2022 ISO 27001 UPDATES: EVERYTHING YOU NEED TO KNOW

ISO 27001 is a globally-recognized compliance certification and while you may know what ISO 27001 is all about, things are changing with the rapidly growing cyber world. So read on to make sure you’re on top of all the latest updates.

What is ISO 27001 certification?

ISO 27001 is an international standard that specifies how to manage information security. It helps organizations protect the confidentiality, integrity, and availability of their data, and it is the auditable international standard that sets out the requirements for an information security management system (ISMS). Certification means an accredited certification body has audited your ISMS against those requirements.

ISO 27001 lists the security controls an organization is expected to consider in Annex A. To understand what each control involves and how it could be implemented, consult ISO 27002, the guidance document that accompanies the Annex A controls.

It may also be helpful to read our blog detailing ISO 27001 vs SOC 2 and peruse our glossary, specifically the ISO 27001 glossary section.

Understanding ISO 27001 compliance in 2022

The 2022 updates were made to the security controls in ISO 27002, and Annex A of ISO 27001 is being updated to match.

ISO 27001 was last revised in 2013, almost a decade ago, so these changes deserve close attention, along with what they mean for certified organizations.

You may ask why ISO 27001 is being updated now. Simply put, it is time. Information security in 2022 is rather different from information security a decade ago. The cyber landscape has evolved significantly and become a lot more complex, with new technologies, online businesses and cloud operations.

ISO 27002 was officially updated on February 15, 2022. The matching update to ISO 27001 Annex A was expected during 2022, with no date announced at the time of writing. (ISO/IEC 27001:2022 was subsequently published on October 25, 2022, with a three-year transition period for certified organizations.)

So, what are the changes to the ISO 27001 framework?

Changes to the ISO 27001 framework

Only Annex A has changed, but Annex A makes up a significant part of an ISO 27001 implementation: it is the control set your Statement of Applicability, risk treatment plan and internal audits are built on.

Update 1 

The previous version of Annex A contained 114 controls across 14 domains, while the new version contains 93 controls across 4 themes (Organizational, People, Physical and Technological). The drop in the count is mostly due to controls being merged rather than dropped: 57 controls were consolidated into 24, 58 were updated, and 11 are new.

The 11 new controls added to Annex A (with their ISO 27002:2022 numbers) are:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

Update 2

Policies on their own are not enough: you also need documented operating procedures. This is not strictly new (the 2013 Annex A already listed documented operating procedures as control A.12.1.1, carried forward as control 5.37 in the 2022 edition), but an auditor working against the new control set will look for procedures that show how each policy is actually carried out, not just the policy itself.

Procedures lay out the operational steps you take to put the policies into practice; the policies set the high-level parameters of your information security management system.

Update 3

In the new version, each control in ISO 27002 is tagged with 5 attributes:

  • Control type (preventive, detective, corrective)
  • Cybersecurity concepts (identify, protect, detect, respond, recover)
  • Information security properties (confidentiality, integrity, availability)
  • Operational capabilities (for example governance, asset management, identity and access management, threat and vulnerability management, continuity, supplier relationships security)
  • Security domains (governance and ecosystem, protection, defence, resilience)

These attributes are defined in ISO 27002:2022 (Annex A of ISO 27001 lists the controls without them). They let you filter the control set by what matters to your operations and main concerns, for example every detective control, or every control that supports the "respond" concept, so you can prioritize accordingly.

In summary, the 2022 update adds documentation and responsibilities, but it also gives clearer and more detailed guidance for each control.

Should an organization that is planning to get ISO 27001 certified wait until the new version is published?

ISO 27001 certification process

If existing customers or prospects are asking for your ISO 27001 certificate, start as soon as possible against ISO 27001:2013. The decision should depend on how quickly you need the certificate, not on the pending revision: certificates issued against the 2013 version remain valid through the transition period, and waiting for the new version will most likely leave your organization exposed for longer.

For ISO 27001 first-timers, it is well worth using compliance automation tooling, particularly for automated evidence collection.

How do the changes affect your organization?

If your organization is already ISO 27001 certified, most of the work is documentation: re-mapping your Statement of Applicability, risk treatment plan and policies to the new control set. Do not assume no technical changes at all, though. The new controls (threat intelligence, data leakage prevention, web filtering, monitoring activities and so on) must be risk-assessed and either implemented or justified as not applicable, and some may need tooling you do not have yet. So when does the documentation need to change? The transition period had not been published at the time of writing; earlier revisions allowed around two years, and the period eventually set for ISO 27001:2022 is three years from its publication in October 2022, so there is enough time to plan the migration rather than rush it.

Your existing certificate remains valid. The certification body will check during your regular surveillance audits that you have moved your documentation to the new control set within the transition period, so no extra audits need to be scheduled. If your recertification audit falls inside the transition period, consider being audited against the new control set then rather than leaving the migration to the last minute.
You can read about Scytale’s ISO 27001 certification and what this means for us and our customers. Also, take a look at how Scytale’s compliance automation platform can change the game for your ISO 27001 compliance process.

5 Reasons Why You Need a SOC 2 Report

Your SOC 2 report is the evidence you (and your customers) need to demonstrate that your information security controls are up to the job of protecting users’ data. It’s a powerful way of communicating exactly how seriously you take information security while giving the peace of mind that you’ve taken effective measures to protect customer data and prevent breaches, data leaks and other data security mishaps that could wreck your reputation.  

In other words, SOC 2 is more than simply a compliance standard. Becoming SOC 2 compliant is a good business decision. A really good one.

There are plenty of reasons for any SaaS company to prioritize SOC 2 compliance. Here’s our shortlist of five of the most compelling reasons why your business needs a SOC 2 report. 

1. It’s a chance to show, not just tell  

A SOC 2 report is a special kind of compliance document. Becoming SOC 2 compliant isn’t simply about ticking the right boxes and getting a certificate. In fact, SOC 2 is not a certification at all. Rather, your independent SOC 2 auditor attests that your controls meet the Trust Services Criteria set out by the American Institute of Certified Public Accountants (AICPA), the national professional organization of Certified Public Accountants in the United States.

In other words, the SOC 2 report is a detailed account of the controls you have designed and successfully implemented to ensure your customers’ data security. And that means that instead of simply assuring customers and partners that you take information security seriously, your SOC 2 report provides detailed, comprehensive evidence and results of your security controls testing.

