A SOC 2 readiness assessment, like other kinds of readiness assessments, highlights an organization’s ability to succeed in an assessment against a framework baseline. Readiness assessments are particularly helpful in driving cost savings for assessments, but take time and effort to conduct.
In this article, I’ll outline what a SOC 2 readiness assessment is and where it fits in the SOC 2 assessment process. I’ll also highlight some of the pros and cons of engaging in such an assessment.
- What is a SOC 2 Readiness Assessment?
- Is a Readiness Assessment Necessary For Compliance?
- What's The Benefit?
- What Happens in a Readiness Assessment?
- How Long Does a SOC 2 Readiness Assessment Take?
- Internal vs External Readiness Assessments
- How Much Does a SOC 2 Readiness Assessment Cost?
- How to Choose a SOC 2 Readiness Assessor
- Is a SOC 2 Readiness Assessment Worth it?
What is a SOC 2 Readiness Assessment?
A SOC 2 readiness assessment is (typically) a self-assessment that gauges whether implemented controls and risk mitigation activities are good enough to successfully support a full and formal SOC 2 audit. This is a great tool for service organizations that don’t want to undertake the potentially substantial cost of a SOC 2 audit without understanding how they satisfy the trust services criteria: security, availability, processing integrity, confidentiality, and privacy of information.
Readiness assessments are critical for framework certifications that are scaled on a pass/fail basis. An organization that will be assessed is charged for the assessment whether or not they pass. If their control environment and risk mitigation measures aren’t up to snuff, then the fees for that assessment represent an expensive way to figure out a compliance process and path.
With respect to a SOC 2 official audit, readiness assessments are no less critical. While a SOC 2 audit doesn’t have failure criteria, per se, the opinion letter and gap analysis can highlight significant deficiencies. In that case, the SOC 2 audit has limited utility outside the organization for highlighting the quality of the organization’s controls. Internally, it has the same effect as a failed framework certification: it’s an expensive method for creating a compliance roadmap.
Realistically, a readiness assessment can be whatever you want it to be. It can be as detailed or as summary as you want. The less detailed, the looser the review around the trust services criteria, and the fewer service organization controls tested against the specific framework, the less useful the assessment is to prepare for a SOC 2 audit. Conversely, the tighter the review to the trust services principles and the more comprehensive the assessment of security criteria and internal controls, the more useful the assessment is to prepare for a SOC 2 audit.
Those considerations also impact the cost of the assessment, whether that is the financial cost of an external CPA firm or other assessing organization or the lost opportunity cost of an organization’s internal resources. More detailed assessments will cost more.
However, an organization with a strong security and compliance program, established risk assessment process, internal ongoing evaluation or ongoing monitoring program, and business processes informed by a robust security culture likely has the overall compliance process in place to support an internal audit assessment review. It really depends on what their compliance program maps to now and how that risk management workflow can change over time to support readiness assessments.
Pivoting a compliance program to address focused readiness assessments is no small task. The reward for doing so is substantial: assessing potential risks and security system operations improvements against security criteria and a baseline control environment to promote consistency and repeatability with quality security processes. That’s especially critical where system operations manages internal controls like:
- access management and access review,
- data processing integrity,
- data protection,
- security tools,
- a controlled change management process,
- logical and physical access controls,
- asset management or other inventory management,
- the incident response plan,
- security awareness training,
- vendor risk assessment, and
- other aspects of a comprehensive risk program.
Key to succeeding in a SOC 2 audit is being able to sustain repeatable processes in those areas. Key to having a SOC 2 audit with results that are externally useful is to have solid information surrounding quality control of those processes driven by a risk assessment of those processes. Readiness assessments help drive that control environment through documentation that highlights what the current control environment covers and what gaps exist with that coverage.
Is a Readiness Assessment Necessary For Compliance?
