Hi Marina! The AICPA has mapped SOC2 Trust Criteria to various other frameworks including ISO (sadly not CCM afaik):
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html
So you really should not need your auditor to do much to get you a Type II if you already have the ISO (and are actually doing the things your documentation says you are doing ;). It should largely be a mapping exercise.
That said, SOC2 focuses a bit more on certain controls specific to cloud hosting and will be a bit more pedantic on evidence collection. The typical evidence request list for a Type 2 for all trust criteria (core security, integrity, availability, privacy) would be ~200 items - a mix of whole-population requests (i.e. show me all your change tickets for last year) and then specific samples, e.g. give me these specific 25 git PRs and show me test cases for these.
No one should be managing their SOC2 manually - nor their ISO for that matter - use a tool. There are free ones (search in the archives here or Google), there are free-to-try ones, and there are good ones that are not too expensive. I don't want to invade the community discussion here with product mentions so DM if interested in specific recommendations - I've tried them all!
Your auditor should also be ready to accept automated evidence and minimize manual requests (i.e. screenshots). If not, find another auditor. There are many, many who can use automated tools to be efficient. On cost, especially for an ISO -> SOC2 Type 2, you shouldn't have to pay >$15K in my experience. Less is possible, but many auditors will charge MUCH more. For someone who is already ISO, you shouldn't need an expensive Type 2 audit.
Good luck!!
------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
------------------------------
Original Message:
Sent: Aug 02, 2021 11:17:43 AM
From: Marina Hoffmann
Subject: SOC II report
Hi folks,
I hope this question is fine for the CSA inner circle community - I'm new here :)
We're planning to perform a SOC II audit. I've already performed the whole ISO 27001 certification process but don't have experience with SOC II. I would love to get your experience and some tips on how to start. Do you have any recommendations for me on which company can support me with performing the gap analysis and the preparation?
thx.
Marina
------------------------------
Marina Hoffmann
Information Security Officer
Userlane
------------------------------