How do you properly scope a SOC 2 audit?

Table of Contents

    John Minnix

    November 21, 2024

    How Do You Properly Scope a SOC 2 Audit?

    Ryan Johanson of Johanson Group, LLP discusses best practices around scoping a SOC 2 audit

    Video Transcript

    Below is a transcript of the conversation between Tim Mekrakarn, Co-Founder of Bright Defense, and Ryan Johanson, Owner of Johanson Group, LLP.

    Tim: “How do you properly scope a SOC 2 audit? How do you properly scope the number of products, entities, trust service criteria, and those things? What are the levers?”

    Ryan: “So let’s start with the trust service criteria. The only one you have to do is security. The other four are completely optional. So, if you’re going for speed or simplicity, you just focus on security.

    Availability is around disaster recovery and uptime. Pretty easy to to accomplish. Most of you are in the cloud. So, it’s mostly writing a few extra policies.

    The next one we see is as being pretty popular is confidentiality, which is information that you, as a company, deem confidential. So, an extra policy, and two or three extra controls. Very easy to do, and those three apply to pretty much everybody.

    Now, once you get to privacy, which is around PII (Personally Identifiable Information), a lot of people really aren’t handling that. It’s a larger lift. Auditors are going to charge you more. The GRC platforms are going to probably charge you more for that. And, I’m not sure it always gets the client the benefit that they’re looking for. There would be some other things like a GDPR or HIPAA where your clients are going to be more interested in you actually following the law than having that privacy framework in place.

    The last one process integrity. It really doesn’t apply to most people. It’s around financial transactions. So, if you’re a payroll processor or credit card processor, then you’d be looking at something like that. But, those cases are usually few and far between.

    As far as scoping out the product, small businesses usually have one product. So, it’s if you’re a little bit larger company that has multiple product lines you can include all of them in one SOC 2 report. But, that will depend on what your customers know about your business. Will they be confused by having multiple product lines in this report? So, sometimes, if all the clients are already using all of the various services that you’re providing, one SOC 2 report may make sense. If they’re separate product lines and a company mainly uses one or two of them, then it may make sense to expand and do multiple SOC 2 reports for each product line.

    Another benefit to doing multiple SOC 2 reports, one for each product line, is that in case there is an exception, it’s only applied to that one product line. The other product lines are not getting hit with that exception when it doesn’t apply to them. So, some benefit there.

    Talk to your auditor about what makes the most sense for your company, for your customers, and for the reader’s report. It’s not as expensive as you think to generate that additional SOC 2 report. The auditor is already looking at those controls. It’s a smaller upcharge, so don’t get frightened by doing that.

    As far as just a general scope, we provide a Customer Success Manager to help answer those questions like “Hey, should I include this in scope?” If it’s kind of an odd situation, we can walk you through what the impact will be to the report and to those controls. Should you decide that something’s really not applicable as a control for your for your company, ask the questions, and that way we can help give you the answers that’ll lead you to the path to success.”

    Tim: “Awesome. Thanks for that. I’m gonna use that in in my scoping as well in the future.”

    About Bright Defense

    Bright Defense is defending the world from cybersecurity threats through continuous compliance.

    We understand that compliance is more than just checking boxes. It’s about minimizing the financial risk and reputational harm from a data breach. It’s also about assuring your clients, stakeholders, and employees that you are conducting business with the greatest commitment to security and data integrity.

    Bright Defense combines technology, expertise, and a customer-centric approach into a continuous compliance service that meets your unique business needs. Our monthly engagement model delivers a robust cybersecurity program that allows you to meet compliance frameworks, including SOC 2, ISO 27001, HIPAAPCI, and CMMC.

    Once compliance certification is achieved, we constantly enhance your security program to keep up with the evolving threat landscape and compliance standards. Our compliance automation toolset powered by Drata gives you complete visibility into your compliance status while saving you time and money.

    About Johanson Group, LLP

    With team members working from around the globe, the Johanson Group is ready to serve the compliance needs of companies from any corner of the world. Experienced in SOC 1,2,3, HIPAA examinations and ISO 27001 certifications, we offer various services tailored to meet each client’s individual needs. Our ultimate aim is to provide all our customers with the highest quality care and support in achieving whatever security posture is best for them.

    Get In Touch

      Group 1298 (1)-min