Juern was motivated not only because the firm maintains sensitive client data but also because SOC 2 compliance will give 7tech the ability to show new prospects that it handles sensitive information properly.
Proving You Have Controls In Place
In contrast with the ISO 27001 security standard, which audits that you have an information security management system in place, a SOC 2 audit proves that you have security controls in place to protect customer data.
"SOC 2 is the go-to framework that most of my clients use and is widely accepted within the industry," says Kevin Beaver, an independent information security consultant, writer, and professional speaker with Atlanta-based Principle Logic.
Beaver described both frameworks as "quite prescriptive" and noted that they require ongoing audits to maintain certification. "Neither is inexpensive," he adds, "but they can both pay dividends in terms of building out a resilient information security program and providing a competitive advantage for those looking to do business with companies who take security seriously."
There are a lot of similarities between SOC 2 and ISO 27001, but the big difference is that SOC 2 audits are conducted by CPAs, Juern says. He opted for SOC over ISO 27001 because "we feel like SOC 2 Type II is more aligned with MSSPs and people who host any sensitive information."
A SOC 2 Type I audit is a snapshot of one day; a SOC 2 Type II audit looks at a larger time period, typically one year.
Prepare To Spend Time And Money
Achieving SOC 2 compliance requires an investment of time and money, and it's an annual audit.
If a firm is starting the compliance process for the first time and does not have policies written down "in a significant way," Bickmore estimates the cost at between $25,000 and $35,000, as well as 200 person-hours.
Additionally, he says, "You may have to hire someone to help you write policies if you don't have any." The good news? "After you've done it the first time, in subsequent [audit] years, expect all those numbers to halve," Bickmore notes.
The fastest Juern has heard of someone achieving SOC 2 compliance is six months, "but that's because they already had good controls in the first place," he says. "Realistically, we think it is a 9-month process." He estimates 7tech will invest $40,000 to achieve compliance.
The process for Juern is making sure 7tech has all of its security controls defined along with a "track record" of historical evidence. "A small example is we have a computer at the front desk. It's a visitor system and you have to sign in, so we're logging every visitor and their purpose," he says. "You can't just throw that up there... you have to show a history of use."
Additionally, 7tech must show standard operating procedures that indicate they are protecting sensitive customer information. "You can't just make up a list of security controls... they have to [follow] industry standards" such as NIST, Juern says.
7tech did a lot of the SOC 2 required work in the process of achieving Cybersecurity Maturity Model Certification (CMMC) Level 1 compliance, so "the process to get to SOC 2 is much simpler," Juern says.
Giving Clients Peace Of Mind
Both Juern and Bickmore agree that the biggest benefit of meeting SOC 2 compliance is credibility .
Once they complete their SOC 2 report, Bickmore says he shares the findings with customers or prospects who sign a nondisclosure agreement. "I always like saying to someone considering our services, 'We're good at security, but you don't have to take our word for it — here's a third-party report,'" he says.
"For retention purposes, you can use it as collateral with existing clients to say, 'Hey, we're working on it,' and when you achieve it, you can announce it," Juern says. "It gives current clients comfort that you're doing things well."
He has already noticed that the larger the prospect, the more likely they are to ask for a SOC 2 report. This "allows us to swim upstream in terms of client size, so that means the potential for growth is incredible," he says.
Right now, 7tech is talking with a "very large prospect" who asked whether the firm is SOC 2 certified. When Juern said they are working on it, "[The prospect] said, 'If you can't provide a SOC 2 report, be prepared,'" because the questions from the prospect will be overwhelming, he recalls.
For any MSP going through the SOC 2 process, says Bickmore, it's "all about being better at what we do and being safer and more secure, so our clients, I would argue, get peace of mind." It gives them assurance that "we're doing what we say we're doing," says Bickmore. "It means we're a better service provider."
Esther Shein is a longtime freelance tech and business writer and editor. Her work has appeared in a variety of publications, including TechRepublic, FierceMarkets, Network Computing Magazine, and The Boston Globe.
MSPSUCCESS.COM | 31