Getting ready to tackle the daunting task of becoming SOC 2 compliant? One of the first things you’ll need to understand is the requirements that an auditor will be assessing your business against and the common controls businesses implement in order to meet them.
So, what exactly is a control? And how can you make sure you’re choosing the right ones? Read on to find out.
First, What is a Control?
Forget about SOC 2 for a second, and let’s first explain what a control is in general. In simplest terms, a control is a system, process, or policy you put in place to prevent a bad thing from happening, or to reduce its likelihood or impact. A bicycle helmet is a control to help avoid a head injury!
Now, What is a SOC 2 Control?
SOC 2 is made up of 5 trust services criteria (TSC) categories totalling 64 individual criteria, which are NOT controls – they are more like “requirements.” SOC 2 controls, therefore, are the individual systems, policies, procedures, and processes you implement to comply with these SOC 2 criteria.
For each trust services criteria (TSC) you choose to cover with your SOC 2 audit, there is a list of requirements (or “criteria”) that your auditor will assess your compliance against. Controls are what you implement to meet those requirements, and the auditor is attesting to the design and/or operating effectiveness of those controls.
If your audit covers security only, your auditor will typically be looking for 80 – 100 controls. As you add more TSCs to your audit (privacy, availability, processing integrity, or confidentiality), each will come with its own set of requirements that your business has to meet and controls you design and implement to satisfy them.
Controls to Satisfy Common Criteria (Security TSC)
When customers and prospects ask you for a SOC 2 report, they are usually focused on security. Are your systems secure? Can you protect their data? Are you vulnerable to breaches? Or are you perfectly aligned with security best practices?
These are the questions top-of-mind for most. And they’re the questions a SOC 2 audit and resulting report is designed to answer.
To answer them, the audit typically looks for 80 – 100 controls — by far the longest, most complex list of any of the TSCs. Keep in mind that these controls aren’t hard and fast rules from the AICPA—they’re the things you put in place to meet the requirements put forth by the AICPA.
Some of the common controls are exactly what you’d expect: tech systems designed to keep data and systems secure. But those new to SOC 2 are often surprised to learn that the requirements go farther than that, encompassing administrative policies and procedures, vendor management, risk assessment, security training, and employee onboarding and offboarding (among other things).
So, what do the requirements and security controls look like? The list is a long one, but here are a few key examples:
Password Policies
How safe are your passwords? Are employees following your password policies? Do you have password policies?
Compliance with this requirement is often achieved with the control of enforcing the use of a password manager like 1Password or LastPass.
Security Awareness Training
Have employees been trained in your security protocols, phishing simulations, do’s and don’ts, and—importantly—can you prove it? SOC 2 won’t necessarily tell you what your security protocols should be (and that’s a good thing—since every business is a bit different). But it will ask you to prove that you have consistent policies in place and that your employees have acknowledged them, been trained on them, and follow them.
This means developing protocols and training, and tracking employee compliance with them.
Employee Offboarding Controls
Do your systems automatically restrict access when someone leaves the company? Or is that account still there and now vulnerable? SOC 2 security audits require that you have controls in place to keep departures from turning into security breaches.
Physical Access Controls
What systems do you have in place to prevent unauthorized access? These controls may include door locks, employee ID card requirements, and security gates.
Incident Response
How do you recover from major incidents? How do you restore your systems, communicate with your customers, get to the bottom of the issue, and resolve it once and for all?
To meet these requirements, you’ll need strong policies, procedures, and systems in place to recover from incidents when they arise. You’ll also need to prove that you test these policies every year by running simulations. Practice makes perfect!
Multi-Factor Authentication (MFA or 2FA)
Are your system logins secure? Do you know for sure that only the people who should have access do have access? Multi-factor authentication is a common control put in place to secure logins and prove that access is limited to those who need it.
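The offboarding and MFA controls above are the kind that lend themselves to a repeatable, automated test rather than a once-a-year checklist. The following Python script is an added example (it is not from the original article and not Drata’s code): it reconciles a constructed HR roster against a constructed identity-provider export and reports every active account belonging to a departed employee, every active account HR has no record of, and every active account without MFA enrolled. The export field names (`status`, `mfa_enrolled`), the `ACTIVE`/`DEPROVISIONED` status values, and the one-day grace period are assumptions for the example, not any real provider’s schema.

```python
"""Control test for two SOC 2 security controls: employee offboarding and MFA.

Reconciles a constructed HR roster against a constructed identity-provider
export. The export schema (status, mfa_enrolled) is an assumption made for
this example, not a real provider's format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    control: str  # which control failed: "offboarding" or "mfa"
    account: str  # the account the finding concerns
    detail: str   # human-readable evidence for the auditor


# Constructed HR roster: email -> termination date (None means still employed).
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": date(2024, 4, 30),   # left, but see IdP export below
    "carol@example.com": date(2024, 5, 10),  # left and was deprovisioned
    "dave@example.com": None,
}

# Constructed identity-provider export (assumed schema).
IDP_USERS = [
    {"email": "alice@example.com", "status": "ACTIVE", "mfa_enrolled": True},
    {"email": "bob@example.com", "status": "ACTIVE", "mfa_enrolled": True},
    {"email": "carol@example.com", "status": "DEPROVISIONED", "mfa_enrolled": True},
    {"email": "dave@example.com", "status": "ACTIVE", "mfa_enrolled": False},
    {"email": "svc-backup@example.com", "status": "ACTIVE", "mfa_enrolled": True},
]

# Date the control test is run (constructed).
AS_OF = date(2024, 5, 15)


def check_offboarding(roster, users, as_of, grace_days=1):
    """Flag accounts still ACTIVE after an employee's termination date (past a
    short grace period for same-day processing) and active accounts that HR
    has no record of, which are orphaned until someone confirms ownership."""
    findings = []
    for user in users:
        if user["status"] != "ACTIVE":
            continue  # already deprovisioned: the control worked
        email = user["email"]
        if email not in roster:
            findings.append(Finding("offboarding", email,
                                    "active account not on HR roster; confirm ownership"))
            continue
        left_on = roster[email]
        if left_on is not None and as_of - left_on >= timedelta(days=grace_days):
            days = (as_of - left_on).days
            findings.append(Finding("offboarding", email,
                                    f"still active {days} days after termination on {left_on}"))
    return findings


def check_mfa(users):
    """Every ACTIVE account must have MFA enrolled."""
    return [Finding("mfa", u["email"], "active account without MFA enrollment")
            for u in users if u["status"] == "ACTIVE" and not u["mfa_enrolled"]]


def run_checks(roster, users, as_of):
    """Run both control tests and return all findings."""
    return check_offboarding(roster, users, as_of) + check_mfa(users)


def evidence_summary(findings):
    """Failure count per control; a zero count is the passing evidence."""
    summary = {"offboarding": 0, "mfa": 0}
    for finding in findings:
        summary[finding.control] += 1
    return summary


if __name__ == "__main__":
    results = run_checks(HR_ROSTER, IDP_USERS, AS_OF)
    for finding in results:
        print(f"[{finding.control}] {finding.account}: {finding.detail}")
    print(evidence_summary(results))
```

Run on the constructed data, the test reports bob’s still-active account and the roster-less service account under offboarding, and dave’s account under MFA; carol’s deprovisioned account and alice’s compliant one produce nothing. Scheduling a check like this daily and keeping its output is the “automated evidence” an auditor can use to confirm the control operated throughout the audit period, not just on the day of the audit.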
The Flexibility of SOC 2 Controls
You’ll notice that all the requirements listed above have flexibility built in. There’s no SOC 2 prescription for “use this particular password manager” or “your training policy must be x.”
In this way, the requirements give businesses the flexibility to implement security in the way that works best for their particular company. And they also provide guardrails about what needs to be addressed to keep your business secure (and get you a strong recommendation from your auditor).
As the AICPA explains in their guidelines, “Many of the trust services criteria include the phrase to meet the entity’s objectives. Because the trust services criteria may be used to evaluate controls relevant to a variety of different subject matters…in a variety of different types of engagements…interpretation of that phrase depends upon the specific circumstances of the engagement.”
Availability, Confidentiality, Privacy, and Processing Integrity Controls
Like security, the other trust services criteria are flexible and ultimately rely on your company’s judgement as well as that of your auditor.
According to expert auditor Troy Fine, common controls for availability include load balancers, documented system recovery plans, and server room cooling systems.
For confidentiality, non-disclosure agreements and test data in test environments are key.
For processing integrity, role-based security access is an important component.
And for privacy, well-communicated privacy practices, explicit user consent, and the ability for users to delete their info are common and important controls.
A Simpler Way to Become and Stay Compliant
If this is all feeling a bit overwhelming, we don’t blame you. The reason we started Drata is that we’ve been through the compliance process, and we know what a huge lift it is. We also know that when compliance is done right, it should lead to a much stronger security posture, especially when continuous monitoring is put in place.
The good news is that every choice we make in Drata is designed to make the lift a bit less heavy. Drata’s automated 24-7 monitoring helps you make sure one mistake doesn’t set you back six months, and automated evidence collection means you can prove compliance on a dime.
In other words, we’re here to help you get the controls you need in place—and keep them there so that you stay compliant over time (and don’t ever have to start the process from scratch).
Curious how we accomplish all that? Schedule a demo.