And if you choose a SOC 2 Type II report, the gold standard in data security, you have excellent evidence that your controls not only are well designed but operate effectively over time. A Type I report covers the design of your controls at a point in time; a Type II report tests their operating effectiveness over a review period, typically 3 to 12 months.

2. Your customers will demand it (now or in the future)

As we can now see, a SOC 2 report is an excellent way to prove your data security bona fides. That’s a powerful competitive advantage, which is especially useful for startups looking to build their brand and break into new markets. 

But it’s a mistake to think of a SOC 2 report as simply a ‘nice to have’. Many customers will demand compliance with a stringent information security standard – such as SOC 2 – as a minimum condition of doing business. In other words, they won’t even consider your product if you cannot produce a valid SOC 2 report, no matter how excellent your technology and service may be. 

That’s true of future clients. But it may also be true of your existing clients, which may implement stricter procurement policies as they grow. Becoming SOC 2 compliant ensures you can grow with your clients, and continue to provide first rate service to even the most data-security conscious businesses. 

3. Protect your brand reputation 

A SOC 2 report is an excellent way to show customers just how effective your data security controls are. But even more importantly, it’s a way to reassure yourself that you have successfully implemented appropriate security measures.

After all, if your business suffers a data breach or if information security is compromised in any way, that can be absolutely catastrophic for your brand reputation. Some companies never recover from the reputational damage of a serious breach.

SOC 2 takes the guesswork out of data security. After all, you get the reassurance of an objective assessment by professional auditors that you meet an independent set of information security standards. What could be more reassuring than that?

4. Save money in the long run

By now we can appreciate that SOC 2 is a powerful and effective information security standard that offers a clear business advantage. But can your company afford it? After all, implementing SOC 2 is time-consuming and requires a substantial investment of resources. 

That’s not a trivial question. For startups and small businesses in particular, choosing how to prioritize your limited resources is a key strategic decision. 

Fortunately, advances in SOC 2 compliance software have made SOC 2 compliance simpler, easier and more affordable. The ability to automate tedious, time-consuming and error-prone SOC 2 processes means that more businesses can enjoy the benefit of SOC 2 compliance.  

Considering the business benefits of SOC 2 compliance and the severe risks of poor information security, the real question may be: can your business afford to ignore SOC 2?

5. Build a foundation for growth

No SaaS business can afford to ignore data security. If you provide cloud services, customers ultimately want reassurance their personal data is safe. 

But when is it time to get really serious about data security? It may be tempting to focus on accelerating growth in the early stages of a business and then implementing robust standards such as SOC 2 when the company is more established. 

But that can lead to serious complications. After all, good data security requires developing effective structures, processes and controls across the organization. And to get the most out of those processes, you need a culture of information security. 

Establishing information security controls, and fostering a good information security culture, is no simple matter at the best of times. But once a company scales, it becomes far more difficult. At that point, you need to overcome a potentially lax InfoSec culture and develop a whole host of new processes on top of existing layers of bureaucracy.

That’s why implementing SOC 2 at the startup phase is so strategically valuable. Building flexible and resilient controls now means that your data security protocols can evolve with the business. Getting leadership involved from the beginning, and laying out all stakeholder roles and duties clearly and precisely, ensures that information security is part of the company culture rather than an afterthought.

SOC 2 compliance: check all the boxes

If you are serious about becoming SOC 2 compliant, there’s no time like the present. Implementing SOC 2 offers a clear competitive advantage and sets your business up for long-term success. 

Of course, SOC 2 is only worth doing if you take the time to do it right. To help with your SOC 2 journey, we’ve devised a checklist to ensure you don’t overlook any important details. Be sure to check it out here.

Top Compliance Concerns For SaaS Companies

A careful compliance strategy is non-negotiable for SaaS businesses. That’s true for giant multinational corporations. And it may be even more critical for smaller businesses. Unlike large, established firms, SaaS startups can’t always absorb the reputational risk of data breaches or legal trouble that lax compliance policies often lead to. 

However, successful compliance management doesn’t just happen. It takes care and attention. Good SaaS compliance management means carefully assessing your company’s strategic goals and developing an integrated set of compliance policies to help ensure you meet those goals. 

That may sound daunting, but with the right compliance automation technology and support, meeting even the most rigorous compliance targets is much simpler and more cost-effective. 

Here are some of the most important compliance management concerns every SaaS business needs to carefully consider.

ISO 27001 or SOC 2?

Let’s start at a high level. How can SaaS companies implement robust and comprehensive data security controls? And how can you demonstrate your commitment to information security, gaining a crucial competitive advantage? For most managers the answer is obvious: implementing a renowned, globally recognized standard like SOC 2 or ISO 27001 is the most effective way to demonstrate that your business meets a high bar for data security. But how do you decide which standard is most appropriate for your organization? One simple answer is that SOC 2 tends to be preferred in US markets while ISO 27001 is often demanded by European customers. But there’s more to the decision than geography, and in many cases you may decide to implement both standards. Be sure to check out our guide to ISO 27001 vs SOC 2 compliance to help you make a more informed decision.

What Are The Compliance Concerns For SaaS Companies?

Reputational damage

This is not directly a compliance issue, but rather a major reason to get your compliance efforts in order. Even major businesses struggle with the brand damage of a security leak. For SaaS startups, bad security could ruin a business before it even gets a chance to build its reputation.

GDPR and global data protection regulations

Data protection regulations, such as GDPR in the EU, and specialized local rules, such as the California Consumer Privacy Act, mean that data security isn’t just a good business decision, it’s a legal requirement. 

As more countries adopt stringent data privacy rules, you need to ensure you have the systems and technology to meet those standards and to be able to efficiently update your processes as the regulations change. 

Data security

For SaaS companies, data security is the fundamental compliance issue. (There’s a reason security is a non-negotiable component of SOC 2.)

Obviously, data security is primarily about developing robust controls to prevent data breaches in the first place. But a comprehensive data security strategy also plans for the unforeseen. Do you have an incident response plan for investigating breaches? Are you learning from attempts to compromise your network? Do you have logging and monitoring that automatically records and collates attempts to breach your systems?

Access management 

Now let’s dig into the specifics. What does data security actually look like? Access management is one of the truly basic components of information security – and one you absolutely have to get right. 

