The Inner Circle

  • 1.  SOC II report

    Posted Aug 02, 2021 11:20:00 AM
    Edited by Marina Hoffmann Aug 03, 2021 11:58:04 AM

    Wow, I've received so many answers - thanks to all of you - I think I have already a lot of information which I need to work on. 

    REQUEST IS RESOLVED :)  
    *********************************************************************************************************************************************


    Hi folks,

    I hope this question is fine for the CSA inner circle community - I'm new here :)

    We're planning to perform a SOC II audit. I've already performed the whole ISO 27001 certification process but don't have experience with SOC II. I would love to get your experience and some tips on how to start. Do you have any recommendations for me on which company can support me with performing the gap analysis and the preparation?

    thx.
    Marina



    ------------------------------
    Marina Hoffmann
    Information Security Officer
    Userlane
    ------------------------------


  • 2.  RE: SOC II report

    Posted Aug 03, 2021 07:15:00 AM
    Hi Marina:

    Any of the firms listed on our Certified Auditors for CSA STAR Attestation can help you with this.

    Just go to the page I provided a link to above and scroll down to that section.

    John A DiMaria; CSSBB, AMBCI, HISP, MHISP, CERP
    Assurance Investigatory Fellow
    Cloud Security Alliance
    m:+1 314 374-9752


  • 3.  RE: SOC II report

    Posted Aug 03, 2021 08:12:00 AM
    Hi Marina! The AICPA has mapped SOC2 Trust Criteria to various other frameworks including ISO (sadly not CCM afaik):
    https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html

    So you really should not need your auditor to do much to get you a Type II if you already have the ISO (and are actually doing the things your documentation says you are doing ;). It should largely be a mapping exercise.

    That said, SOC2 focuses a bit more on certain controls specific to cloud hosting and will be a bit more pedantic on evidence collection. The typical evidence request list for a Type 2 for all trust criteria (core security, integrity, availability, privacy) would be ~200 items - a mix of whole-population requests (i.e. show me all your change tickets for last year) and then specific samples, e.g. give me these specific 25 git PRs and show me test cases for these.

    No one should be managing their SOC2 manually - nor their ISO for that matter - use a tool. There are free ones (search in the archives here or Google), there are free-to-try ones, and there are good ones that are not too expensive.  I don't want to invade the community discussion here with product mentions so DM if interested in specific recommendations - I've tried them all!

    Your auditor should also be ready to accept automated evidence and minimize manual requests (i.e. screenshots). If not, find another auditor. There are many, many who can use automated tools to be efficient. On cost, especially for an ISO -> SOC2 Type 2, you shouldn't have to pay >$15K in my experience. Less is possible, but many auditors will charge MUCH more. For someone who is already ISO, you shouldn't need an expensive Type 2 audit.

    Good luck!!

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 4.  RE: SOC II report

    Posted Aug 03, 2021 11:05:00 AM
    Edited by Nicholas Grove Aug 03, 2021 11:51:11 AM
    Just wanted to say publicly, since oftentimes we only reward negative behavior on the net (:/); this was a fantastic response @Robert Ficcaglia! Even in the field I learned something new, thanks to you Robert (and Marina for asking the question!).

    ------------------------------
    CISSP, CCSP, CASP+, et al. | Cybersecurity • Supply Chain • Education | www.linkedin.com/in/nicholasgrove/
    ------------------------------



  • 5.  RE: SOC II report

    Posted Aug 03, 2021 11:41:00 AM
    Hi @Robert Ficcaglia

    thank you so much for your really, really helpful response!  
    This is helping me to understand the scope and effort for the SOC II report.

    :*

    ------------------------------
    Marina Hoffmann
    Information Security Officer
    Userlane
    ------------------------------