Readiness assessments aren’t necessary for compliance. Service Organizations can hire an AICPA-registered CPA firm at any time and undergo an actual audit based on the SOC 2 standards. Organizations should do that if they are very confident in their ability to meet the trust services criteria for their chosen framework.
What the self-assessment or external assessment provides is a benchmark risk assessment to identify potential shortcomings in the ability to meet trust services criteria for the selected framework. That could be because the organization knows it didn’t implement controls but not which controls, because it doesn’t know how to determine systems in scope, or because it’s an otherwise new service organization and is uncertain about the outcome of the SOC 2 audit.
What’s The Benefit?
There are a couple of tangible benefits to conducting a readiness assessment. The first is cost. Organizations that conduct an informal assessment aren’t required to use an AICPA-registered CPA firm, which is required for the formal SOC 2 audit. Organizations can choose to use any security consulting company or even leverage the organization’s internal resources.
Whoever the organization chooses can use the initial assessment to gather supporting documentation so it is organized and can be provided in a timely manner to the SOC 2 auditor. The initial assessment can also be used to assist management in designing remediation plans based on the risks identified in the assessment.
The second is scoping. A service organization can evaluate new and existing systems to determine what should be included in the SOC 2 audit. Some systems may be out of scope, and while risk management should be a priority for all systems, scoping allows an organization to triage and prioritize.
The third is timing. A service organization can take its time with an informal assessment and remediation, especially if conducted with internal resources. A formal SOC 2 audit puts the organization on a clock: they have one year to improve risk management and data protection by the next audit or have significant recurring findings. Those recurring findings, in turn, can impact the utility and tenacity of external representations based on the SOC 2 audit.
What Happens in a Readiness Assessment?
A readiness assessment is like any other risk management activity. It’s important not to overthink it and not overdo it. Many organizations may think “SOC 2 preparedness” and work themselves into a flurry evaluating business processes across the board to support the audit.
I’ll break the assessment into a few key steps:
- Scope the assessment. Think about your service organization services and service organization relevant systems and business processes. Write a list to identify the scope. This is especially critical for your initial assessment and less critical once you have an established risk assessment program.
- Time box the assessment. Come up with a reasonable but arbitrary timeline for the assessment. This is especially effective when you’re leveraging internal resources and not an external consultant or firm.
- Start the assessment. Have a clear kickoff to set expectations for organizational participation in the assessment. You want your IT and business lines to work in conjunction to provide information to support the trust services principles.
- Collect information. You’ll collect information and evidence to support consistency and completeness in implementing a risk framework, as measured against the trust services criteria. I listed some common internal control areas in a prior section, but your framework or organizational operations may differ. You’ll want to comprehensively assess your technical, administrative, and physical security controls as applicable to service organization operations.
- Don’t forget the small stuff. Here are some common areas organizations may miss when conducting a self-assessment that may not matter individually to a SOC 2 audit, but do matter in aggregate:
  - How do logical and physical access controls restrict lateral movement through technical and physical locations and support data protection?
  - Is there a robust change management workflow that’s documented and followed for all changes?
  - Are there monitoring systems for data processing integrity that alert relevant personnel if integrity is compromised?
  - Is security awareness training provided to all employees?
  - Does an employee confidentiality agreement exist to protect the confidentiality of client service provision?
  - Do employee performance reviews account for data confidentiality, integrity, and availability compromise caused by employee misfeasance or malfeasance?
  - Has the organization effectively worked at establishing communication channels with customers and clients? Is there a dedicated customer support channel?
  - Is there a periodic user access review process?
  - Does your organization alert on security events meeting predefined criteria?
  - Does the organization conduct regular penetration testing? Is that penetration testing for all assets, the organizational perimeter, or client-facing infrastructure? How regularly does that testing happen? See also: SOC 2 penetration testing.
  - Does your organization employ a tool to prevent unauthorized data modification or data exfiltration?
  - Does the employee handbook recount the seriousness of preserving confidentiality, integrity, and availability of customer and client information and operations?