Cloud storage is convenient and flexible, but it also exposes an obvious attack surface. You need to assure SaaS users that they can access their accounts quickly and easily, while sufficient controls (strong authentication, least-privilege authorization, and reviewed, logged access) are in place to prevent unauthorized access. Finding that balance between watertight security and convenience is at the heart of any thoughtful InfoSec strategy.

Third-party risk control

SaaS companies rely on SaaS companies. Just as you hope to become an integral part of your customers’ tech stack, you likely rely on a number of third-party services within your organization. However, a compliance value chain is only as strong as its weakest link.

That’s why you need to vet all partner systems and technology thoroughly to ensure they do not compromise your own. No less importantly, you need a mechanism to detect and prevent unauthorized use of third-party services and software within your organization.

Who is leading your compliance efforts?

Compliance cannot be an afterthought. The stakes are simply too high. And that means you need dedicated resources. You also need to have the appropriate senior managers or project managers driving your compliance efforts and monitoring ongoing compliance. 

Fortunately, many of the manual processes involved in continually assessing compliance can now be automated. That means key staff can stay on top of the company’s compliance and maintain business as usual without devoting too much time and effort to the process.

Do you have a compliance roadmap?

A business may be fully committed to meeting compliance demands, but do you have a coherent and comprehensive set of internal policies and best practices to guide the process? If everything is ad hoc and improvised, you risk overlooking important elements of compliance, or duplicating effort within the organization, or simply failing to align everyone’s goals. Ultimately, that’s a recipe for failure. Every SaaS business will benefit from developing and implementing a set of inhouse compliance policies and procedures that reflect the company’s values and help achieve long-term strategic goals.  

What’s your privacy policy?

Beyond your internal policies, there’s great value in developing a comprehensive public privacy policy that communicates precisely how you manage customer data. A privacy policy isn’t only an important part of complying with the rules; it also makes good business sense, setting clear expectations for users and partners alike.

Are you using the appropriate compliance technology?

Compliance automation is a game changer. Many of the tedious, time-consuming and costly manual processes involved in meeting compliance goals can now be automated. That means compliance is now faster, simpler and more affordable. And no less importantly, automation reduces the chance of human error.  So if you’re not using compliance technology, you’re wasting time, wasting money and risking serious errors in the process. 

Ticking all the boxes

Whatever compliance standard you ultimately choose, you need to take a careful, methodical approach ensuring your implementation meets your compliance goals. Before undergoing an audit, consult a comprehensive SaaS audit checklist and ensure you’ve ticked all the boxes. Otherwise you risk investing time and money into an incomplete process.

As compliance experts, with experience implementing the most rigorous data security protocols, Scytale appreciates that there is no one-size-fits-all compliance solution. Every SaaS business has its own priorities, goals and functions. Our powerful compliance technology means every SaaS business can now enjoy a flexible, customized and secure compliance solution, customized to meet your organization’s needs.  

Preparing for Your SOC 2 Audit – Dos and Don’ts

The SOC 2 audit process can be daunting. To get the most out of your SOC 2 compliance, it’s critical to remember why you’re undertaking a SOC 2 audit in the first place. With a good strategy and the right technology, it becomes much easier to set yourself up for SOC 2 success.

To ensure you’re on the path to effective SOC 2 implementation, be sure to bear these key dos and don’ts in mind.

Don’t rush the process…

There are no shortcuts to successful SOC 2 implementation. Just think about how much preparatory work is needed before you can even think of undergoing the actual audit. You need to determine the scope of the audit, get clarity on the type of report you wish to pursue, and ensure all stakeholders are empowered to play their role in ensuring SOC 2 success. 

… but do have a SOC 2 strategy 

Now, it’s all well and good to say you need to effectively prepare before setting out to meet the SOC 2 compliance requirements. But what does that mean in practice?

That’s why it is so important to gain clarity on your SOC 2 strategy. Why are you implementing SOC 2 in the first place? What is your current operational capacity and how are you planning to grow the business? Are you planning to compete in new markets? 

These may seem like abstract questions, but they inform concrete actions. For example, once you have clarity about your customer’s expectations, you are in a much better position to determine the scope of your SOC 2 implementation

Similarly, while SOC 2 Type II is the gold standard, you need to be sure you have the operational capacity to keep controls operating effectively throughout the review period, since that is what a Type II audit tests.

Do use SOC 2 compliance technology

Speaking of operational capacity, how ambitious can you be when implementing SOC 2? After all, becoming SOC 2 compliant is a great way to gain an advantage in highly competitive markets. But at the same time, the audit process is demanding and rigorous. How can you use SOC 2 to grow if achieving SOC 2 compliance is beyond your current operational capacity?

This is where compliance technology takes center stage. SOC 2 automation is a game changer. By automating highly time-consuming processes, and simplifying much of the complexity of preparing for audit, the best SOC 2 technology puts compliance in reach of more business. 

Automation also enables you to be more ambitious in your compliance goals. For instance, a SOC 2 Type II audit is extremely demanding. If you’re relying on manual processes, SOC 2 Type II is simply out of reach for many startups and smaller SaaS companies. SOC 2 compliance technology changes the equation, putting the most rigorous compliance in reach of ambitious businesses that need it most. 

Don’t delegate too much 

So far, we’ve alluded to some big ideas to discuss SOC 2 implementation. Strategy. Operational capacity. Long-term vision. 

There’s a good reason for this. Becoming SOC 2 compliant is an intensive process designed to meet a long-term business goal. And that means leadership needs to hold the reins. 

There are two reasons senior management needs to be directly involved in SOC 2 compliance decision-making. First, in order to realize the overall strategic vision, you need direction and vision from the top. Second, for successful implementation, every relevant person within the organization needs the guidance and authority to make the required inputs.

Experience shows that the SOC 2 audit process really succeeds when leadership drives the process. 

Do get the whole organization involved

If leadership needs to drive compliance, that doesn’t mean the process should be a heavy-handed top-down affair. Management needs to lead the process but all employees should be involved. After all, to meet the compliance demands of SOC 2 you will need to develop controls that may affect every element of the business. 

All employees need to appreciate why the changes are necessary and receive the training and support they need to adapt.

SOC 2 technology is especially useful when it comes to coordinating workflow between staff and ensuring everyone has access to the tools and information they need to successfully drive the compliance process. 

Don’t take your auditor for granted

SOC 2 is a framework developed by the American Institute of Certified Public Accountants (AICPA), so your SOC 2 audit is conducted by an independent CPA firm. When choosing an auditor, it’s important to remember that the auditor is not your adversary.

