Statement on Standards for Attestation Engagements (SSAE) 16 SOC 2 is an auditing standard written for service organizations. While Service Organization Control (SOC) 1 reports primarily on financial institutions and their controls, the SOC 2 framework and reporting focus on technology service providers (such as data centers, cloud-based businesses, IT managed services, and software-as-a-service) as they pertain to five principles: Security, Availability, Integrity, Confidentiality, and Privacy of data held or processed by the service organization. Within the chosen principles, we focus on Policies, Procedures, Communication, and Evidence.
ADHERE can help ensure that your organization has the controls in place to comply with the SSAE 16 SOC 2 auditing standard. Here’s how:
Phase 1: Plan
In the Planning phase, ADHERE works with your Senior Management to identify your business objectives, taking into account several factors such as the organization’s size, business sector (industry specific considerations), existing Information Security maturity level, existing compliance standards, and management commitment to the initiative.
We then identify the budget, timeline, key stakeholders, risk factors, and inventory of company assets.
Phase 2: Document
In the Documentation phase, we take a look at your Policies and Procedures, what type of Risk Treatment Plan (RTP) is in place, and the extent of InfoSec staff resources and training in place.
Policies and Procedures
Once engaged, ADHERE will review your organization’s security-related Policies and Procedures against the SSAE reporting controls. If there are gaps in the Policy or Procedures as they relate to the controls, ADHERE will work with your organization’s respective stakeholders and legal counsel to create and deliver, or remediate any required documents.
If your organization already has security-related Policies and Procedures in place, ADHERE will review your existing documents and provide a gap analysis and recommendations to bring you into compliance with the standard.
Having the appropriate Policies and Procedures in place is the first step towards SSAE 16 compliance. You also need to ensure that they are communicated and implemented by your workforce.
Throughout this process, ADHERE will work with your team members to ensure that the documentation and implementation process for your Policies and Procedures is fully understood.
Technical Security Requirements (TSRs)
While Policies and Procedures deal with the documentation side of the InfoSec process, Technical Security Requirements deal with IT infrastructure and execution.
ADHERE’s technical Subject Matter Experts (SMEs) can create technical security requirement documents for your IT environment, which serve as the security hardening guides for your software, operating systems, or network architecture. These documents will be mapped and customized to your level of regulatory compliance.
Depending upon the organization’s Risk Treatment Plan (RTP), ADHERE can perform Quarterly or Annual Risk Assessments as one of our services.
Working with the individual internal team owners, ADHERE will review the applicable data, assess it, and present our findings and recommendations to management for further action and/or remediation.
Phase 3: Support
In the Support phase, ADHERE can perform a formal attestation on your organization’s level of security compliance. The attestation provides Senior Management with insight as to whether the organization is ready for the formal audit, before committing to the corresponding fiscal expenditure that comes with a Big-4 audit firm.
During the attestation period, ADHERE reviews and scores your ISMS from the perspective of an Auditor. It is important to distinguish that the attestation is NOT an audit; it is a pre-audit review and scoring that illustrates the organization’s IT security maturity level. After the attestation, your organization has the opportunity either to proceed with the audit or to perform additional remediation in preparation for the audit. (See the section on our Attestation Service for more information.)
CISO Team Services
ADHERE offers CISO Team Services On-Demand to provide your organization with operational oversight, periodic reassessments, remediation, and preventative action.
ADHERE offers continuous improvement and remediation to secure your organization throughout the process. Our #1 goal is for your organization to implement and maintain a mature ISMS that is adherent to industry standards and certifications.