Let’s start off by defining SOC 2 (System and Organization Controls 2). A SOC 2 examination evaluates an organization’s controls against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. With ever-increasing frequency, technology service providers are being questioned about these elements.
Why is SOC 2 important for MSPs and XaaS Vendors?
As regulators place growing pressure on MSP customers to demonstrate these system and data characteristics, the customers will push some of that responsibility through to the MSPs themselves. They want assurance that as MSPs manage their IT infrastructure and/or their end-user systems, their data remains safe. Customers also expect the vendors serving MSPs to be compliant. Customers do not want to be on the regulators’ radar, and they surely do not want to show up on the front page of a newspaper for breach of any requirements (and neither do IT service providers)!
What are the steps of a SOC 2 engagement?
First, a clearly defined readiness assessment determines the current state of systems and internal control processes and identifies any gaps. Once the remediation of those gaps is completed, the SOC 2 examination begins. The results are then presented in a report, which provides evidence that controls are in place and operating properly, that they meet the appropriate, pre-defined and agreed-upon criteria, and that they are effective. The report also provides insights and actionable results.
How frequently should SOC 2 assessments be conducted?
After the initial assessment and reporting, reviews should be completed at least every 12 months.
So what does a SOC 2 assessment do for an MSP or Vendor?
In short: it mitigates the risk to MSPs, XaaS vendors and their customers. Because it demonstrates compliance and offers transparency for customers, a SOC 2 report quickly becomes a differentiator; a competitive advantage! Think about the statement that is made when a SOC 2 report is voluntarily and proactively added to a proposal or engagement letter. In addition, it makes ad hoc reports and customer on-site visits unnecessary, increasing provider productivity.
“Why can I not do it myself?”
Regulators expect an independent auditor (for SOC 2, a licensed CPA firm) to conduct the examination of an organization’s internal controls; a self-assessment is not a SOC 2 report. In addition, a report completed by an outside, independent source delivers transparency for customers and assurance that their security needs are met.
Kate Siegrist, CPA, CISA, CRISC