Every SOC report follows the same basics – the attestation is completed, demonstrating a company’s adherence to established controls, and the report is then provided to customers and prospects (under NDA, of course). Now that everyone is assured that their data is secure in the hands of the organization, what’s next? Rinse and repeat every year? Hardly.
As simple as the basic process sounds, there are other ways to gain additional value with a SOC report while doing what is required of your organization (perhaps contractually). In order to maximize your report year over year, use the SHARPE method:
- Showcase Your Unique Tools and Applications
  If you’re utilizing the latest in technology, why not demonstrate the use of your best-in-class tools? Whether monitoring for threats, analyzing logs, or patching vulnerabilities, the SOC report is the perfect place to demonstrate your control posture.
- Highlight Your Controls
  That includes those beyond the scope of review, because while the Testing Matrices section of your report includes the control activities necessary to meet the established control objectives (SOC 1) or trust services criteria (SOC 2), options exist to demonstrate additional controls in place. Within the audited section of the report (Section 3), the system description can be utilized to elaborate upon the functioning of key controls or processes (i.e., how the controls function in detail). Within the unaudited section of the report (Section 5), additional information could be documented regarding other items of relevance to the report recipient (e.g., compliance with privacy laws or regulations such as GDPR, CCPA, etc.).
- Accentuate Process Flows
  Add some color to your report by including process flow graphs or diagrams to further elaborate on unique processes or controls. For example, data flows are oftentimes best demonstrated via diagrams. Additional considerations should be given to data classification levels or components of the risk assessment and treatment methodology.
- Record Changes in Controls
  Your business is continuously changing, but are your controls keeping up with the pace? Changes to existing controls should be communicated in advance of fieldwork to ensure they are properly included, and the report contents should expand upon these changes to demonstrate enhancements in the entity’s controls.
- Protect the Report Contents
  Worried about the report falling into the wrong hands? A password of your choice can be added to open the document. If that is deemed excessive, the organization’s requirements for accessing the report content can be applied as part of a clickwrap version requiring acknowledgment of the terms.
- Explain Deviations From the Norm
  Were there exceptions or deviations identified as part of the assessment? While optional, you may provide a management response within Section 5 of the report to reduce the number of potential inquiries. Consideration should be given to documenting what caused the deviation, how the issue was corrected, the details of mitigating controls, and how the entity plans on remediating the issue to prevent recurrence.
SOC reports don’t have to be “just routine.” By applying the SHARPE method, you can ensure your report is providing the most value by effectively communicating the entity’s commitment to safeguarding customer data and protecting critical company assets.
About the Author
More Content by Robert Tylka