Security certifications are a must for vendors and technology firms. Many organizations choose SOC 2 as a way of demonstrating effective risk management practices and meeting regulatory requirements. Holding a SOC 2 shows that your organization takes security seriously and now, more than ever, deals often depend on it. So it is critical for your organization to recertify every year and by using the right risk management tool this could be easier than you think.
With SOC 2 reports, you’re focusing on non-financial reporting controls that are based on five Trust Service Principles: Common Criteria, Availability, Processing Integrity, Confidentiality and Privacy. You can choose to report on any of the Trust Service Principles, but you must include the Common Criteria as this is the minimum requirement of a SOC 2 certification. The pathway to SOC 2 reports, whether Type I or Type II, takes significant preparation. Type I is a “point in time” report on your system and processes, whereas Type II looks at a minimum of 6 months of evidence, this is commonly known as the lookback period, and is much more comprehensive. Type II provides more assurance as the auditor tests the operating effectiveness of the controls. Both require that you demonstrate a mature security program.
What happens after I become SOC 2 certified?
Being SOC 2 certified is just the start of a long term commitment to security and compliance. Organizations are required to renew SOC 2 Type II certification every 12 months. If you completed your first SOC audit without MyVCM you probably used hundreds of spreadsheets and documents to keep track of all your policies and evidence. But there’s an easier way to keep track of evidence and to help your organization in the future. Whether you are starting SOC 2 preparation for the first time or renewing your certification, using a tool, like MyVCM, can save your organization time and money. As an added benefit with the MyVCM platform, you can crosswalk the evidence you have collected for your SOC 2 and apply it to the criteria of over 100 globally recognized standards and regulations giving you a headstart when expanding your security certifications. For example, many items of evidence gathered for a SOC 2 can also be used in GDPR, CCPA and HIPAA compliance.
Collection of Evidence
When it comes to SOC 2, if you didn’t document it, it didn’t happen. Examples of evidence include organizational charts, asset inventories, evidence of on-boarding and off-boarding processes and change management. When reviewing the evidence, the auditor may choose to conduct on-site interviews or handle interviews remotely. The report can take between 6 to 8 weeks for small companies, or several months for larger companies – depending on the scope of the report. By using MyVCM both auditor and customer can share all required documentation on the platform making it easier to update and discuss.
How can MyVCM make renewing my SOC 2 easier?
If you conducted your initial SOC 2 audit using MyVCM, the good news is that you can simply "clone" your previous assessment and so the majority of your evidence is automatically mapped. You can then focus your efforts on any changes to the scope of our structural changes with your processes and procedures since the last audit. All previous documents, audits, test plans and policies will already be linked.
If you didn’t use MyVCM the first time around, the MyVCM Assessment module makes it really straightforward to map prior evidence by relevant control and security domain.
In addition, MyVCM gives you all the tools you need to prepare for SOC 2 activities including:
- Single platform management for information security, privacy, and compliance activities
- Supports your ability to assess and identify vulnerabilities and compliance gaps
- Comes with policy and procedure templates, asset inventory tracking and management tools
- Provides document management and learning tools that support your security and privacy framework build-out and ongoing administration
- Built-in dashboard and reporting tools that let you quickly and efficiently share how responsibly your compliance program operates with clients, partners - and auditors!
Finally, you can select and contract with an approved Ostendio Audit partner via MyVCM Auditor Connect, meaning you don’t even have to export any data. The Ostendio Audit Partner will review your evidence from directly within your MyVCM instance.
Successful SOC 2 audit results are rooted in readiness. With the support of the MyVCM platform and Ostendio’s partner CPA firms and compliance experts, your SOC 2 audit and certification preparation becomes easier than you might think. If you need additional help preparing for your SOC 2 audit, the Ostendio Professional Services team is able to provide you with consultants who are experts in this field. Let us know how Ostendio can help make it easier for your organization with either preparing for a SOC 2 audit or renewing your existing SOC 2. We’re happy to talk!
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at email@example.com.
What do customers say?
Read real reviews from Ostendio MyVCM customers on the Capterra web site.