Learn more about SOC 2 compliance for cloud computing with NDB’s in-depth audit reporting compliance overview and checklist for today’s SaaS, PaaS, and IaaS vendors. With cloud computing being adopted by seemingly every business – coupled with the huge growth in regulatory compliance – now’s the time to gain a strong understanding of the entire SOC 2 auditing process.

NDB offers SOC 2 services for businesses using Amazon AWS, Microsoft Azure and Google GCP.

Hosting in Amazon AWS and Need a SOC 1 or SOC 2 Audit? Let's Talk.

aws logo

1. Choose the Correct Trust Services Principles and Criteria: The TSP’s – as they’re simply called – form the very fabric of any SOC 2 mandate, consisting of the following: Security, Availability, Processing Integrity, Confidentiality, and Privacy. What’s important to note about each of the five (5) TSP’s is that they all require heavy documentation for SOC 2 compliance – policies, procedures, and established processes that can be actually validated by auditors.

2. SaaS vs. PaaS vs. IaaS: Good auditors know the difference between the three (3) main cloud computing models of SaaS, PaaS, and IaaS, which means they should also provide an audit framework that tests for such environments. From the Cloud Security Alliance (CSA) to many other cloud computing platforms and standards – there’s an ample amount of information available for auditors that allow them to develop a customized testing framework for your platform – and that’s what we do at NDB.

Is your SOC 2 report calling for an integration of an official framework or set of best practices, or will a generally accepted SOC 2 framework suffice? These are questions that need to be answered prior to performing an assessment, so get the facts before the audit begins by speaking with an expert, such as Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today.

3. Documentation is Critical: Cloud computing compliance – regardless of the mandate – calls for comprehensive security documentation to be in place – specifically – various types of information security policies and procedures. Think about the core information security domains – change management/change control, access rights/access control, data backup and recovery, incident response, usage policies, business continuity, and more – they’re all highly critical when it comes to SOC 2 compliance, and it’s why NDB offers a comprehensive security policy templates to all of our valued clients throughout the globe. Writing policies and procedures “used” to take a lot of time, but thanks to NDB, that mandate just became easier. 

SOC 1 SSAE 18 and SOC 2 Policy Templates and Information Security Policies

Along with documentation, performing a risk assessment – along with having policies and procedures discussing such initiatives – is a mandate for annual SOC 2 Type 1 and SOC 2 Type 2 compliance. It’s much more than just having a policy stating you’ll perform a risk assessment, it’s something you need to actually do.

NDB offers a comprehensive and easy-to-use risk assessment document and supporting templates for helping meet the needs of SOC 2 cloud computing vendors. Even without SOC 2 compliance mandates, performing an annual risk assessment is something every business should be doing considering the growing threats in today’s cyber world we all live and work in.

4. Develop an Asset Inventory List: Ready to begin the SOC 2 audit process? Great, before you do, make sure you have a comprehensive, current, and accurate listing of all your information systems. We’re talking about a documented asset inventory list that details the hostnames, models, brands, and other necessary information for one’s network devices, servers, company-issued devices (i.e., laptops and PDAs, etc.), and other essential devices. You can’t protect an I.T. environment if you have no real idea on the types and location of your I.T. assets, so do yourself a favor and develop one.

5. Perform Essential Remediation: Developing all outstanding information security policies and procedures – as just mentioned above – is critical for SOC 2 compliance, but so is all the necessary technical and security remediation. Specifically, you’ll often find a healthy to-do list of items needed for ensuring your network is properly built, has adequate security safeguards in place, and much more. From re-configuring network devices (i.e., firewall, routers, and more) to hardening servers and applications, or even placing monitoring agents on devices, much has to be done, and we can assist as needed.

SOC 2 Risk Assessment Template

6. Next Steps? In need of a SOC 2 audit, then contact the SOC 2 cloud computing compliance professionals today at NDB.