Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

SOC in 5 Simple Steps

Home
Industry Insights
SOC in 5 Simple Steps

Blog Article Published: 05/09/2014

By Ryan Dean, Senior Associate

BrightLine

As an audit firm, we are frequently contacted by service organizations that know they need a SOC report (usually by way of a client request), but don’t know where to begin. With that in mind, I have broken down the process of obtaining a SOC report into five simple steps:

Determining the Scopesoc-in-5-simple-steps

The first step in obtaining a SOC report for your company (the service organization) is to define the scope. A few questions to ask the stakeholders are:

  • What service(s) do you need a SOC report for?
  • What systems are involved in providing those service(s)?
  • Are the services provided from a single location or several?
  • Is the report intended for all users or only one specific customer?

For service organizations that specialize in one particular service, scope definition is fairly straightforward. However, many organizations offer a variety of services to their clients, and it is necessary to narrow down the scope. While some services can be combined into a common report (i.e. the various payroll processing services of a payroll company), it is not uncommon for a service organization to have separate SOC reports for the different services they offer.

Choosing a Report

The next step is to determine which type of report(s) will best suit your company’s needs, and perhaps more importantly, your customers’ needs. The most common report is the SOC 1 report (SSAE 16 or the historic SAS 70), but SOC 2 and SOC 3 reports continue to gain traction. The need for SOC reports is often driven by a service organization’s customers and/or their customers’ auditors. It is therefore important to ensure that the type(s) of report(s) a service organization pursues will satisfy their customer needs. Frequently, the type(s) of SOC reports that a customer would like the service organization to provide is included as a contractual requirement for doing business, but keep in mind this is not always the case.

If specific requirements or requests are not made by contractual agreements and/or client requests, the service organization should select the SOC report that meets their needs:

  • SOC 1 – Detailed report of controls placed into operation for services relevant to financial reporting
  • SOC 2 – Detailed report of controls placed into operation for services concerning security, availability, processing integrity, confidentiality, and/or privacy
  • SOC 3 – High-level report, including seal, that is made publicly available to users with a need for confidence in the service organization’s controls

In addition to SOC reports, service organizations are often either required (i.e. PCI DSS) or elect (i.e. ISO 27000) to obtain various other attestation or compliance reports to showcase their adherence to different compliance requirements. In such cases, service organizations should consider the efficiencies and cost savings that can be attained by using a “single vendor” approach for their compliance reporting needs.

Preparing for the Assessment

Prior to the commencement of an actual SOC assessment, service organizations can take steps to help ensure they are well-prepared for the actual assessment. For clients that have never undergone an assessment before, it is often recommended to undergo a readiness assessment. A readiness assessment is intended for management use only, and will help the service organization identify both strengths and weaknesses with respect to the control environment. Regardless of whether it is a service organization’s first SOC report or tenth, management should always review and update their policies and procedures to ensure they reflect current practices and make sure employees are aware of the upcoming assessment.

It’s SOC Time!

Whether your organization is undergoing a SOC 1, 2, 3, or some combination thereof, the auditor will be working closely with you to help ensure a smooth assessment process. After agreeing upon fieldwork (testing) dates, the overall SOC report process can be outlined in a few basic steps:

  • Service auditor provides a list of requested evidence (usually a month in advance of fieldwork)
  • Service audit team arrives onsite at service organization to perform testing (that includes interviews, walkthroughs, and documentation review)
  • Service auditors document testing results and work with service organization to clarify any testing exceptions
  • Service auditor provides SOC report to service organization

Next Steps

Most service organizations that undergo a SOC assessment do so on an annual basis. In order to continually improve the quality of the SOC report and control activities contained within, service organizations should consider feedback from both their service auditors and the users of the report (customers and their auditors.) Service audit firms will often provide their clients with a list of observations made during SOC fieldwork. Such observations are not part of the actual SOC report; rather, they are an internal use listing of opportunities for improvement that the service organization might consider implementing in their control environment. If implemented, additional control activities can be added to the SOC report in subsequent assessments. Management should also consider feedback from their customers in terms of making sure the report is meeting their (and their auditors’) needs. Finally, because the majority of SOC reports are of the Type 2 variety (Type 2 reports span a review period compared to Type 1 reports, which are point in time), it is important that service organizations consistently execute their control activities throughout the year. This will help ensure that when the SOC auditors return for the next year’s assessment, testing exceptions are not discovered as a result of a lax control environment.

About the Author:

Ryan Dean is a Senior Associate with BrightLine where he has performed Service Organization Controls (SOC) reporting projects for clients in a wide range of industries, including financial services, healthcare, information technology, and manufacturing. Ryan has also provided professional services to multiple Fortune 1000, publicly traded, and regional companies during the course of his career.

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.