How to Track SOC2 Compliance

In Q3 2022, KRM22 completed its annual SOC2 Type 2 assessment for the year and passed with no issues reported by its auditor. SOC2 is a compliance standard for service organizations that specifies how they should manage and secure customer data. As businesses turn to software vendors that deploy IT solutions in the cloud, it has become critical that these cloud-based solutions adhere to the highest standards for security, availability and confidentiality and that this can be demonstrated.

Why does this matter?

Internally, this gives us confidence that our processes, policies and procedures are fit for purpose. We want to be sure that what we say we do and what we actually do are one and the same. Good controls and policies also mean that everyone at KRM22 is better placed to understand our individual and collective responsibilities – and, perhaps most importantly, why they matter.

Externally, audits such as SOC2 also provide confidence to our customers. KRM22 can be trusted to act responsibly and professionally on their behalf with their data in mission critical systems. Our customers can show their own IT, InfoSec and Compliance teams that KRM22 meets their requirements for data security.

How do we track compliance?

We have deployed an instance of our Risk Cockpit product to ensure all its processes are completed accurately and promptly. SOC2 is listed as a Process that KRM22 must complete and each control our auditor assesses us on is stored in the Cockpit as an Information Asset.

All tasks that are regular (these can be monthly, quarterly or annually) are tracked as automated items, assigned to the correct team, assigned due dates, linked to evidence that shows the task has been completed, and then finally tracked back to the underlying Control.

By using our Kanban-boards, the Information Security team can see immediately what tasks are open, in progress, or completed. When a task is set to recur, it is automatically recreated at the defined interval and it’s progress shown on the board.

Any authorized KRM22 staff can see who is Accountable or Responsible for a given task, and who in the firm they should Inform or Consult too.

We use these tools to conduct a mid-year audit on itself to verify that no tasks are falling behind or not completed. We then review the quality and availability of evidence to support a task, immediately seeing if we are fulfilling the requirement, and how easy it is for KRM22 to provide evidence to match

Finally, should a member of staff leave KRM22, all tasks previously owned by that staff member can be handed over to a replacement in an automated fashion. Nothing gets dropped or missed even in the event of staff changes.

The Risk Cockpit has become a tool which not only supports the SOC2 process, but is central to it.

‍