SOC 2
Everything You Need
to Get a SOC 2 Report
With:
Christian Hyatt
Section 1
Course Introduction
Christian Hyatt
• Hi, my name is Christian Hyatt.
• I am the CEO & Co-Founder of
risk3sixty
• And for the last 15 years we have
helped hundreds of organizations
obtain SOC 2.
Certifications: We assess your program. Multi-framework: SOC 2, ISO 27001, PCI DSS, HITRUST, FedRAMP, Privacy.
Implementations: We implement your program. Multi-framework: SOC 2, ISO 27001, PCI DSS, HITRUST, FedRAMP, Privacy.
Managed Programs: We run your program. Compliance-as-a-Service: SOC 2, ISO 27001, PCI DSS, HITRUST, FedRAMP, vCISO.
OffSec: We test your security. Penetration Testing: Network, Application, Cloud, Continuous, Custom, Ransomware.
We are ISO 27001, 27701, and 22301 Certified
Best Firms to Work For Peer Reviewed Authorized Assessor
We Are Covering 5 Key Things
1. Background and Context on SOC 2
2. The 4-Step Process to Get a Report
3. Timeline, effort, and cost
4. What to expect during a SOC 2 audit
5. Free Resources and Templates
Section 2
SOC 2 Background and Context
Lecture 2
Market Drivers:
Why Does SOC 2 Exist?
What's Happening
• Your customers are asking about security a lot
• Endless security questionnaires and due diligence
• SOC 2 written into contracts
• Impacts to sales cycle and revenue
To understand SOC 2 you need to
understand what’s happening in the
market.
4 Million Miles (85% built between 1908 and 1960)
The Digital Universe
More data was created in the last 2 years than all human history.
Shared Risk
The State of Cybersecurity
If cybercrime were a country, it would be the third largest
state in the world behind the United States and China.
$300B in spend against a $10T problem by 2025
Bottom Line
• Everyone is relying on third parties to do business
• Cybersecurity is a huge risk
• 66% of cybersecurity incidents come from third
parties
• Companies need a mechanism to trust each other
• Companies need to reduce their risk
• SOC 2 provides an efficient way to get a minimum
level of trust that your business partners are
doing the right thing
• This is why you are doing SOC 2
Lecture 3
Who Runs SOC 2:
The Governance of SOC 2 by the AICPA
The Players
• American Institute of Certified Public
Accountants (AICPA): Governs the SOC 2
Standard
• CPA Firms: Perform the audits and issue SOC 2
reports
• Peer Review: CPA firms are required to be peer
reviewed by other CPA firms
The flow: the AICPA governs the standard; a CPA firm performs the audit; your company is audited; your customers request the report.
Why It Matters
• Make sure you stay up to date on the standard
• You will need to hire a peer-reviewed CPA firm to perform the audit
• Make sure you hire a CPA firm that specializes in SOC 2 reports and has the right technical skills to support your project
Lecture 4
SOC 2 Scoping:
What Does SOC 2 Cover?
SOC 2 Scope
• 5 Trust Services Criteria
• System in Scope
Trust Services Criteria
• Security (Common Criteria): included in every SOC 2 report
• Availability
• Confidentiality
• Processing Integrity
• Privacy
The four criteria other than Security are optional; you add them based on what the readers of your report need to see.
System In Scope
• You have some flexibility here
• Needs to be applicable to the reader of the report
Typically Includes:
• Application, Product, or Service
• People
• Locations
• Technology Stack
• Supporting Corporate Systems (Network, Email, HR, Legal)
Bottom Line
• The scope of the report needs to address the
needs of the reader of the report
• The reader of the report is your clients, your
prospects, your internal stakeholders
Section 3
4-Step Process
How to Get a SOC 2 Report
Lecture 5
The 4-Step Process
4-Step Process
1. Gap Assessment → 2. Correct Issues → 3. SOC 2 Type I → 4. SOC 2 Type II
SOC 2 Type I vs. SOC 2 Type II
SOC 2 Type I: Point in Time
• Reports on the design of your controls as of a single date
• Usually just your first year
• Lets you get a report in hand faster
• Good first run of a real audit
• Not required (but recommended in year 1)
SOC 2 Type II: Covers an Audit Period
• Reports on design and operating effectiveness over an audit period (commonly 6 to 12 months)
• This is what you will get every year
Typical Timeline (First Year Example)
Jan through Dec: gap assessment, then correcting issues, then the SOC 2 Type I audit early in the year; the SOC 2 Type II audit period runs from there to year end, followed by audit planning, fieldwork, and the Type II report.
Typical Timeline (Year 2 and Beyond)
Jan through Dec: the SOC 2 Type II audit period covers the year while you maintain your program; audit planning, fieldwork, and the Type II report follow at the end of the period.
Download the controls spot-check template!
Lecture 6
People, Efforts, and Cost
People and Effort Estimates (Audit Only)
Main Project Manager (est. 80 hours): coordinate with the auditor; coordinate all walkthroughs and sit in on them; coordinate evidence gathering.
Leadership (est. 4-8 hours): 1-2 walkthroughs; may want to review draft reports.
Information Technology (est. 10-20 hours): 1-2 walkthroughs; provide evidence as requested by the auditor. Topics: Network Security, IT Operations.
Engineering, DevOps (est. 10-20 hours): 1-2 walkthroughs; provide evidence as requested by the auditor. Topics: Change Control, SDLC, Application Security, Access Control, System Monitoring.
Security (est. 10-20 hours): 1-2 walkthroughs; provide evidence as requested by the auditor. Topics: Security Operations, Security Policy.
Legal/HR (est. 4-8 hours): 1-2 walkthroughs; provide evidence requested by the auditor. Topics: Employee Agreements, Customer Agreements.
Facilities (if applicable, est. 1-2 hours): physical walkthrough of the facility.
What Drives Cost
Scope and complexity drive cost:
• Number of Trust Services Criteria
• Number of products in scope
• Number of business units
• Number of reports you are getting
• Complexity of Tech Stack
• Number of teams and people
• Mapping to other frameworks
Section 4
The Audit
What to Expect During a SOC 2 Audit
Lecture 7
Choosing an Audit Firm
Types of Firms that Can Help
Consultant vs. Auditor
Audits: CPA firms. Implementations: consulting firms. Managed programs: consulting firms.
Choosing the Right Audit Firm
• Are they a peer-reviewed CPA firm?
• Are they independent and permitted to perform the audit? Under AICPA independence rules, the firm that issues your report cannot also design or operate the controls it opines on, so the firm that implemented or runs your program is not the firm that audits it.
• Do they do other audits or provide other services that you might need?
Do They Have the Right Technical Skills?
• Cybersecurity
• Information Technology
• Cloud
• Industry Experience
Do They Provide Outstanding Service?
• Do they have happy clients?
• Are they good teachers and good communicators?
• Does their staff have availability?
• Do they have tools and resources (e.g., training, templates, a GRC platform)?
Evidence Request Lists
Ask your auditor how they will exchange evidence with your company: Excel or a platform.
Lecture 8
How the Auditor Will Conduct the Audit
Walkthroughs
Main Project Manager: coordinate all walkthroughs, sit in on walkthroughs.
Leadership: leadership and governance.
Information Technology: Network Security, IT Operations, Change Control.
Engineering, DevOps: Product Overviews, Change Control, SDLC, Application Security, Access Control, System Monitoring.
Security: Security Operations, Security Policy, Incident Response, Penetration Testing, Vulnerability Management.
Legal/HR: Employee Agreements, Customer Agreements, Employee Onboarding/Offboarding.
Facilities (if applicable): physical walkthrough of the facility.
Observations
• Facility Security
• I.T. Equipment
• Data Center
• Key Processes (if applicable)
Inspect Evidence
• Policies
• Configuration Settings
• System Access Lists
• Change Tickets
• We will cover examples in the next lesson
An Example
Control: The company maintains security policies and procedures. Policies and procedures are made available to employees in the Company's policy document repository.
Auditor's Test Procedure: Inspected the Company's security policies and procedures to determine if the policies are documented and up to date. Inspected the Company's policy document repository to determine if policies and procedures were made available to employees in the Company's policy document repository.
Evidence: Information security policy. Screenshot of the Company's policy document repository showing everyone has access to the information security policy.
Ask for the Project Plan
Workflow Between You and the Auditor
Lecture 9
Common Evidence
Governance and Risk Management
Examples:
• Org Chart
• Policy and Procedure
• Leadership meetings to govern security
(Information Risk Council)
• Risk Assessment and Risk Register
• Penetration Tests and Vulnerability Scans
• Incident Response and Business Continuity
• Vendor Risk Assessments
Human Resources
Examples:
• Employee Roster
• Onboarding documentation
• Offboarding documentation
• Background screening
• Performance reviews
• Employee Handbook
• Security Awareness Training
Technical Controls
Examples:
• IT Asset Inventory
• Network and Data Flow Diagrams
• Access Lists (Network, Key Systems, etc.)
• Configurations (Hardening, Passwords, etc.)
• Endpoints (Antivirus, endpoint protection)
• SDLC Practices (Change Tickets, Stories, QA)
• Monitoring and Alerts
• Backups
Live Demo of an Information Request List
Lecture 10
Getting Ready for the Audit
Prepare Your Team
• Why This Matters
• Set Expectations
• Build Confidence
Spot Check Controls
Here are common gaps to check for before the auditor does:
• Policies have been reviewed and updated annually
• User access has been reviewed for terminated employees and overly broad access
• Vendor risk assessments exist for all vendors
• Vulnerability scans are performed and the issues found are corrected
• SDLC process discipline (every change has a ticket, review, and QA)
• All recurring controls (weekly, monthly, quarterly, annual) have evidence that they ran on schedule
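As an added example (not part of the course materials or any risk3sixty template), here is how a practitioner might script the user-access spot-check above: it reconciles an HR roster against a system access list and flags the gaps an auditor would find, namely terminated employees still enabled past the offboarding SLA, accounts with no roster owner, admin roles without an approval record, and enabled accounts that have gone dormant. The roster, access list, system names, e-mail addresses, the one-day offboarding SLA and the 90-day dormancy threshold are all constructed assumptions; substitute your HRIS and IdP/cloud exports and your own policy values.

```python
"""Pre-audit user access review: reconcile the HR roster with a system
access list and flag the gaps a SOC 2 auditor is likely to find.

All sample data and thresholds below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Employee:
    email: str
    department: str
    terminated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    email: str
    system: str
    role: str  # e.g. "admin", "write", "read-only"
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    control: str  # short tag for the failed check
    account: str  # "<email> on <system>"
    detail: str


# Assumed thresholds; the auditor tests against whatever your policy states.
OFFBOARDING_SLA = timedelta(days=1)  # access removed within 1 day of termination
DORMANT_AFTER = timedelta(days=90)   # enabled accounts unused this long need review
AS_OF = date(2024, 6, 30)            # review date for the sample run

# Constructed sample roster and access list (not from any real environment).
ROSTER: List[Employee] = [
    Employee("alice@example.com", "Engineering", None),
    Employee("bob@example.com", "Engineering", date(2024, 6, 14)),
    Employee("carol@example.com", "Sales", date(2024, 6, 29)),
    Employee("dana@example.com", "IT", None),
    Employee("erin@example.com", "Finance", None),
]
ACCESS: List[Account] = [
    Account("alice@example.com", "github", "write", True, date(2024, 6, 28)),
    Account("alice@example.com", "prod-db", "admin", True, date(2024, 6, 25)),
    Account("bob@example.com", "github", "write", True, date(2024, 6, 10)),
    Account("bob@example.com", "prod-db", "read-only", False, date(2024, 6, 1)),
    Account("carol@example.com", "github", "read-only", True, date(2024, 6, 27)),
    Account("dana@example.com", "prod-db", "admin", True, date(2024, 6, 29)),
    Account("erin@example.com", "prod-db", "read-only", True, date(2024, 2, 1)),
    Account("svc-deploy@example.com", "github", "admin", True, date(2024, 6, 30)),
]
# Approved admins per system; in practice this comes from your access-approval records.
APPROVED_ADMINS: Dict[str, Set[str]] = {"prod-db": {"dana@example.com"}, "github": set()}


def review_access(roster: List[Employee], access: List[Account],
                  approved_admins: Dict[str, Set[str]], as_of: date) -> List[Finding]:
    """Return every account that fails one of the spot checks, sorted for stable output."""
    by_email = {e.email: e for e in roster}
    findings: List[Finding] = []
    for acct in access:
        who = f"{acct.email} on {acct.system}"
        emp = by_email.get(acct.email)
        if emp is None:
            # Service or unknown accounts need a documented owner; otherwise they are orphans.
            findings.append(Finding("orphan-account", who, "no matching HR roster entry"))
            continue
        if emp.terminated_on is not None:
            if acct.enabled and as_of - emp.terminated_on > OFFBOARDING_SLA:
                findings.append(Finding("terminated-still-active", who,
                                        f"terminated {emp.terminated_on}, still enabled"))
            continue  # disabled, or still inside the SLA window: offboarding is working
        if acct.role == "admin" and acct.email not in approved_admins.get(acct.system, set()):
            findings.append(Finding("unapproved-admin", who, "admin role without an approval record"))
        if acct.enabled and (acct.last_login is None or as_of - acct.last_login > DORMANT_AFTER):
            findings.append(Finding("dormant-account", who, f"last login {acct.last_login}"))
    return sorted(findings, key=lambda f: (f.control, f.account))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per failed check; handy for a status report to the auditor."""
    return dict(Counter(f.control for f in findings))


if __name__ == "__main__":
    for f in review_access(ROSTER, ACCESS, APPROVED_ADMINS, AS_OF):
        print(f"{f.control:24} {f.account:32} {f.detail}")
```

On the sample data the script flags four accounts: bob's GitHub account is still enabled sixteen days after termination, alice holds prod-db admin with no approval record, erin's prod-db account has not been used in 150 days, and the svc-deploy service account has no roster owner. Carol, terminated yesterday, is inside the SLA and is not flagged. Keep the output (or the ticket it spawns) as evidence: the auditor wants to see both that the review ran and that each finding was remediated.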
Partnering with your Auditor
• Set Expectations
• Communication
• Status Reporting
• Clear Milestones and
Deliverables
Section 5
FAQs and Free Resources
Helpful Resources to Get Started
Common Questions
1. What if I am in the cloud?
2. What if my whole company is remote?
3. What if I rely on third parties (like engineers in different countries)?
4. Should I do SOC 2 or ISO 27001?
5. What if I have other compliance requirements like ISO 27001, PCI DSS, HITRUST, or HIPAA?
6. What if I need to comply with privacy regulations like CPRA or GDPR?
7. What if my scope changes during the year?
8. Does the auditor have to come on site?
9. Do you have policy templates?
Free Resources
1. SOC 2 Recurring Events
2. SOC 2 Spot-Check List
3. SOC 2 Business Case
4. Risk3sixty YouTube Channel
5. Risk3sixty Templates