You are compliant with SOC 2—Now what?

March 24, 2021 in Resources



Congratulations on getting your SOC 2 report! Now what?

Unfortunately, after spending a lot of time, energy, and money becoming compliant with SOC 2, many companies find themselves unprepared for what comes next.

In this article, you will be guided through a few steps you can take to maximize your return on investment while also ensuring that your company is taking precautions that protect the confidential nature of your SOC 2 report.

Safely sharing your SOC 2 report

Compliance documents like SOC 2 reports are intended to be confidential. Despite the fact that you may see a handful of these documents posted online, this is not the norm. Prospects will request to see your SOC 2 report as a normal part of the discovery phase, but it’s important to protect your organization by requesting a signed non-disclosure agreement (NDA) before sharing compliance documentation. Though some companies may already have agreements in place such as an NDA or a master service agreement (MSA), you should know that the report is not meant to be widely distributed within those companies.

Limiting the number of employees who can access the report internally is best practice. Just as you don’t want to publicly share your SOC 2 report, you also want to treat it as confidential within your organization. Only provide access to those team members who require the document to perform their job (e.g., sales executives may need access so they can efficiently navigate customers’ vendor onboarding processes).

Furthermore, we recommend watermarking each copy of your SOC 2 report with the name of the company that requested it, so that any copy found outside the intended audience can be traced back to its recipient.

Pima can help you automate the process and track prospects who received your SOC 2 report. Once you receive your report, upload it on Pima with an NDA, configure sharing rules, and invite colleagues who will be sharing the report. Pima will automate delivery, watermarking, logging, lead generation and everything that your team currently does manually, so you can just rest easy knowing that your documents are in good hands.

Tips on announcing your SOC 2 compliance

Although it’s not wise to publicly share your SOC 2 report, this does not mean that you shouldn’t be excited to announce that you’ve received your new report!

Here are some of the steps you can take to let your prospects know about your recent achievements:

  1. Register with the American Institute of CPAs (AICPA) and download their official logo.
    • Be aware that there are very specific guidelines for using their logo. The terms and conditions are short, so be sure you read the SOC 2 sections.
    • The logo may not be altered in any manner other than size.
    • You can use the logo almost anywhere as long as it is hyperlinked to www.aicpa.org/soc4so
  2. Write about your achievements!
    • On your blog or website 
    • In marketing materials, report packages, or engagement proposals
    • In pitch decks or business presentations
    • Via social media
  3. Build a trust page for your website.
    • HackerOne and Bonus.ly are both examples of companies that showcase their compliance accomplishments on a trust page.
    • Add a request form to your trust page.

Keep Up the Good Work

Your valuable time and effort were spent not only establishing (or refining) a cybersecurity practice but also navigating the audit process. Your SOC 2 report is not a trophy you dust off just before the auditors arrive. You want to maintain good compliance habits year-round.

A few tips for operationalizing your hard work:

  • Celebrate the good news about earning your SOC 2 report with a company-wide announcement or during a meeting. Your team members worked hard to achieve this and it should be recognized.
  • Embrace compliance and instill a culture of adherence to controls in order to do what is right (from a cybersecurity perspective). Repeat the culture-of-controls message frequently.
  • Monitor your controls to ensure that they are working correctly. Strike Graph is an amazing tool for that. Monitoring is not only a SOC 2 requirement; it is also good practice. You can spot-check a few controls quarterly or have an independent assessment performed to ensure that they’re operating as intended.
  • Consider where controls can be automated, updated, or streamlined.
  • Ask your auditors to suggest areas for further improvement and ways to mature your security practices. Auditors have the knowledge to point you in the right direction.
  • Contact your auditor when you make any major changes to the network, to control processes, or to the scope (e.g., adding new services or products).
  • Consider whether it might make sense to add another Trust Services Criteria (TSC) category. The ROI could lead to larger sales!