The road to SOC 2 Type 2 certification
A pragmatic approach to achieving SOC 2 Type 2 certification based on OKRs.
Gtmhub, like any other business that takes its Information Security practices seriously, engaged with external auditors to certify that customers can trust us with their data. In a previous blog post, we talked about our commitment to security and why achieving the SOC 2 certification is critical.
However, getting SOC 2 Type 2 certification can be a daunting endeavor. Any team will inevitably face the questions:
- Where do we start from?
- What do we need to do?
- What will it cost us?
In the following few paragraphs, I will outline our approach to achieving the selective and rigorous SOC 2 Type 2 certification with the help of OKRs.
What do OKRs have to do with SOC 2 certification?
You might wonder why OKRs are essential for getting certified.
The short answer – OKRs provide alignment and transparency.
Achieving a SOC 2 certification involves a great deal of effort on behalf of the whole company – it is not only the Security team that is a stakeholder in this mission. OKRs keep everyone informed about certification timelines, the progress of the team in charge and the next steps. Most importantly, the OKR methodology can aid you in getting other teams to contribute to the project.
Typically, it takes an organization between 18 – 24 months to achieve SOC 2 Type 2 certification, so get ready for the long haul.
Step 0 – Solid security requires solid foundations
Reaching your long-term objective will be impossible if you do not have a solid base on which to build. A solid foundation means different things depending on what your business is. Gtmhub is a SaaS (Software as a Service) vendor, so for us this meant:
- Our processes and practices being based on a Secure SDLC (Software Development Life Cycle).
- Knowing what is happening with our services at any point in time (logging, monitoring, alerting).
- Having developed and practiced response procedures for when something goes wrong.
- Having implemented and practiced risk and vulnerability management.
What will the OKR for implementing a risk and vulnerability management program be?
All principles of crafting good OKRs apply here: create an aspirational Objective backed by measurable Key Results. The Objective should focus on the desired outcome, and the Key Results represent the plan you need to have to meet your Objective.
Objective: No vulnerability goes unnoticed
Description: Implement a risk and vulnerability management program to track vulnerabilities in our solution and address them.
Key Result #1: 100% SLA (Service Level Agreement) compliance for risk and vulnerability management
What to measure: Time to resolve discovered vulnerabilities as defined by our risk management policy.
- Define risk and vulnerability management policy and procedure.
- Define vulnerability resolution SLA based on issue criticality.
Key Result #2: We build a risk-free solution
What to measure: The number of unresolved vulnerabilities in your solution – less is better.
- Implement vulnerability monitoring.
- Perform penetration test with a third party.
- Monitor security bulletins for your dependencies.
Key Result #3: We only work with trusted vendors
What to measure: The number of your vendors which are not compliant with your vendor risk management policy – less is better.
- Define supplier risk assessment policy.
- Perform risk assessment for your vendors.
- Mitigate vendor vulnerabilities.
Step 1: Mock SOC 2 assessment
Once you are confident in your foundation practices, it is time to take the plunge and run a mock SOC 2 assessment. Performing an internal SOC 2 audit will give you an overview of the gaps you need to fill to become certified.
As SOC 2 encompasses how you operate on a company level, you will be collaborating with every department or team within the company. Your Information Security team will be the owner of the objective, but they will have to pull in the rest of the teams’ effort.
Objective: Enterprise-security ready
Description: Carry out internal SOC 2 assessment to discover gaps and address them.
Key Result #1: Audit all security controls
What to measure: The number of SOC 2 controls you have audited. This will depend on the scope of your SOC 2 compliance program, as some controls will be applicable to your case and some will not.
- Define the scope of the SOC 2 compliance program.
- Audit security controls.
Key Result #2: We know what needs to be fixed
What to measure: You need to have a mitigation plan for any gaps discovered in the internal audit. Count the number of gaps you have a mitigation plan for. This can be a percentage, and you should aim for 100% coverage.
Key Result #3: Smooth as German autobahn
What to measure: The execution of your gap mitigation plan. Influenced by Key Result #2, you will count the number of unmitigated problems – less is better.
Step 2: SOC 2 Type 1 certification
At this point, you should be ready to get the first part of external validation for your security practices. It is time to engage with external auditors and achieve your Type 1 certificate. SOC 2 Type 1 certification examines your security program and attests that you are compliant with the five trust principles of SOC 2:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Objective: SOC 2 Type 1 certified solution
Description: Carry out the assessment with a respected security auditor and publish your SOC 2 Type 1 certified badge on your website once achieved.
Key Result #1: SOC 2 Type 1 ready
What to measure: Auditors will typically perform a readiness assessment before engaging in the certification process with you. This usually involves a questionnaire where you provide preliminary information about your security program. You can count the number of questions you have provided answers to – more is better.
- Shortlist 3 security auditors.
- Choose your audit partner.
- Carry out readiness assessment.
Key Result #2: Smooth sailing through the ocean of security controls
What to measure: At this point, you are facing a hefty list of security controls to provide information for. You should count the number of security controls which are not yet satisfied – less is better.
- Prepare documentation for each security control.
- Communicate with auditors how you satisfy each control.
Key Result #3: The final stretch
What to measure: Once your audit is complete, your audit partners will prepare your attestation and certificate. They will also outline recommendations on what you must improve in your security program. Prepare a mitigation plan while awaiting their advice. Count the coverage of your mitigation tasks relative to their suggestions. Go for 100% coverage.
Step 3: Almost there
Gaining your Type 1 certificate is a monumental achievement by itself. It is time to celebrate this massive success with your team and let the world know how fantastic your solution is.
As the SOC 2 Type 2 certificate attests to the effectiveness of your security program, you will have between 6 and 12 months from the Type 1 to Type 2 audits. The goal here is to accumulate evidence that the security controls you have already defined are working, and you are iterating to make them better. Practice what you preach by writing Objectives related to your control monitoring.
Objective: We are a digital fortress
Description: Ensure proper operation of security controls and evidence accumulation for SOC 2 Type 2 certification.
Key Result #1: Maintain availability SLA
What to measure: Coverage of your availability SLA as defined per your availability policy. Practice makes perfect, so make sure to engage your team in testing out your recovery and incident response procedures.
- Practice backup and recovery.
- Practice incident response.
- Identify and fix flaws in the recovery and incident response procedures.
- Publish incident response postmortems when incidents occur.
Key Result #2: Relevant policies and procedures
What to measure: Your policies and procedures need to evolve as your team and solution grow. Perform an internal audit of your policies and identify flaws. As you have a defined set of procedures, you can measure the number of policies and procedures you have reviewed – more is better.
- Update your policies and procedures where applicable.
Key Result #3: Maintain risk and vulnerability management SLA
What to measure: How you are addressing discovered vulnerabilities. Count the percentage of cases where you are within compliance – aim for 100%.
- Monitor your vulnerability tracking solutions.
- Classify discovered vulnerabilities.
- Take appropriate action as per your vulnerability management plan.
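The vulnerability SLA Key Results above (Key Result #1 and #2 of Step 0, and Key Result #3 of Step 3) all come down to the same measurement: for each discovered vulnerability, was it classified, and was it resolved within the deadline your policy attaches to that criticality? The following is an added example of how that measurement can be computed from a vulnerability register; it is not Gtmhub's code. It assumes that findings are classified by CVSS v3 base score and uses placeholder SLA windows (7, 30, 90 and 180 days) that you would replace with the values from your own risk management policy. An open finding counts as compliant as long as its deadline has not passed, and as a breach once it has.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed resolution SLAs in calendar days per criticality. These values are
# placeholders for this example; derive your own from your risk management policy.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def criticality_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity rating.

    Assumption: the policy classifies findings by CVSS base score. CVSS rates a
    score of exactly 0.0 as "None"; it is folded into "low" here for tracking.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Vulnerability:
    vuln_id: str                     # constructed identifier, not a real finding
    cvss_score: float
    discovered: date
    resolved: Optional[date] = None  # None means the finding is still open

    @property
    def criticality(self) -> str:
        return criticality_from_cvss(self.cvss_score)

    @property
    def deadline(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.criticality])

    def within_sla(self, today: date) -> bool:
        """Compliant if resolved by the deadline, or still open and not yet due."""
        if self.resolved is not None:
            return self.resolved <= self.deadline
        return today <= self.deadline


def sla_compliance_pct(vulns: List[Vulnerability], today: date) -> float:
    """Key Result: percentage of findings handled within SLA (aim for 100)."""
    if not vulns:
        return 100.0
    compliant = sum(1 for v in vulns if v.within_sla(today))
    return round(100.0 * compliant / len(vulns), 1)


def compliance_by_criticality(vulns: List[Vulnerability], today: date) -> Dict[str, float]:
    """Same metric broken down per criticality, to see where the SLA slips."""
    buckets: Dict[str, List[Vulnerability]] = {}
    for v in vulns:
        buckets.setdefault(v.criticality, []).append(v)
    return {level: sla_compliance_pct(group, today) for level, group in buckets.items()}


def open_findings(vulns: List[Vulnerability]) -> List[str]:
    """Key Result: unresolved vulnerabilities in the solution (fewer is better)."""
    return [v.vuln_id for v in vulns if v.resolved is None]


def overdue_findings(vulns: List[Vulnerability], today: date) -> List[str]:
    """Open findings whose deadline has already passed: the ones to escalate."""
    return [v.vuln_id for v in vulns if v.resolved is None and today > v.deadline]


# Constructed sample register; identifiers, scores and dates are made up.
TODAY = date(2021, 6, 1)
SAMPLE = [
    Vulnerability("VULN-1", 9.8, date(2021, 5, 1), date(2021, 5, 5)),   # critical, closed in time
    Vulnerability("VULN-2", 7.5, date(2021, 4, 1), date(2021, 5, 15)),  # high, closed late
    Vulnerability("VULN-3", 5.3, date(2021, 5, 20)),                    # medium, open, not yet due
    Vulnerability("VULN-4", 9.1, date(2021, 5, 10)),                    # critical, open and overdue
    Vulnerability("VULN-5", 3.1, date(2021, 1, 1), date(2021, 6, 1)),   # low, closed in time
]

if __name__ == "__main__":
    print(f"SLA compliance: {sla_compliance_pct(SAMPLE, TODAY)}%")
    for level, pct in compliance_by_criticality(SAMPLE, TODAY).items():
        print(f"  {level:<8} {pct}%")
    print("open:", open_findings(SAMPLE))
    print("overdue:", overdue_findings(SAMPLE, TODAY))
```

Run as a script it reports 60.0% overall compliance for the sample register, with the critical bucket at 50% and the high bucket at 0%, which is exactly the kind of breakdown that tells you which part of the vulnerability management plan is not being followed. The overdue list is the daily worklist; the compliance percentage is the number you report against the Key Result.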
Step 4: SOC 2 Type 2 certified
This is it. Time for the mission-critical certification – all your efforts so far have been leading up to this moment. Enough time has passed since you acquired your Type 1 certification, and you have had the time to gather relevant evidence of how your Security program is operating smoothly. Now you need to engage with your auditing partner to complete the final step.
Objective: SOC 2 Type 2 certified solution
Description: Own the audit process, prepare, and provide all necessary evidence. Leave no room for doubt about the quality of your security program.
Key Result #1: 0 Open audit controls
What to measure: The number of security controls for which you have not provided evidence – go for 0.
- Provide evidence for each security control.
Key Result #2: Auditors have all sample data
What to measure: The main difference between the Type 1 and Type 2 audits is that your partner will look at the actual artifacts being created by practicing your security program. Be prepared to provide incident reports, evidence of backup and recovery practice, evidence of mitigation for vulnerabilities, and so on. Count the number of open sample data requests you have – go for 0.
- Provide sample data requested.
Key Result #3: 100% of security controls audited
What to measure: Measure how your audit partner goes through the security controls. You have provided them with all necessary information, so this Key Result is more or less an indication of your certificate attainment. Measure the percentage of closed security controls – 100% indicates that you nailed it.
Step 5: Rinse and repeat
Boom! You have achieved your SOC 2 Type 2 certificate. Celebrate success, brag about it, and get back to business :)
The security program requires that you continuously practice all its aspects. Repeat steps 3 & 4 to recertify your security program when the time comes.
*Read more about Gtmhub’s security practices here.