SOC 2 Consulting and Management Services

When your largest client demands that you undergo a SOC 2 audit, the top levels of the organization are usually quick to say “yes”. Some organizations then find that understanding the requirements is incredibly difficult. To implement SOC 2 successfully, your organization has hundreds of decisions to make, controls to design, and procedures to implement. This can add load to your already overworked staff, or you may need to hire dedicated cybersecurity experts. We’ve shouldered the load successfully, and we absolutely want you to succeed as well. Here’s some information to get you started on your SOC 2 journey. If you want some help, be sure to reach out to our team. We are here to help!

Finally, there is a free resource at the bottom of this page entitled “The Ultimate Founders Guide to Achieving SOC 2 Using Vanta”. It will give you a step-by-step guide to bootstrapping a successful SOC 2 program yourself.

How does a company become attested as SOC 2 (SOC II) certified?

Many people refer to achieving the SOC 2 (aka SOC II) attestation as becoming “certified”. While this isn’t technically accurate, it really boils down to semantics. The intent of going through the SOC 2 audit process is to have an independent third party attest that the organization maintains policies and practices that sufficiently protect sensitive data. The auditor must be accredited by the AICPA (American Institute of CPAs). During the audit, the auditor will review evidence that the organization maintains controls that demonstrate a commitment to protecting customer information or systems. Once the auditor completes the audit, a SOC 2 report will be issued along with an opinion on the state of compliance.

What is the fastest way to become SOC 2 compliant?

We have found that organizations considering SOC 2 compliance start with a compliance automation platform. This will provide a solid foundation for customizing controls and building evidence. If nobody on your team has experience with SOC 2, we also recommend using a qualified consultancy such as Genius GRC to fast-track your way to a completed audit. Our consultants have successfully guided many companies with highly complex environments through the SOC 2 process.

What is the difference between SOC 2 Type 1 (Type I) and SOC 2 Type 2 (Type II)?

A Type 1 audit is known as a “point-in-time” audit. The auditor will review evidence that the organization has the appropriate policies and procedures built and functioning to protect data. A Type 2 audit actually reviews evidence that the organization maintained and performed those controls over time. While the Type 1 audit can be completed much faster than the Type 2 audit, a Type 2 audit provides greater assurance to customers that your organization is actually protecting their sensitive data.

Why choose Genius GRC for SOC 2 consulting?

Simply put, we have the experience to successfully guide your organization through a SOC 2 audit and ensure you are able to maintain the control environment. We do that by becoming your compliance team and your CISO. Our team of vCISO consultants will work with your team to leverage your existing investments in cybersecurity while building the SOC 2 control structure. This saves time and resources but more importantly makes meeting SOC 2 requirements a seamless part of your activities. Once the control environment is built, we serve as your compliance team by continually monitoring for failing controls. When new evidence is required, we work with your team to gather it. During audit time, we work with the auditor on your behalf so that you can focus on the most important thing – servicing your customers.

Will Genius GRC assign a dedicated Advisory CISO or vCISO to lead the compliance team?

Yes, our fractional CISO and vCISO services are always provided as part of the SOC 2 compliance management offering. This ensures you have all the resources needed to be successful. We consider your program successful only after an independent 3rd party auditor reviews the control evidence and signs off on it. It’s the only KPI that matters.

Does Genius GRC offer SOC 2 readiness assessments?

When you engage with us to manage the SOC 2 program within your organization, we perform a readiness assessment (also known as a gap assessment or a gap analysis) before each audit. This involves reviewing each control and related evidence to provide the highest level of assurance that the auditor will be able to issue an unqualified opinion. An “unqualified opinion” is also known as a passed audit. This is what you want.

What if I get an exception on the SOC 2 audit?

Exceptions are somewhat common after SOC 2 audits. The reason is that no organization is perfect, and sometimes things get missed. Getting an exception on the report will not automatically mean that the audit has failed. It simply means that there is a process that can be improved. Our team will help you limit the number of exceptions by being proactive ahead of the audit, but then we will help you close any gaps that an auditor may discover.

Frequently Asked Questions

Small organizations of less than 20 people can get a cheap audit for around $5,000 and a very good audit for around $7,500. We’ve seen larger organizations (600+ personnel) quoted around $20k. Most of the expense of getting compliant comes in the form of building the control environment and having the staff to manage, monitor, and operate the controls. A highly qualified information security professional typically costs an organization $150k – $200k annually. Genius GRC’s pricing is typically about 70% cheaper than hiring a full-time cybersecurity expert. See our pricing page for transparent pricing. You don’t even need to engage with us to find out what you should budget. Note that pricing is re-evaluated quarterly.

Some organizations find themselves limited in which customers will engage with them. Because they can’t prove that they have robust security controls, they lose out on larger customers, revenue, and bigger deals.

Genius GRC staff have successfully implemented all 5 TSC (Trust Service Criteria).

  • Security – This is a required TSC for every engagement. It provides broad assurance that risk is being managed throughout the organization and control environment. All organizations should consider this the baseline starting point for proving strong security controls.
  • Confidentiality – This TSC should be considered by all organizations processing or storing sensitive data. The audit will cover controls specific to ensuring data is protected from unauthorized access through weak access controls, snooping, or unauthorized sharing.
  • Availability – This TSC should be considered when the organization provides time-sensitive resources to customers. Those resources could be in the form of technology resources (examples could include SaaS, IaaS, reporting, etc.) or human-performed services such as a call center.
  • Processing Integrity – This TSC should be considered when an organization receives and processes customer data that is then used by their customers to make decisions. Additionally, if the data is being used in financial processes, customers often want to know that they can trust the integrity of the system processing that data.
  • Privacy – An organization that is subject to privacy laws such as CCPA, GDPR, and others should absolutely consider implementing controls surrounding the Privacy TSC. If you are collecting any type of data from a consumer, having robust privacy controls builds greater trust.
The short answer is “No”, but having an independent ethical hacker actually attempt to hack your system will typically uncover gaps in protection that you should be aware of. Additionally, including evidence of a “pen test” in the SOC 2 report provides greater assurance that your system is resilient to attack. Genius GRC partners with high-quality penetration testers that offer their service at reasonable rates.

Yes, this should be considered a must. Genius GRC includes this service as part of every SOC 2 engagement. We will scan your public IP resources and provide you with a weekly report. The auditor will want to know that you are considering vulnerabilities in the system and taking action on high-risk vulnerabilities.

The SOC 2 framework is a risk mitigation framework. At its core, the purpose is to reduce the risk that your customers’ data will fall into the wrong hands. Each control implemented is meant to address some area of risk. The risks being addressed are quantified through a comprehensive risk assessment and tracked in a risk register. Genius GRC performs the risk assessment along with your team to ensure that appropriate controls are in place and risk is being addressed appropriately.

Yes, but Genius GRC will always lead a DR tabletop with your team. The outcome of this will be that your team leaves with a better understanding of how to recover your environment in the event of a failure. It is also an evidence item the auditor will review during the audit.

Yes, but Genius GRC will always lead an incident response tabletop. The scenarios discussed are relevant to your company or industry. We will walk you through the scenario and talk about how to respond in the minutes, hours, days, and weeks after the fictitious incident. Your team will leave with a better understanding of risk, and the auditor will have a high-quality evidence document to review.

Yes, but we will do it for you. The vendors critical to your operation are known as “sub-service organizations”. We will build the vendor registry, perform the vendor risk assessments (third-party risk assessments), and provide the necessary vendor-related evidence during the audit.

Free Download

The Ultimate Founders Guide To Achieving SOC 2 Using Vanta