuously Monitor SOC 2 Controls

With the efficacy of your SOC 2 controls confirmed by your SOC type 2 audit, you are responsible for ensuring this efficacy continues until your next compliance audit in 12 months.

There are several ways this can be done.

  • Custom Security Questionnaires - Build custom questionnaires based on the unique efforts your internal teams must follow to maintain SOC 2 adherence. Readiness assessments can also be created from custom questionnaires.
  • Attack Surface Monitoring Solution - An ASM solution could help you discover risks threatening SOC 2 control alignment and also support compliance across a range of SOC 2 standards, like CC3.2.
  • Independent Assessments - Have assessments performed by third-party auditing firms to assess alignment with trust service principles, including processing integrity, operating effectiveness, etc. Use this information to complete a gap analysis well before your next audit period.

5. Be Prepared to Still Receive Security Questionnaires

For many, a primary incentive for completing a SOC 2 audit is to reduce the number of security questionnaires their team will need to complete. While it’s true that, because of common criteria mapping, SOC 2 alignment will likely result in some cyber frameworks and regulations requiring less querying, it’s important to remember that Type II auditors are CPAs, not security professionals.

Auditors work for CPA firms, which makes them primarily financial experts. As such, their understanding of the nuances of cybersecurity control efficacy is limited. You are still likely to receive security questionnaires when knowledge gaps about security controls need to be filled.

The comprehensiveness of your security questionnaires depends on the type of report that was supplied, and whether vendor compliance is being assessed. If you provided prospects and clients with SOC 1, SOC 2 Type 1, or SOC 3 reports, detailed questionnaires are likely still required since these types of reports only provide a high-level overview of your information security standards. Since SOC 2 Type 2 reports also confirm the efficacy of internal controls, the questionnaires you receive will likely be modified to be shorter - if they are even required.

Because each service provider’s risk exposure is so unique, businesses must implement customizable questionnaires into their Vendor Risk Management program to support efficient workflows.


Some examples of frameworks and regulations that map to SOC 2 include:


If you’re implementing any of the above, refer to this resource by AICPA for guidance on mapping to the SOC 2 trust criteria.