SOC 2 is not some legal box you have to tick. You’ve chosen to become SOC 2 compliant for a reason. Therefore, you want an experienced, thorough auditor that will make a careful assessment of the controls you have established. 

Remember, the SOC 2 attestation report is a detailed document that describes the measures you have put in place to meet the exacting SOC 2 standards. A detailed attestation will reassure clients that your organization is committed to, and capable of, safeguarding their data. 

Do take advantage of expert guidance

SOC 2 is complex, but you don’t have to go it alone! Many businesses depend on an expert SOC 2 advisory service to provide strategic guidance and to manage the nuts and bolts of implementation. An experienced SOC 2 advisory service is a highly effective way to ensure you meet all the SOC 2 requirements as efficiently as possible.

Don’t get complacent after assessment

A SOC 2 Type II report covers a defined review period, and customers generally treat a report as current for about 12 months after its issue date; older reports carry little weight with prospects. Maintaining your SOC 2 Type II status therefore means continuous, ongoing compliance and a fresh audit each year. It’s a demanding security standard, but ultimately an extremely rewarding one, as it demonstrates that your business upholds consistent standards of security and reliability. That’s something clients value.

That’s why it is so important to lay the right compliance foundation from the start. With effective processes and systems, and the right compliance technology, consistently meeting your SOC 2 goals becomes simpler, more efficient and much more cost-effective.  

10 Best Compliance Podcasts You Should Listen To In 2022

If your business is affected by compliance rules and regulations, it pays to stay up to date with the latest developments. As they say, knowledge is power. Fortunately, knowledge can also be fun, quirky, and entertaining. If that doesn’t sound like something you’d say about the world of compliance, you have probably missed the great selection of compliance podcasts out there.  

With a number of high-quality podcasts to choose from, staying on top of risk and compliance doesn’t have to be a chore. In fact, the engaging and entertaining style of the hosts means you’ll likely make at least one of these shows part of your weekly routine. 

We asked our people at Scytale what podcasts they listen to in order to stay updated. Here, in no particular order, is a selection of some of our favorites. It’s not a comprehensive list. Rather, we’ve tried to offer you a sample of the best compliance podcast options, from detailed technical compliance podcasts to human interest stories and pithy news updates. 

1. The ISACA Podcast

Targeted at professionals, ISACA brings you a podcast that tackles cybersecurity, audit, governance, and everything in between. With a focus on the working world, if these topics are an interest or a concern for you, you are bound to find an array of important conversations relating to you and your career. Hosted by a combination of ISACA members as well as industry experts, gain insight into the latest trends that affect our technologically advanced world and how this impacts our working environments.

2. Brakeing Down Security Podcast

One of the most acclaimed podcasts in the industry, Brakeing Down Security is a must-listen for all those concerned about information security. Whether you’ve been in the industry for years or you’re an aspiring professional, this podcast, ranging from ​​cybersecurity, privacy, compliance, and regulatory issues, will break down and explore all the concepts you need to know. 

3. OWASP Podcast

Benefiting from three seasoned veterans in the industry, the OWASP Podcast is hosted by Mark Miller, Matt Tesauro, and Vandana Verma Sehgal. Each host produces episodes with a slightly different focus but all with the same goal – securing the future for coming generations. Listen to interviews with cybersecurity and open-source experts, conversations with project leaders and AppSec professionals, and stay current with all OWASP news, information and updates. A truly fascinating podcast that invites all to contribute to the improvement of software security.

4. Unsupervised Learning

The perfect weekly round-up for your Monday morning commute, Unsupervised Learning is a quick 15 – 30 minute summary of the week’s most important stories and why you should take note. Exploring the intersection of security, technology, and society, benefit from the genuine passion of host, Daniel Miessler. While less technical and more real-world-focused, this podcast highlights why we care about privacy, security, and compliance and brings real-world matters to the forefront of conversation.

5. SC Media Podcast – Security Weekly

The original source of truth for all things cybersecurity, Security Weekly is a comprehensive resource for foresight, learning, and collaboration. This podcast offers an extensive series that covers the complete cyber landscape. Discussing important topics such as the latest threats, news analysis, and enterprise reporting, practitioner-led conversations, unpacking industry research and data, to exploring specialized coverage of enterprise security and compliance, the cyber community is not left wanting. Another must-listen for security practitioners and leaders.

6. Cyber Security Interviews 

An interview-focused podcast, Cyber Security Interviews offers an in-depth exploration of the minds shaping the cyber security industry. From interviews with cyber security influencers, thought leaders, and experts, listeners benefit from their personal stories, what motivates them, and where they think the industry is headed. Stay ahead of the curve, and learn what actually works and what doesn’t from experts that are ingrained in the world of cyber security.

7. Privacy Please

A more lighthearted approach to the world of security, privacy, and compliance, hosts, Cameron Ivey and Gabe Gumbs, discuss best practices, conduct interviews with industry professionals, and unpack real-world stories. Privacy Please is a podcast that aims to keep you informed while also enjoying a good laugh here and there.

8. The 443 Podcast

A podcast dedicated to practical responses to cyber threats, The 443 talks IT security and digital safety without being intimidating, pretentious, or complex. Host Marc Laliberte is known for his thorough research, which has made The 443 one of the most trusted podcasts on the market. Each episode simplifies complex cybersecurity concepts, solutions, and tools so that the content is useful even for novice listeners.

9. The Ethics Experts

Taking a closer look at the world of ethics and compliance, The Ethics Experts is a podcast dedicated to exploring the real-world experience of leadership teams, experts, and industry influencers in the world of work. Through interviews with the likes of lawyers, compliance specialists, and business leaders, listeners gain an on-the-ground understanding of ethics and compliance, moving away from the theoretical and abstract and more towards real people, real companies, and real relationships.

10. Hacking Humans (Bonus)

Perhaps not so in line with our focus on our information security and compliance, but we felt we had to include this guilty pleasure. Hacking Humans, hosted by Dave Bittner and Joe Carrigan, takes a closer look at cybercrimes that are making global headlines. From social engineering scams to phishing schemes to criminal exploits and beyond, this podcast unpacks cybercrimes that have a monumental impact on organizations globally, highlighting flaws in what we perceive to be bulletproof systems and processes. Sometimes it pays to know the other side of faulty information security and non-compliance.

