Prepare for Implementation

Shared Responsibility Model

In all engagements for a SOC 2 attestation, there is a shared responsibility model between you as the lead implementer, the service auditor, and the organization. That model rests on trust between all three parties.

Lead Implementer - As the lead implementer, you are responsible for the gap analysis assessment, for designing and implementing controls, and for acting as a vital communication line back to the organization.

Service Auditor - The service auditor runs point on the engagement from an audit perspective: requesting samples and examining testing output against the controls.

Organizational Roles - The organization's responsibility is to listen and to ensure that deadlines are met in order to achieve a desirable and favorable attestation report. The organization will need to work in tandem with the lead implementer to ensure the following: roles are known, timelines are set, and evidence is collected in a timely fashion.

Key Stakeholder Identification

Setting the tone

After the organization has selected an auditing firm for the engagement, it is important that you, as the lead implementer or consultant, define who from the organization will be in charge of assisting with the following responsibilities. This should include multiple people from different departments within the organization.

Responsibilities of Organization

  - Control Design
  - Policy Owners
  - Creation of System Description
  - Define Control Owners
  - Managed Services
  - Process & Procedures Owners
  - Evidence Collection
  - Identification of Sub Service Providers
  - Management Response Team

Stakeholder identification is important because it gives you the opportunity not only to meet the team you will be working with for the foreseeable future, but also to establish relationships with team members, since SOC 2 has a rolling audit period.

Please note that the list above does not encompass everything needed for stakeholder identification. Every organization and platform is different; be sure to take the time to understand the organization, the technology, and most importantly the people that make the magic happen.

Technical, Procedural, and Administrative Controls Implementation

Earlier in this course we discussed three different types of internal auditing controls: detective, preventative, and corrective controls. Now we will discuss technical, procedural, and administrative controls.

*Technical Control* - A control that is implemented by a technical system or device.

Examples - Anti-malware, Security Information and Event Management (SIEM) system

*Procedural Control* - A process in which employees or software perform an action to achieve the desired result.

Examples - User access review, Annual policy updates, Endpoint compliance reviews

*Administrative Control* - A guideline that a business or business unit publishes in order to meet compliance objectives or the law.

Examples - New company policy, Code of conduct

Each company will have different controls depending on its size and the technology it uses. However, the overarching objectives of the controls are the same regardless of the technology. You will find that one company may use a manual process to satisfy a technical control, whereas another may have the same control covered end to end with automation.

Control deficiencies and Implementation

Now that we have covered these control types and what they entail, your job as a consultant or lead implementer is to assess, after the gap analysis, whether any new controls need to be designed to ensure the organization meets its compliance requirements.

Prioritization

*Keeping the organization on track*

While there are many steps in preparing an organization for a SOC 2 attestation, there is nothing more rewarding than keeping them on track. Listed below is a prioritization list; it should be adapted to your project plan and the organization's needs.

*Prioritization list*

  1. Selecting an Auditor

  2. Identification of Key Stakeholders

  3. Performing a Gap Analysis

  4. Selecting and Designing Controls

  5. Control Implementation

  6. Control Monitoring

  7. Submission of Evidence

Your job will be to prioritize both the auditor's needs and the organization's needs while maintaining an open line of communication with both parties. The list above is in chronological order of what should be completed from a project planning perspective.

*Prioritization of Controls*

After you have identified gaps with the organization, you will need to sit down and have a detailed conversation with them. This will include discussing potential budgetary adjustments to ensure the organization is committed to achieving a satisfactory SOC 2 attestation.

You will need to lay out and define the missing controls that must be in place to achieve the Trust Services Criteria the organization selected. At a minimum, they must comply with the common criteria. Where only one control is identified to address a common criterion, it may be worthwhile to design and implement another. Having a "backup" control in place helps prevent the common criterion from failing if the first control does.