  - Is multi-factor authentication integrated into access control safeguards? If not, is there another similar mitigating control?
- Document everything. Robustly documenting security and operational gaps provides the ability to remediate those gaps. Failing to document a gap means that you’ve wasted time assessing it and may not remember to address it. When your organization develops risk mitigation activities, they need to be actionable. The best way to do that is by creating processes where risk mitigation identifies and records ways to address that risk.
- Develop a remediation plan. Once you have the documentation, you need to act on the documentation. Identify how you can improve organizational operations and drive that improvement. Create manageable steps and projected timelines for achieving improvement. Where the risk assessment included penetration testing, make sure those reports are provided to appropriate personnel to drive application and infrastructure remediation.
You may want to include more, fewer, or different steps in your assessment. The great thing is that you can! Ultimately, you need to develop an assessment program that works for your organization. I’m providing a suggested framework and you need to make that a reality for your organization.
How Long Does a SOC 2 Readiness Assessment Take?
A SOC 2 readiness assessment can take as much or as little time as you want. That’s going to depend on whether you’re using internal or external resources, the size of your organization, the volume of supporting applications for your service organization functions, and how formal your security controls are.
If you have a small organization delivering focused services and document processes well, the assessment could be completed in a few days. If you have a large multinational organization delivering broad services to thousands of clients and have scattered procedural documentation, then the assessment may take months to complete. Cost also matters and using an external vendor who provides a tangible bill can motivate responsiveness.
Internal vs External Readiness Assessments
As highlighted above, you can’t go wrong with an internal or an external assessment. Both are great options and can result in the same work product.
An external assessment is best for organizations that don’t have the internal expertise or staff to dedicate to conducting an assessment. It’s also a good option for organizations that want independent verification and validation of controls for other reasons. The downside to this solution is cost: the cost is additive to other operations.
An internal assessment is best for organizations that have the internal expertise and staff to conduct the assessment. It’s also good for organizations that want to build that expertise and function internally. The direct cost can be lower, but you have staffing costs. That being said, by hiring staff internally to run these assessments, you’re effectively building administrative continuous monitoring or compliance programmatic functionality.
How Much Does a SOC 2 Readiness Assessment Cost?
An informal assessment conducted by a consulting company will cost in the thousands to hundreds of thousands of dollars, depending on the size of the organization. Expect the costs to be significantly cheaper than a formal SOC 2 audit, which typically costs between $50,000 and $250,000.
If you opt to hire internal staff, the national average wage for this kind of compliance staff is around $110,000 per year. The national average wage for a manager is around $127,000 per year. Remember, that covers managing both the assessment and the remediation implementation. Those roles drive comprehensive risk management, which an external vendor could do but for far greater compensation.
How to Choose a SOC 2 Readiness Assessor
There are many consultants that provide this service. Just about any security assessment firm can help with a readiness assessment and evaluate against the appropriate criteria; the materials and methodology are all publicly available.
The best way to pick a vendor to conduct an assessment is to gauge their experience in the space. Ask yourself:
- Do they sound like they know what they’re doing?
- Have they served other clients in your industry?
- Are they willing to provide industry-relevant references?
- Can you poll other industry peers to see if they have experience with the vendor?
- What’s the proposed service cost, timeline, and methodology?
None of those elements are bulletproof in isolation but collectively can demonstrate competence or incompetence with respect to a SOC 2 assessment.
Is a SOC 2 Readiness Assessment Worth it?
I think any organization that is thinking about a SOC 2 audit and hasn’t previously been audited successfully should pursue an initial readiness assessment, at the very least. It provides a more relaxed environment to evaluate controls and remediate gaps. That provides a more solid footing for the actual SOC 2 audit.
Organizations that have successfully undergone SOC 2 audits probably don’t need to pursue a readiness assessment but likely have a continuous monitoring or compliance program that effectively serves the same function. They may see a better return on investment by investing in those risk management and mitigation programs.