Take a deep dive into SOC 2 and beyond

We hope you enjoyed our selection of podcasts. We’re always learning new things about our industry; it keeps us motivated to continually innovate and grow. 

We also would love to hear from you. Let us know if we’ve left out any of your favorite podcasts and we’ll include your suggestion in future posts. Leave us a note on social media or shoot us an email.

And if you’d like to take a more detailed look into the theory and practice of SOC 2, ISO 27001, InfoSec, and more, be sure to check out our blog. We’re always adding new material, detailing the insights we’ve learned working with our wonderful clients, and implementing our advanced compliance software.

Pro Tip: You should be able to find all the above podcasts on Spotify and/or Apple Podcasts. Enjoy!

SOC 2 Audit Exceptions: What Does This Mean And How To Address Them

SOC 2 audit exceptions are not inevitable, but they happen more frequently than you might think. That’s fine. Audit exceptions are often an accepted part of the audit process, and they don’t necessarily mean a failed audit.

Let’s take a closer look at what audit exceptions are, why it’s not the end of the world if they occur, and how to best prevent them in the first place.

What are SOC 2 test exceptions?

SOC 2 test exceptions are noted by the auditor in the course of testing a company’s SOC 2 compliance. In short, an exception is an instance, found during testing, where a control or your system description did not conform to the SOC 2 criteria or to what you asserted about it. That’s a fairly broad description, but we can drill down into the precise forms test exceptions take.

But before we look at the technical details, let’s remind ourselves of how SOC 2 compliance works. SOC 2 isn’t simply a checklist of requirements. When a company chooses to become SOC 2 compliant, it carefully assesses which Trust Service Principles are relevant to its operations and develops controls to meet those criteria. 

Measuring the space between goal and achievement 

In practice, a SOC 2 audit is a test to determine whether those controls actually do what they’re designed to do. Any gap between that goal and how well the controls perform will count as an exception.   

With that background in mind, let’s consider the kinds of test exceptions in more detail.

Types of test exceptions

There are three categories of test exceptions. 

System description 

Any discrepancy between your description of how your systems or services work and how they actually function will be marked as a system description exception.

Control design 

The crux of SOC 2 compliance is to design controls to meet specified SOC 2 requirements and then to successfully implement those controls. If the controls have not actually been adequately designed to meet those goals, then the auditor will note a control design exception. 

Note that any well-planned SOC 2 audit will commence with careful design of the appropriate controls, often in close cooperation with your auditors or SOC 2 consultants. Control design exceptions are therefore uncommon and are often evidence of a poorly planned SOC 2 process. 

Control effectiveness

While system description and control design test exceptions can’t be eliminated, their likelihood can be greatly reduced with careful planning. And, of course, successful SOC 2 depends on thorough preparation. 

However, even exceptionally well-designed controls may still be imperfectly implemented. That’s perfectly understandable. Real-world implementation is complex and depends on numerous factors. 

That brings us to the third kind of test exception: control effectiveness exceptions. These happen when one or more controls, even exceptionally well-designed controls, don’t operate as planned during the audit period. Unlike control design exceptions, control effectiveness exceptions don’t necessarily indicate poor planning or slipshod implementation. And they certainly don’t necessarily imply a failed audit.

Of course, implementing SOC 2 should always involve careful planning and rigorous preparation. And it is advisable to implement SOC 2 automation to minimize the possibility of errors or oversight. At the same time, it’s equally important to adapt and learn when exceptions occur. 

Do exceptions mean a ‘failed’ report?

Every SaaS company aspires to an unqualified SOC 2 opinion. If your auditor detects exceptions, they will be listed in the report, and if they are serious enough that a criterion is not met, the auditor may issue a qualified opinion. However, there are two important reasons for optimism.

First, a qualified report is not necessarily a calamity. Remember, the report describes your controls and the auditor’s tests of them, and it may be that minor exceptions don’t perturb your clients much. Indeed, in a complex operation, the odd anomaly may be perfectly acceptable, depending on the overall quality of your controls.

Second, an exception will not always result in a qualified opinion. If a control fails to fully meet its objective, but a secondary or overlapping (compensating) control manages that same risk, then the auditor may still issue an unqualified opinion.

In short, while businesses should take care to mitigate the possibility of any kind of audit exception, in the real world, anomalies happen and they’re often tolerable. Therefore, there is definitely no need for panic if an exception occurs.

How to address test exceptions: Section 5 of the SOC 2 report

In fact, the real test of a company’s innovation, dedication, and abilities may not be that it manages to eliminate absolutely all exceptions under all circumstances. Rather, the real test may be how a business responds to those challenges. 

That’s where Section 5 of the SOC 2 report comes into play. Section 5 (“other information provided by the service organization”) is the company’s opportunity to explain its response to exceptions. The business has a number of options. It can describe why the exceptions pose a relatively limited systemic risk, if that is its assessment. Alternatively (or in addition), it can describe the measures it has taken to manage any risks posed by the exceptions.

In either case, the business should remember that Section 5 is not about meeting abstract compliance criteria but making a persuasive case to potential clients. As such, the description should be realistic and accurate.

The business may even choose to remediate some or all exceptions detected by the auditor. Section 5 is not covered by the auditor’s opinion, so the auditor will not attest to the remediation until the next audit period, but the company can still use Section 5 to lay out the measures it took to remediate the problems.

A chance to adapt and learn…

We learn more from our mistakes than from our successes. You’ve probably heard some variation of this expression many times. Frankly, it can be a little annoying. Wouldn’t it be better not to make mistakes in the first place? But there’s really a lot of truth to the idea. Mistakes can drive innovation. A system or process can seem to be working well, but is it functioning optimally? How will it fare under real-world pressures? Minor real-world errors can help you adapt and transform to produce even stronger, more resilient systems. If you are willing to pay close attention and … well, learn from your mistakes. 

And undoubtedly, this is the case with the SOC 2 audit process. If you’ve rigorously designed your controls and the auditor nonetheless detects anomalies, this is evidence of a good auditor in action. After all, you want the audit process to reveal any weaknesses or shortcomings in your information security and data processes. In the long term, you can only develop watertight security processes – and demonstrate ongoing security and reliability – if your auditor is sufficiently thorough.

… but prevention is better than cure.

Developing and implementing effective SOC 2 controls is an ambitious undertaking. It’s not easy, but the competitive advantage SOC 2 offers is worth it if you want to compete at the highest level. 

