Hey GRC and Risk management cyber security professionals.
You just received a SOC 2 report, what are you supposed to look at? What is the important stuff behind all that CPA language? A thread..
There are really three areas you should focus your review on.
1. The opinion (Pass/Fail)
2. Section 3 (Description of the system)
3. Control testing
The Opinion: In Section 1 (Independent Auditors' Report), you will find the auditor's opinion, which is their Pass/Fail determination for the audit. Examples:
Unqualified = No issues identified.
Qualified = 1 or more issues, not that big of a deal.
Adverse = Holy sh*t, really bad
Section 3: This is the description of the system, and it tells you exactly which system was audited. You'll want to make sure it is the application your company actually plans on using. Aka, don't accept a SOC 2 report for an on-prem app if you're paying for the cloud version.
Section 4: This is the control testing section. If the auditor identified an issue, they outline it here. If you're concerned with data encryption at rest, you should expect to see controls addressing that here.
For example, when reviewing the SOC 2 reports of AWS, Azure, and GCP, you should be concerned about the physical and environmental security controls (at a minimum), since those are their part of the shared responsibility model.
A few articles to help dive deeper into these areas:
Opinion: help.bytechek.com
Sec3: help.bytechek.com
SOC2 Overview: help.bytechek.com
Just getting the SOC 2 report isn't enough. You have to know what to review and where to look for the crucial details.
#GRC