While it may not be possible to eliminate the possibility of exceptions, you can take successful steps to maximize your chances of implementing a completely successful SOC 2 process and secure an unqualified audit. 

Critically, you need to prepare exhaustively for your SOC 2 audit. You need to ensure leadership is fully on board and that all stakeholders are empowered to play a role. And, crucially, you need to automate as much of the compliance process as possible. Automation is a game-changer. SOC 2 software makes compliance simpler, faster, and more cost-effective. But critically, it also reduces human error and helps you test your processes and adapt to problems as quickly and effectively as possible, reducing the chances of audit exceptions occurring.

ISO 27001 vs SOC 2: What’s the Difference?

ISO 27001 or SOC 2. Which is right for your business? It’s a common question, for good reason. The two standards are very similar in many ways. Both represent the highest standards of information security. Both are an excellent way to demonstrate how seriously you take your clients’ data. And both require care and attention to implement correctly. In other words, when we assess ISO 27001 vs SOC 2, we’re not asking which is better. They’re both benchmarks for information security and reliability. We’re assessing which is optimal for your business, at the current time.

To appreciate which standard is appropriate for your business, we’re going to need to dig a little deeper into the differences. 

ISO 27001 v SOC 2: The meaning of certification 

One of the critical differences between ISO 27001 and SOC 2 is that SOC 2 is not a certification. If you pass the exacting ISO 27001 requirements, then your business is ISO 27001 certified. In the case of SOC 2, however, the auditor issues an attestation report containing their opinion on whether or not you met the relevant criteria.

In simple terms, an attestation is an independent opinion provided by an auditor, as in the case of a SOC 2 audit.

It’s important to understand the distinction as it can help us appreciate the real-world difference in becoming compliant in either standard. 

Independent auditing

While certification and attestation are different, we should not overemphasize the distinction. Both certification and attestation involve assessment by an independent auditor that measures your achievements against a set of objective criteria. 

However, that raises a question. All things being equal, surely it’s better to hold a formal certification? Won’t that impress clients more?

It may be true that some clients will be more impressed by ISO 27001 certification, particularly in markets where ISO 27001 is the more commonly recognized standard.

However, the SOC 2 attestation report also has unique advantages. Notably, the attestation report describes in detail the controls your company has developed to meet SOC 2 criteria. That can be attractive to discerning clients who want an objective account of the steps you take to safeguard their data.  

What makes ISO 27001 compliance different from SOC 2 compliance?

The distinction between certification and attestation isn’t arbitrary, a mere whim of the auditors. Rather, it reveals the fundamental distinction between ISO 27001 and SOC 2. 

In summary, an accredited certification body (registrar) certifies ISO 27001 compliance, which is a formal security certification. A SOC 2 attestation report contains the auditor’s independent opinion on whether the design and operating effectiveness of your controls meet the SOC 2 criteria, and on how well your organization is meeting the relevant trust service principles. The licensed CPA firm provides an opinion on a written statement (management’s assertion) for which the organization being assessed is responsible.

SOC 2 is an attestation framework, not a certification. This means that SOC 2 attestation reports are issued by a licensed CPA firm, not by a certification body. The framework behind SOC 2 is published by the American Institute of Certified Public Accountants (AICPA).

Location, location, location

As indicated above, it’s important to consider which standard your clients (and potential future clients) will value most.

In part, the preference will be determined by where the client is based. ISO 27001 is a common European procurement requirement and is internationally recognized as the highest standard in information security. In the US market, many businesses want the reassurance that you are SOC 2 compliant.

When considering how a compliance protocol can advance your business goals, you should therefore think carefully not just about where you’re currently operating but which markets you want to expand to. 

Establishing an ISMS

ISO 27001 defines specific standards that need to be met and clear controls that need to be implemented to meet those standards. In order to become certified, the company needs to establish an information security management system (ISMS), according to ISO 27001 standards. 

Establishing an ISMS is demanding but, as we discovered on our own ISO 27001 journey, extremely rewarding.

Certification is highly rigorous. The certification audit assesses whether you’ve met all the necessary requirements, according to the standard’s uncompromising criteria.

Flexible security protocols 

SOC 2 compliance, by contrast, is more flexible and customizable. To become SOC 2 compliant, you need to meet the Trust Services Criteria (TSC, formerly known as the Trust Service Principles, TSP) published by the AICPA. There are five categories:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Importantly, you do not need to include all five categories in the scope of your SOC 2 audit. Security must always be included, but otherwise you get to choose the categories that matter for your business.

Moreover, SOC 2 doesn’t specify which controls you must implement in order to meet the criteria. Rather, what is important is that you develop and implement effective controls. 

That makes SOC 2 a more flexible security protocol.  However, being flexible doesn’t mean being lax. The auditor carefully assesses whether your controls are up to the job, according to the criteria you have specified. 

As your success or failure to meet the criteria is attested to in detail, your clients get the assurance that you have effective controls in place and a sense of how those controls work.

For example, if you run a data center, it’s likely that your clients will value the Availability criteria. To get the competitive benefit that SOC 2 provides, you would have to implement effective controls to achieve availability, according to the strict SOC 2 criteria. If successful, your auditor would attest in the report that you have implemented those controls and that they operate effectively.

So while SOC 2 gives you the flexibility to pick and choose the TSP, that choice is ultimately determined by your business goals and the expectations of your clients. 

Which standard can I implement more quickly?

There are no fixed rules for how long either compliance process will take. Both ISO 27001 and SOC 2 involve careful preparatory work, and the precise timeline will ultimately depend on your company’s operations and capacity.

Generally speaking, however, implementing SOC 2 compliance takes more time and resources than ISO 27001 compliance.

The most important consideration, of course, is that you implement a standard that achieves your goals. There are no shortcuts to successful compliance. However, there are ways to make the process more efficient, notably by using automated compliance technology. By automating manual processes and reducing human error, compliance software makes compliance accessible to more companies.

Complementary standards

While drawing out the differences between ISO 27001 and SOC 2, it is important to appreciate that these are not opposing standards. 

It’s not simply that they overlap in many ways, but they also complement each other. For example, establishing an ISO 27001 ISMS can be an extremely effective way to realize SOC 2 controls. 

Some companies even choose to implement both at the same time. However, in most cases, startups and smaller SaaS companies will likely want to devote their time and resources to implementing one protocol at a time.

Customized assessment 

So what’s the perfect information security protocol for your business? ISO 27001? SOC 2? Both? 

Well, it depends on a careful case-by-case evaluation. 

A careful assessment of your business – operationally, strategically, and in terms of the markets it operates in – may reveal that one standard will be especially helpful in producing the controls needed to be more competitive and productive.

At Scytale, there is no predetermined view of what’s best for a client. We sit down and carefully assess their needs.

Walking The Walk: SOC 2 For Us Too

Why is our SOC 2 report so important?

SOC 2 compliance is our expertise and our passion. It is a compliance framework we believe in wholeheartedly: it ensures outstanding security practices for SaaS companies and that customers’ sensitive information is protected.

It is of absolute importance that we are able to deliver our SOC 2 Type II report to customers and prospects, demonstrating the high levels of design and operating effectiveness of our information security controls.

Scytale is a SOC 2 readiness platform, enabling our customers to manage their SOC 2 workflows and remain compliant continuously with our compliance automation and non-stop monitoring. Therefore, our SOC 2 audit ensured our very own systems are secure and meet the high standards of the AICPA framework. 

Due to our industry, product offering, as well as to ensure we gain the most value out of our compliance journey, our SOC 2 audit reports on the following Trust Service Principles: Security, Availability, Confidentiality and Processing Integrity.

Priority #1: the protection of our customers’ data

We want to put the minds of our customers and prospects at ease when it comes to the security of their information. Our SOC 2 report shows that they can rest easy knowing their data is protected and that our platform is built with the utmost care, with robust systems and controls in place. We believe in earning the trust of our customers, assuring them that they are partnering with a company that is committed to sound security standards and practices what it preaches.

Our people, processes and infrastructure

SOC 2 compliance not only ensures we have sound data security standards, but much more. 

Our SOC 2 attestation demonstrates:

  • Our people work securely and follow the correct procedures.
  • We have security best practices and processes in place.
  • All necessary policies are in place and are being followed.
  • We follow correct HR practices, such as onboarding and offboarding of employees.
  • We perform risk management.
  • We perform threat detection.
  • We conduct user access reviews.
  • We maintain security oversight across the company.

As a SaaS startup, our SOC 2 compliance also proves that our software was built with robust security systems from day one, with correctly designed and effective operating controls.

Next Steps

Maintaining our SOC 2 compliance is vital. We are committed to renewing our SOC 2 report annually, each covering an audit period of 12 months. We will also continuously ensure security oversight across all areas of our company, update all necessary policies and procedures, and review and expand our security measures. Take a look at our ISO 27001 certification to gain more insight into our dedication to information security compliance.

The SOC 2 Compliance Checklist for 2022

Is 2022 the year you finally make your SOC 2 goals a reality? Experts say that information security standards such as SOC 2 are becoming much more central to businesses. That’s no surprise. Customers are much more discerning about information security and reliability. Competitive pressure means startups and established companies alike need an edge. And SaaS companies recognize that they can no longer afford the risk of mediocre InfoSec practices. SOC 2 addresses these challenges, all the more so if implemented correctly.

So, how can you be sure you’ve implemented a SOC 2 protocol that ticks all the boxes? Here’s a handy SOC 2 compliance checklist to help you prepare for your SOC 2 compliance audit and realize your business’ security goals.

Benefits of being SOC 2 compliant

Before we jump right into our SOC 2 compliance checklist, let’s remind ourselves of why being SOC 2 compliant is so valuable in the first place. 

Businesses that are SOC 2 compliant: 

  • Demonstrate reliability and the highest standards of data security.
  • Meet the most demanding clients’ procurement requirements.
  • Gain a competitive edge when entering new markets.

Importantly, being SOC 2 compliant doesn’t just demonstrate that your systems are secure and reliable. Preparing for a SOC 2 audit is one of the most effective ways to actually ensure your systems meet your own high standards. Remember, SOC 2 is not a certification. Rather, it’s an attestation report demonstrating that your company’s systems have truly met stringent security criteria (and those that clients demand).

Below is Scytale’s 5-step checklist to achieve your SOC 2 goals in 2022.

1. Identify your core focus from the Trust Services Principles and outline the criteria and relevant controls that will fall under the ambit of the company’s SOC 2 audit.

A SOC 2 audit checklist should ensure you’ve covered all the bases, confirming you have met all the requirements your auditors will be looking for. 

But remember, before preparing for your SOC 2 audit, you want to be clear about the specific scope of your organization’s SOC 2 report. Only once you have this strategic clarity is it time to consider the finer details of your SOC 2 compliance goals. When evaluating the scope, remember that SOC 2 is evaluated according to the five Trust Services Principles, covering the following categories:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Managers need to decide upfront which of the criteria and relevant controls will fall under the ambit of the company’s SOC 2 audit report. Security is a fundamental criterion, and is central to all SOC 2 compliance processes. However, the other criteria do not necessarily apply in all cases. For example, demonstrating Availability is extremely important for data centers, whereas Privacy can be more of a priority for companies that manage sensitive user data. 

2. Elect a dedicated SOC 2 project manager who will ensure the process runs smoothly and successfully.

Before implementing any SOC 2 controls, you need systems, processes and personnel in place to plan, analyze and implement your SOC 2 strategy, from start to finish. A dedicated project manager should be in charge of ensuring your SOC 2 compliance project runs smoothly. In this role, they should have the authority and resources to implement decisions and track deadlines across the organization in order to meet the SOC 2 compliance requirements. If you don’t have an effective manager driving the entire SOC 2 process, you need to go back to the drawing board.

3. Map out your SOC 2 journey, outlining where you are, where you need to be and how you plan on getting there.

You can’t plan your journey unless you know where you’re going. That’s the scope. But where are you starting from? That’s why companies need to undergo a thorough gap analysis to determine how far their systems are from where they need to be. By determining where your company is now and where it needs to be, you can track performance and ensure you are moving in the right direction. 

4. Implement a proper SOC 2 compliance automation platform.

SOC 2 is complex and extremely demanding. Fortunately, technology transforms SOC 2 compliance from a tedious, complicated and time-consuming process into a relatively simple, efficient and cost-effective strategy. 

Preparing for the audit with the proper SOC 2 compliance automation platform in place removes barriers and sets your company up for success.

5. Work with a SOC 2 expert advisory service that can help you devise the right strategy and optimize implementation.

You’ve got industry-leading SOC 2 audit software, you’ve worked out a high-level SOC 2 strategy and you’ve made sure all stakeholders are invested in the compliance process. Everything is running optimally, without any gaps? Well, maybe.

But it’s impossible to know what you don’t know. That’s why an expert advisory service makes all the difference. Find a SOC 2 expert with the technical knowledge and hands-on experience to help you devise the right strategy and optimize implementation. Ultimately, expert assistance is likely to save you time and money by ensuring you get SOC 2 right the first time, and continue to deliver impeccable services to your clients on an ongoing basis.

Preparing for your SOC 2 audit: Getting the details right

As should be clear by now, preparing for a SOC 2 audit is a strategic journey that starts with a rigorous process of analysis and evaluation. Some managers may be tempted to look for shortcuts, but experience shows there is no substitute for a careful, deliberate strategy, supported by experts.  

Of course, while planning and preparation are critical, you need to actually close the gaps between objective and reality. This comprises the remediation period, during which you implement the measures identified in the gap analysis.

Now, it would be nice if we could just say ‘here are the three things you need to do to meet each criterion’. But the reality is a little more complicated than that. After all, choosing the appropriate security safeguards to fulfil the relevant criteria depends on a range of factors. These factors include budget, local regulations, customer expectations, operational capacity and the level of employee expertise. 

For that reason, no checklist can be overly specific. SOC 2 is different for different organizations. The critical point is that you need appropriate processes in place to meet the specified criteria. Your SOC 2 auditor will be giving their opinion on whether you have met the stringent criteria, not on whether you’ve simply followed a generic set of best-practice codes. Think about it: you could install best-in-class technology, but that counts for nothing if the responsible employees don’t have the time or expertise to run the software properly.

In short, you need a comprehensive and customized SOC 2 controls list that fully covers the Trust Services Principles your organization is including in the report. SOC 2 is so powerful because it mandates that you create controls that meet the requirements of these criteria.

While SOC 2 is uncompromising and demands a high level of system security and integrity, businesses, in reality, have a lot of flexibility in how they go about meeting those standards. 

Practically speaking, then, you need to ensure you develop a robust SOC 2 security controls list that meets your goals, without any gaps.

Examples of the kinds of intervention your business will need to make include:

  • Creating a directory of control owners: the staff members who are responsible for specific controls and who are required to act if those controls fail.
  • Developing and effectively executing appropriate internal controls.
  • Establishing periodic reviews and monitoring controls.

The one box you need to tick: Get an objective assessment 

This high-level SOC 2 checklist should help provide a solid foundation on which to begin your compliance journey in 2022. SOC 2 is a powerful, flexible protocol that will give your company a competitive advantage. However, precisely because SOC 2 is so flexible and far-reaching, each company’s specific path will be different. For this reason, there is no step-by-step guide on how you can reach your specific SOC 2 goals. But, if you can tick all the right boxes of our high-level SOC 2 checklist, you should be well on your way.

How To Speed Up Your SOC 2 Audit Without Breaking A Sweat

What’s the fastest way to pass a SOC 2 audit? Simple: you need to plan carefully and avoid taking any shortcuts. Hmmm…that might sound paradoxical but we’ve seen way too many businesses attempt to rush through the compliance process and suffer the consequences: delays, high costs and unsuccessful audits.

Know when to ask for help

The good news is that with effective planning and a methodical approach to implementing SOC 2, you can be assured of a fast and smooth SOC 2 experience, and that you’re on your way to a successful audit report. However, there’s an important caveat. All the planning in the world won’t take you very far if you lack real world experience with SOC 2 and are not 100% sure of SOC 2 best practices.  

But to be perfectly honest, since SOC 2 is such a highly specialized and complex process, it’s rare to find teams that know what to do right off the bat. With the right guidance and access to the appropriate tools, though, SOC 2 compliance really can be fast and efficient.

In short, you need a guide. That may sound like it adds another layer of cost and complexity to compliance. But actually, the right SOC 2 partner will assure SOC 2 success, while significantly saving you time and costs.

To appreciate why, let’s consider some of the ways the right SOC 2 partner can help your business.

Know which compliance tools to use

A big mistake when implementing SOC 2 is to rely on outdated manual processes, which often lead to errors and waste time. Automation that streamlines the SOC 2 compliance process makes all the difference, but you need the right tools for the job.

At Scytale, we developed software especially designed to overcome the SOC 2 compliance challenges we’ve identified in the real world, and to make compliance efficient and easier to achieve. We also guide our clients on which technologies and methodologies will best help them meet their objectives.

In a nutshell, automating your SOC 2 compliance takes a great deal of work off your plate and, in turn, significantly cuts the hours spent on your SOC 2 project.

Eliminate the possibility of oversights 

SOC 2 involves long, complex checklists and it’s easy to neglect something or get too focused on irrelevant points. 

Once again, your compliance partner should help you find that balance, making sure you don’t miss anything important while ensuring your attention isn’t overly focused on irrelevant details. 

At the same time, utilizing a smart compliance tool reduces the risk of human error and enables organizations to track and manage the status of their SOC 2 workflows, again reducing the time spent on compliance by keeping the process simple.

Objective assessments

Your SOC 2 partner isn’t just a compliance expert, they provide fresh objective perspectives on your planning and implementation, which is critical for SOC 2 success.

Scytale’s compliance experts understand exactly what the SOC 2 auditor will be looking for, and therefore can help customers objectively assess whether they meet those expectations. For example, when performing a Readiness Assessment there are often differences of opinion across the organization. Our experts will be able to gauge your actual readiness and ensure you have the knowledge and tools to effectively prepare for the audit.

Receiving hands-on advisory services ensures you utilize your time on relevant processes and tasks for your SOC 2 project.

What is SOC 2 for, anyway?

We’ve now covered some of the fine details such as the tools and practical applications, as well as how a good partner makes compliance much more efficient.  But there’s also the bigger picture to consider. It’s not something that you can really distill into a few points. For example: What are your goals as a business? What is SOC 2 really for in the context of your organization? How will you continue to harness SOC 2 to create and sustain real value in your business over the long term?

These aren’t technical questions about implementation. They’re strategic business decisions. And to get them right, it’s important to have a strategic compliance advisor that understands SOC 2 inside and out, from a technical and a business perspective.
